A look at recent Stampado ransomware variant

Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

Stampado is one of the many new ransomware strains we have seen in 2016. Stampado was first seen in the wild in July 2016, as one of the cheapest pieces of ransomware available on the underground forums.

Figure 1: Stampado sales ad on dark web

In this report, we will provide an analysis of Stampado ransomware, shown to be capable of encrypting files with more than 1,200 file extensions and containing self-propagating features. In addition to the typical ransom demand, this variant threatens to delete a randomly selected file every six hours until payment and, if no payment is received within 96 hours, all files will be permanently deleted.

Infection Cycle

Stampado typically arrives via spam e-mail or drive-by downloads. The file we examined was packed using UPX packer and written in AutoIt. Upon unpacking and decompilation, the AutoIt code appears to be obfuscated.

Obfuscated code

Figure 2: Obfuscated Code

Upon deobfuscation, the code appears as shown below:

deobfuscated code

Figure 3: Deobfuscated code

Installation and persistence

The malware installs itself in the %AppData% folder with the name scvhost.exe in an attempt to look like a genuine Windows process (svchost.exe) and also creates the following autostart registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Update" %AppData%\scvhost.exe

Stampado runs itself from the new location as scvhost.exe and terminates the current process.

installation and persistance

Figure 4: Installation and persistence code

The main functionality of the Stampado variant is illustrated in the infographic below:

Stampado overall activity diagram

Figure 5: Stampado overall activity diagram


This ransomware also has a worm-like spreading functionality. It attempts to make a copy of itself on the removable drives and network drives reachable from the infected system. The malware also registers a callback function to monitor the removable drives; this way, it can infect the removable drive as soon as it connects to the compromised system.

It drops a copy of itself at [DrivePath]\myDisk\drivers.exe with file attributes set to +SHR to hide itself, creates file [DrivePath]\autorun.inf and creates shortcut files with the names of existing files pointing to malware executable, after hiding the original files. This will cause the malware executable to run when the user clicks on any shortcut file.

Self Replication Code

Figure 6: Self-replication code

Process Protection

Before starting file encryption, the malware protects its process from being terminated by exploiting an old kernel bug (setting the “ProcessSelfDelete” flag). This trick was verified to be working on Windows 7 64-bit.

Process Protection Code

Figure 7: Process Protection Code

Encryption over encryption

Stampado will not spare you even if you have already been infected with other ransomware strains and will re-encrypt already encrypted files. The victim has to pay ransom twice to get the original files back. This ransomware is targeting files already encrypted by multiple ransomware families along with a long list of important filetypes. Some of the targeted files encrypted by other ransomware strains are:

*.enciphered;*.cryptolocker;*.cryp1; *.lol!;*.breaking_bad;

Stampado encrypts files using AES (Advanced Encryption Standard) and a Symmetric key encryption algorithm (which uses same key for encryption and decryption) with key length of 256. It generates encryption key based on following data:

salt string + embedded e-mail + “stamp” + ComputerName + CPUArch + OSArch + “pado”

Encryption Key Generation Code

Figure 8: Part of the Stampado encryption key generation code

Note: salt string is not present in all samples(not present in sample analyzed)

It searches following folders for files to encrypt from home drive:

Building list of folders for file encryption

Figure 9: Building list of folders for file encryption

The malware excludes the following folders from the home drive: Windows, Program Files, User Profiles.

After building a list of folders to encrypt, Stampado will start encrypting files one by one. It will create a temporary file with random name including ~(7 random characters).tmp, for example, ~afzyatd.tmp, ~irusgld.tmp, or ~ifecffl.tmp, to save the intermediate encrypted file. Once fully encrypted, the original file gets deleted and the temporary file gets renamed to a hexadecimal string with a “.locked” extension.

While encrypting files, Stampado avoids wasting its time on unimportant files by excluding files if their path or name contains the following strings:

  • “Temporary Internet Files”
  • “INetCache”
  • “desktop.ini”
  • “stampado_debug.txt”

The file stampado_debug.txt is possibly what was used by the author during development of the malware.

Stampado will also maintain two files in the %AppData% folder with hexadecimal names; one file is for the list of encrypted files and the other is for the status of malware activities.

List maintained for encrypted files

Figure 10: List of encrypted files maintained by Stampado

Maintained status of activity during different stages

Figure 11: Maintained status of activity during different stages

When the encryption of all the target file types is complete, Stampado will display a ransom note as shown below:

Ransom Note

Figure 12: Stampado ransom note

The victim is instructed to contact the attacker over the displayed email address for further information on the ransom required and method of payment. The malware says it will delete the key from the command and control (C&C) server after 96 hours, but this is not true, as there is no private key involved. But it does attempt to delete all encrypted files from the system if no ransom is paid within 96 hours.

Cleanup and remediation

The ransom note shows the unique ID of the victim and includes a text box to accept the decryption key. If accepted and submitted, the key will decrypt the files and delete itself from system. The variants of Stampado we have seen use symmetric encryption, and the encryption key is generated locally based on the victim’s system details along with other constant values — without any communication to the C&C server.

Decryption and Cleanup Window

Figure 13: Decryption and cleanup window

To clean a system after a Stampado infection, you will either need to enter the decryption code or kill the process and remove the autostart entries, which would save your files from being deleted. If you are unable to kill the process, you can run the following command in order to remove the autostart registry entry, which prevents the malware from running after system restart:

REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Update"

Restart the system, run folowing command on command prompt to delete scvhost.exe from %AppData% folder and use the freely available decrypter by Fabian Wosar to decrypt your files.


DEL scvhost.exe


Ransomware remains one of the most prevalent threats in 2016. We have seen over a dozen new ransomware families in the wild actively targeting users. Fortunately, in the case of Stampado, it is relatively easy to recover your files. We advise you not to pay the ransom, as it is possible to decrypt your files without doing so. To protect your data against ransomware, always keep your software updated and conduct regular backups.


Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this