Sergey Nivens - Fotolia
A type of ransomware called Stampado is available for a low price on the dark web. The ransomware is a threat to networks and external drives. How does Stampado spread to removable drives, and how can enterprises protect their networks from this easy to get ransomware?
Ransomware is a growing industry, and new variants are continually showing up in the wild. The Stampado ransomware is interesting because it's being sold for a relatively low price of $39 on the dark web, and it includes self-propagating methods to spread itself through networks. The purchase of Stampado comes with a license that's being sold as a "lifetime guarantee" and has the ability to encrypt files of over 1,200 different extensions.
If there's no payment sent to the ransomware owner within 96 hours of being infected, all of the victim's encrypted files are then deleted. During this time, the malware deletes a random file every six hours until it reaches the deadline and wipes everything. The Stampado ransomware owners are using these deadlines to scare victims into paying. Also, Stampado has been seen encrypting other ransomware files and having the victims pay double for the files they want back.
Unlike many other variants that demand bitcoin payments via Tor, the Stampado ransomware displays an email address that it asks victims to contact. When doing so, they offer the ability to send one encrypted file to them to be decrypted for free to prove that they have the decryption key. This is their version of "proof of life" when it comes to ransomware.
The malware propagates itself normally via spam, drive-by downloads or through drives that have been infected with replicating versions of itself. The malware will install itself like other applications in the %AppData% directory as scvhost.exe -- this is an attempt to mimic the valid Windows executable of svchost.exe.
Once installed, the ransomware replicates to all network and removable drives and starts encrypting files on them. While attaching to these drives, it makes a copy of itself that also hides all the current files and has them replaced with a shortcut to the installed malware. Once an unsuspecting user clicks the file (shortcut), it executes the malware that's lying dormant. After installation, the Stampado ransomware goes through known areas of a system to look for files, including home directories, and excludes particular directories of no interest to quicken the damage.
If an enterprise is infected with Stampado ransomware, the first thing to do is not pay the ransom. Paying the ransom allows these cybercriminals to continue developing other variants. The next step would be to find the process and kill it. This would at least stop the malware from deleting files in the meantime, and it will give you time to think. The next step would be to go to antimalware vendor Emsisoft and download the decryption code for the Stampado ransomware; Emsisoft CTO Fabian Wosar was able to create a tool that generates the code after going through the steps in the link.
In order to protect yourself from ransomware, follow the tried and true techniques of staying patched, not clicking on links you don't recognize in emails and backing up your data. These three areas of defense are tested techniques to mitigate being infected by ransomware.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Learn about a new form of ransomware, doxware
Find out how to prevent and respond to a healthcare ransomware infection
Discover how to prevent ransomware attacks
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Matthew Pascucci
Container security continues to be a pressing issue as containers and hosts are being used more frequently. Learn how to keep your enterprise safe ... Continue Reading
While there are no set rules, there are some security recommendations when it comes to virtual machines running on one host. Learn the best practices... Continue Reading
Poisoned search results have spread the Zeus Panda banking Trojan throughout Google. Learn what this means, how search engine poisoning works and ... Continue Reading