Crooks are advertising a new breed of ransomware on the Dark Web, calling it Stampado and selling it for only a fraction of the price of other ransomware variants, namely a meager $39 for a lifetime license.
While most ransomware families cost hundreds of dollars to rent each month, Stampado decided to open the gates of hell and unleash cheap ransomware on the market, with a slew of features that allow subsequent crooks to focus on distribution and leave malware coding to the Stampado crew.
According to, the cyber-security vendor that spotted Stampado’s ad, the ransomware has the same features, at least on paper, that are also found in the infamous and still-undecrypted CryptoLocker ransomware.
Stampado available as a RaaS offering
Crooks are offering Stampado via a Ransomware-as-a-Service (RaaS) model that has become very popular among cyber-criminals. This means that a buyer would receive a builder or get access to a control panel where they could create their custom ransomware file and then embed it in other documents to distribute as spam, adware, or fake installers.
Stampado’s authors say that they can provide ransomware payloads in formats such as EXE, BAT, DLL, SCR, and CMD.
Along with the Dark Web advertisement, the crooks also recorded a video to guide potential buyers through the infection process. This video provided some clues of how Stampado works.
The ransomware locks files with the “.locked” file extension, also used by other ransomware families, and comes with a very well worded ransom note that includes all the details to pay the ransom.
No Stampado infections detected until now
The ransom fee is probably customizable based on each buyer’s preference, along with a grace period, which in the video appears to be 96 hours.
After that, Stampado will delete a random file from the infected computer every six hours. This behavior is similar to the Jigsaw ransomware, which also deletes user files to scare the victim into paying the ransom.
No Stampado samples were detected in the wild at the time of writing, so neither Heimdal Security nor other experts Softpedia contacted can tell if the ransomware could be decrypted.
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.
Recommended article from FiveFilters.org: .