Sergey Nivens - Fotolia

How does Stampado ransomware spread to external drives?

The Stampado ransomware is a low-cost threat to networks and external drives. Expert Matthew Pascucci explains how Stampado works and how enterprises should handle it.

A type of ransomware called Stampado is available for a low price on the dark web. The ransomware is a threat to networks and external drives. How does Stampado spread to removable drives, and how can enterprises protect their networks from this easy to get ransomware?

Ransomware is a growing industry, and new variants are continually showing up in the wild. The Stampado ransomware is interesting because it's being sold for a relatively low price of $39 on the dark web, and it includes self-propagating methods to spread itself through networks. The purchase of Stampado comes with a license that's being sold as a "lifetime guarantee" and has the ability to encrypt files of over 1,200 different extensions.

If there's no payment sent to the ransomware owner within 96 hours of being infected, all of the victim's encrypted files are then deleted. During this time, the malware deletes a random file every six hours until it reaches the deadline and wipes everything. The Stampado ransomware owners are using these deadlines to scare victims into paying. Also, Stampado has been seen encrypting other ransomware files and having the victims pay double for the files they want back.

Unlike many other variants that demand bitcoin payments via Tor, the Stampado ransomware displays an email address that it asks victims to contact. When doing so, they offer the ability to send one encrypted file to them to be decrypted for free to prove that they have the decryption key. This is their version of "proof of life" when it comes to ransomware.

The malware propagates itself normally via spam, drive-by downloads or through drives that have been infected with replicating versions of itself. The malware will install itself like other applications in the %AppData% directory as scvhost.exe -- this is an attempt to mimic the valid Windows executable of svchost.exe.

Once installed, the ransomware replicates to all network and removable drives and starts encrypting files on them. While attaching to these drives, it makes a copy of itself that also hides all the current files and has them replaced with a shortcut to the installed malware. Once an unsuspecting user clicks the file (shortcut), it executes the malware that's lying dormant. After installation, the Stampado ransomware goes through known areas of a system to look for files, including home directories, and excludes particular directories of no interest to quicken the damage.

If an enterprise is infected with Stampado ransomware, the first thing to do is not pay the ransom. Paying the ransom allows these cybercriminals to continue developing other variants. The next step would be to find the process and kill it. This would at least stop the malware from deleting files in the meantime, and it will give you time to think. The next step would be to go to antimalware vendor Emsisoft and download the decryption code for the Stampado ransomware; Emsisoft CTO Fabian Wosar was able to create a tool that generates the code after going through the steps in the link.

In order to protect yourself from ransomware, follow the tried and true techniques of staying patched, not clicking on links you don't recognize in emails and backing up your data. These three areas of defense are tested techniques to mitigate being infected by ransomware.

Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn about a new form of ransomware, doxware

Find out how to prevent and respond to a healthcare ransomware infection

Discover how to prevent ransomware attacks

Dig Deeper on Threats and vulnerabilities