Another Decrypted Piece of Ransomware

Tuesday, July 26, 2016 @ 04:07 PM gHale


New strains of ransomware keep being released, and security professionals are keeping pace by issuing decrypters as soon as possible.

That is the case with Fabian Wosar, a malware analyst at Emsisoft, who created a free decrypter that can unlock files encrypted by the just-discovered Stampado ransomware.

Researchers from Heimdal Security first spotted the ransomware ten days ago.

Stampado was advertised on the Dark Web as a Ransomware-as-a-Service (RaaS).

Its author was selling the ransomware for $39, compared to other RaaS offerings that sold for hundreds or thousands of dollars.

Security researchers were eventually able to find some samples of this ransomware uploaded on VirusTotal. It did not take long for Wosar to find a weakness in Stampado.

The ransomware is written in the AutoIt scripting language, appends the .locked extension to every encrypted file, and uses the symmetric AES-256 encryption algorithm, Wosar said.

The ransomware still relies on victims contacting the attackers via email to negotiate the ransom payment, instead of using an automated payment website, usually hosted on the Tor network, as most other ransomware families do.

To use Wosar’s free decrypter, which you can download from Emsisoft’s website, users need to have on hand the email address and the ID Stampado used for their computers.

To run the Stampado decrypter, add the email address and ID to the Options section of the app, and press the Decrypt button when ready.

Running the decrypter is a trivial operation, but to be safe and avoid data loss, researchers said, make a copy of the encrypted files first, in case the decryption process runs into errors and destroys some of them.
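As an added example (not code from the article, Emsisoft, or the decrypter itself), the following Python script performs the safety copy the researchers advise: it copies every file carrying Stampado's .locked extension into a separate backup directory, records a SHA-256 manifest, and can re-verify the copies before and after the decrypter is run. The directory names are assumptions; the .locked extension is the one the article reports.

```python
import hashlib
import shutil
from pathlib import Path
from typing import Dict

LOCKED_EXT = ".locked"  # extension Stampado appends to encrypted files (per the article)

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large encrypted files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_locked_files(src_root: Path, backup_root: Path) -> Dict[str, str]:
    """Copy every *.locked file under src_root into backup_root, preserving the
    relative path, and return {relative_path: sha256} as the manifest.
    Each copy is re-hashed immediately so a failed copy is caught before any
    decryption attempt touches the originals."""
    manifest: Dict[str, str] = {}
    for path in sorted(src_root.rglob(f"*{LOCKED_EXT}")):
        if not path.is_file():
            continue
        rel = path.relative_to(src_root)
        dest = backup_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 keeps timestamps, useful for later triage
        digest = sha256_of(path)
        if sha256_of(dest) != digest:
            raise RuntimeError(f"backup copy of {rel} does not match the original")
        manifest[rel.as_posix()] = digest
    (backup_root / "manifest.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items()))
    return manifest

def verify_backup(backup_root: Path) -> bool:
    """Re-hash the backed-up copies against the manifest; False on any mismatch."""
    manifest_file = backup_root / "manifest.sha256"
    for line in manifest_file.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = backup_root / rel
        if not target.is_file() or sha256_of(target) != digest:
            return False
    return True
```

Run `backup_locked_files(Path("C:/Users/victim"), Path("D:/stampado-backup"))` before starting the decrypter, and `verify_backup` afterwards to confirm the copies are still intact if any originals need to be restored.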