Stampado is one of the many new ransomware strains we have seen in 2016. Stampado was first seen in the wild in July 2016, as one of the cheapest pieces of ransomware available on the underground forums.
Figure 1: Stampado sales ad on dark web
In this report, we will provide an analysis of Stampado ransomware, shown to be capable of encrypting files with more than 1,200 file extensions and containing self-propagating features. In addition to the typical ransom demand, this variant threatens to delete a randomly selected file every six hours until payment and, if no payment is received within 96 hours, all files will be permanently deleted.
Stampado typically arrives via spam e-mail or drive-by downloads. The file we examined was packed with the UPX packer and written in AutoIt. Upon unpacking and decompilation, the AutoIt code appears to be obfuscated.
Figure 2: Obfuscated Code
Upon deobfuscation, the code appears as shown below:
Figure 3: Deobfuscated code
Installation and persistence
The malware installs itself in the %AppData% folder with the name scvhost.exe in an attempt to look like a genuine Windows process (svchost.exe) and also creates the following autostart registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  "Windows Update" = %AppData%\scvhost.exe
Stampado runs itself from the new location as scvhost.exe and terminates the current process.
Figure 4: Installation and persistence code
The main functionality of the Stampado variant is illustrated in the infographic below:
Figure 5: Stampado overall activity diagram
This ransomware also has a worm-like spreading functionality. It attempts to make a copy of itself on the removable drives and network drives reachable from the infected system. The malware also registers a callback function to monitor the removable drives; this way, it can infect the removable drive as soon as it connects to the compromised system.
It drops a copy of itself at [DrivePath]\myDisk\drivers.exe with the file attributes set to +SHR (system, hidden, read-only) to hide itself, creates the file [DrivePath]\autorun.inf, and creates shortcut files with the names of existing files pointing to the malware executable, after hiding the original files. This causes the malware executable to run when the user clicks on any of the shortcut files.
Figure 6: Self-replication code
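As an added example (not code from the original report), the following Python script triages a mounted drive for the self-replication artefacts described above: the drivers.exe dropper under myDisk, autorun.inf, and decoy .lnk shortcuts named after real files in the same folder. The sample drive layout it builds is constructed for the demonstration, and the +SHR attribute check only returns a result on Windows hosts.

```python
import os
import tempfile
from pathlib import Path

# Win32 file-attribute bits; the +SHR check is only meaningful on a Windows host.
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x1, 0x2, 0x4

def has_shr(p):
    """True if the file carries System+Hidden+ReadOnly; None where the OS does not expose attributes."""
    a = getattr(p.stat(), "st_file_attributes", None)
    if a is None:
        return None
    return bool(a & FILE_ATTRIBUTE_READONLY and a & FILE_ATTRIBUTE_HIDDEN and a & FILE_ATTRIBUTE_SYSTEM)

def triage_drive(root):
    """Walk a drive root and report Stampado-style self-replication artefacts."""
    root = Path(root)
    findings = []
    dropper = root / "myDisk" / "drivers.exe"
    if dropper.is_file():
        findings.append(f"dropper: {dropper} (+SHR={has_shr(dropper)})")
    if (root / "autorun.inf").is_file():
        findings.append(f"autorun: {root / 'autorun.inf'}")
    for dirpath, _, files in os.walk(root):
        others = {f for f in files if not f.lower().endswith(".lnk")}
        for f in files:
            # A decoy .lnk whose visible name (Explorer hides the .lnk suffix) matches a real file here
            if f.lower().endswith(".lnk") and f[:-4] in others:
                findings.append(f"decoy shortcut: {Path(dirpath) / f} shadows {f[:-4]}")
    return findings

def build_sample_drive():
    """Constructed sample layout mimicking an infected removable drive (not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "myDisk").mkdir()
    (root / "myDisk" / "drivers.exe").write_bytes(b"constructed dropper placeholder")
    (root / "autorun.inf").write_text("[autorun]\n; constructed placeholder\n")
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(b"original file, would be hidden on disk")
    (root / "docs" / "report.docx.lnk").write_bytes(b"constructed shortcut placeholder")
    (root / "docs" / "notes.txt").write_bytes(b"clean file with no shortcut")
    return str(root)

if __name__ == "__main__":
    for line in triage_drive(build_sample_drive()):
        print(line)
```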
Before starting file encryption, the malware protects its process from being terminated by exploiting an old kernel bug (setting the “ProcessSelfDelete” flag). This trick was verified to be working on Windows 7 64-bit.
Figure 7: Process Protection Code
Encryption over encryption
Stampado will not spare you even if you have already been infected with other ransomware strains and will re-encrypt already encrypted files; the victim then has to pay a ransom twice to get the original files back. This ransomware targets files already encrypted by multiple ransomware families, along with a long list of important file types. Some of the targeted extensions produced by other ransomware strains are:
"*.locky;*.zepto;*.cerber;*.crypt;*.crypz;*.cryptowall;*.enciphered;*.cryptolocker;*.cryp1;*.lol!;*.breaking_bad;*.crypted;*.encrypted;*.xxx;*.crjoker;*.encrypt;*.zcrypt;*.EnCiPhErEd;"
Stampado encrypts files using AES (Advanced Encryption Standard), a symmetric-key algorithm (the same key is used for encryption and decryption), with a 256-bit key. It derives the encryption key from the following data:
salt string + embedded e-mail + “stamp” + ComputerName + CPUArch + OSArch + “pado”
Figure 8: Part of the Stampado encryption key generation code
Note: the salt string is not present in all samples (it was not present in the sample analyzed).
It searches the following folders on the home drive for files to encrypt:
Figure 9: Building list of folders for file encryption
The malware excludes the following folders from the home drive: Windows, Program Files, User Profiles.
After building a list of folders to encrypt, Stampado starts encrypting files one by one. It creates a temporary file with a random name of the form ~(7 random characters).tmp, for example ~afzyatd.tmp, ~irusgld.tmp, or ~ifecffl.tmp, to hold the intermediate encrypted data. Once the file is fully encrypted, the original is deleted and the temporary file is renamed to a hexadecimal string with a ".locked" extension.
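Added example (not from the original report): detection logic in Python that replays constructed file-activity events and flags a process that repeatedly creates a ~xxxxxxx.tmp file, deletes a user file in the same folder and renames the temp file to a hexadecimal name with the .locked extension. The event format (seq,pid,op,path[,new_path]) and the sample events are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

TMP_RE = re.compile(r"^~[a-z]{7}\.tmp$")              # e.g. ~afzyatd.tmp
LOCKED_RE = re.compile(r"^[0-9a-f]+\.locked$", re.I)  # hex name + .locked

# Constructed file-activity events for the demo (not a real capture).
# Format assumed here: seq,pid,op,path[,new_path]
SAMPLE_EVENTS = """\
1,4242,create,C:\\Users\\bob\\Documents\\~afzyatd.tmp
2,4242,delete,C:\\Users\\bob\\Documents\\budget.xlsx
3,4242,rename,C:\\Users\\bob\\Documents\\~afzyatd.tmp,C:\\Users\\bob\\Documents\\1a2b3c4d.locked
4,4242,create,C:\\Users\\bob\\Documents\\~irusgld.tmp
5,4242,delete,C:\\Users\\bob\\Documents\\photo.jpg
6,4242,rename,C:\\Users\\bob\\Documents\\~irusgld.tmp,C:\\Users\\bob\\Documents\\5e6f7a8b.locked
7,1337,create,C:\\Users\\bob\\Downloads\\~setup.tmp
8,1337,rename,C:\\Users\\bob\\Downloads\\~setup.tmp,C:\\Users\\bob\\Downloads\\setup.exe
"""

def folder_and_name(path):
    folder, _, name = path.rpartition("\\")
    return folder, name

def detect_stampado_pattern(events, threshold=2):
    """Return {pid: [(deleted_original, locked_path), ...]} for every process that
    completed at least `threshold` create-tmp / delete-original / rename-to-.locked cycles."""
    pending = defaultdict(dict)   # pid -> {tmp_path: deleted original in the same folder, or None}
    cycles = defaultdict(list)
    for line in events.splitlines():
        parts = line.split(",")
        _, pid, op, path = parts[:4]
        folder, name = folder_and_name(path)
        if op == "create" and TMP_RE.match(name):
            pending[pid][path] = None
        elif op == "delete":
            # Pair the deleted user file with an open temp file in the same folder
            for tmp, orig in pending[pid].items():
                if orig is None and folder_and_name(tmp)[0] == folder:
                    pending[pid][tmp] = path
                    break
        elif op == "rename" and len(parts) == 5 and path in pending[pid]:
            new_path = parts[4]
            if LOCKED_RE.match(folder_and_name(new_path)[1]):
                cycles[pid].append((pending[pid].pop(path), new_path))
    return {pid: c for pid, c in cycles.items() if len(c) >= threshold}

if __name__ == "__main__":
    for pid, c in detect_stampado_pattern(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {len(c)} encryption cycles, e.g. {c[0]}")
```

The benign installer-style rename by pid 1337 is not flagged because its temp name does not match the seven-letter pattern and the target is not a .locked file.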
While encrypting files, Stampado avoids wasting time on unimportant files by excluding any file whose path or name contains the following strings:
- “Temporary Internet Files”
The file stampado_debug.txt was probably used by the author during development of the malware.
Stampado also maintains two files in the %AppData% folder with hexadecimal names: one holds the list of encrypted files and the other the status of the malware's activities.
Figure 10: List of encrypted files maintained by Stampado
Figure 11: Maintained status of activity during different stages
When the encryption of all the target file types is complete, Stampado will display a ransom note as shown below:
Figure 12: Stampado ransom note
The victim is instructed to contact the attacker over the displayed email address for further information on the ransom required and method of payment. The malware says it will delete the key from the command and control (C&C) server after 96 hours, but this is not true, as there is no private key involved. But it does attempt to delete all encrypted files from the system if no ransom is paid within 96 hours.
Cleanup and remediation
The ransom note shows the unique ID of the victim and includes a text box to accept the decryption key. If the key is accepted and submitted, it decrypts the files and the malware deletes itself from the system. The variants of Stampado we have seen use symmetric encryption, and the encryption key is generated locally from the victim's system details and other constant values, without any communication with the C&C server.
Figure 13: Decryption and cleanup window
To clean a system after a Stampado infection, you will either need to enter the decryption code or kill the process and remove the autostart entries, which would save your files from being deleted. If you are unable to kill the process, you can run the following command in order to remove the autostart registry entry, which prevents the malware from running after system restart:
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Update"
Restart the system, run the following commands at a command prompt to delete scvhost.exe from the %AppData% folder, and then use the freely available decrypter by Fabian Wosar to decrypt your files.
CD %APPDATA%
DEL scvhost.exe
Ransomware remains one of the most prevalent threats in 2016. We have seen over a dozen new ransomware families in the wild actively targeting users. Fortunately, in the case of Stampado, it is relatively easy to recover your files. We advise you not to pay the ransom, as it is possible to decrypt your files without doing so. To protect your data against ransomware, always keep your software updated and conduct regular backups.