
Stampado (.locked) Ransomware Help & Support - scvhost.exe


#1 Grinler (Lawrence Abrams, Admin)
Posted 22 July 2016 - 10:55 PM

Stampado is a ransomware created in the AutoIT scripting language that encrypts a victim's files using AES encryption. When encrypting files it will target the victim's %UserProfile% folder and then the other drive letters. All encrypted files will have the extension .locked appended to the filenames.

The files targeted by Stampado are:
 
.jpg, .jpeg, .gif, .bmp, .c, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .mov, .mp3, .cpp, .au3, .pas, .php, .wav, .wma, .wmv, .mp4, .rar, .zip, .7z, .001, .html, .pdf, .txt, .ai, .dmg, .dwg, .ps, .flv, .xml, .skp, .aiml, .sql, .cdr, .svg, .png, .ico, .ani, .m4a, .avi, .csv, .d3dbsp, .sc2save, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .bak, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .map, .wmo, .itm, .sb, .fos, .mcgame, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .001, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .DayZProfile, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .unity3d, .wotreplay, .xxx, .desc, .py, .m3u, .js, .css, .rb, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .cdr, .indd, .eps, .pdd, .psd, .dbfv, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .pst, .accdb, .mdb, .pptm, .ppsx, .pps, .xlk, .xlsb, .xlsm, .wps, .docm, .odb, .odc, .odm, .odp, .ods, .odt
 
This ransomware is currently located in %UserProfile%\AppData\Roaming\scvhost.exe and has an autorun of:
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update    %UserProfile%\AppData\Roaming\scvhost.exe
 
This ransomware can be decrypted using a decryptor made by Fabian Wosar of Emsisoft. In order to decrypt your files you will need the email address from the lock screen and the unique user id.  More info about the decryptor can be found here: https://decrypter.emsisoft.com/stampado
 
Associated email addresses are ransom64@sigaint.com and paytodecrypt@sigaint.org.


#2 shicomu (Members)

Posted 08 August 2016 - 06:40 AM

One of my customers was hit by stampado.

I was just a little bit late to catch the screen with the ID.

Shortly after the machine was on the desktop the screen went and did not come back... :(

 

Is there any way to get the screen back?



#3 MRagusta (Members)

Posted 31 August 2016 - 09:57 AM

Almost all of my files are encrypted with the new variant of Stampado [<random character>.locked]. I also didn't get any message or ransom note from the attacker, so I can't even use the older Stampado decryptor because I don't have any email address or my ID. I hope there is an update on how to decrypt the files and that someone shares the info here. Thank you very much!



#4 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 10 September 2016 - 09:09 AM

Fabian Wosar updated his decrypter to support the latest version. You can find it here.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 FraserCorrance (Members)

Posted 01 March 2017 - 02:33 PM

Hello all!

 

A client of mine brought in a computer that has been infected with what appears to be the Philadelphia ransomware or something very close to it. Since Philadelphia is a variant of Stampado, quietman7 suggested I try asking these questions in this thread.

 

The computer is no longer functioning due to blown capacitors and a failing hard drive. I was able to image the drive and recover data from the image. In the recovered data I found a file on the client's desktop called LOCKED.TXT. I submitted both the ransom note and one of the encrypted files to the ID Ransomware site and it came up with 3 possibilities: Stampado, Philadelphia, or Fantom. The client mentioned seeing a message saying that this was the Philadelphia ransomware when they checked the project in. I downloaded the Philadelphia decryption tool from Emsisoft and submitted 3 matched pairs of files, one encrypted and one that is not, but none of these attempts were able to produce a decryption key.

 

 
My questions for you, the community, are as follows:
 
1)  Are the encrypted files the same size as the original file was before encryption? Since the file names are randomized during encryption I was matching the files up by file size and folder location.
2)  Is it possible that this is some new sort of variant that the decrypter cannot work with?
3)  Is the source computer required in order to decrypt the files or can this be done from a 3rd party computer? I am assuming this can be done using a different computer.

4)  Should I have my client help me find more matching file sets and just keep trying to produce a key to decrypt the data?

 

 

Any help or advice you have would be greatly appreciated.
 
Thank You.
 
Fraser 
 
ps.  Here is the text from the ransom note:
 
All your files have been encrypted!
 
All your documents (databases, texts, images, videos, musics etc.) were encrypted. The encryption was done using a secret key 
that is now on our servers.
 
To decrypt your files you will need to buy the secret key from us. We are the only on the world who can provide this for you.
 
What can I do?
 
Pay the ransom, in bitcoins, in the amount and wallet below. You can use LocalBitcoins.com to buy bitcoins. Email Us at  isellbtc@yandex.com
 
Bitcoin Amount: 0.5
Wallet for Sending Bitcoins: 1FfrH3KokFDpg5TABBW8sySe6nM4mFTNvT
 
 


#6 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 02 March 2017 - 04:28 PM

My questions for you, the community, are as follows:

 
1)  Are the encrypted files the same size as the original file was before encryption? Since the file names are randomized during encryption I was matching the files up by file size and folder location.
2)  Is it possible that this is some new sort of variant that the decrypter cannot work with?
3)  Is the source computer required in order to decrypt the files or can this be done from a 3rd party computer? I am assuming this can be done using a different computer.

4)  Should I have my client help me find more matching file sets and just keep trying to produce a key to decrypt the data?

 

1) No, they are slightly different sizes usually.

From the decrypter information:

To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version. Due to the file name encryption this can be a bit tricky. The best way is to simply compare file sizes. Encrypted files will have the size of the original file rounded up to the next 16 byte boundary. So if the original file was 1020 bytes large, the encrypted file will be 1024. Select both the encrypted and non-encrypted file and drag and drop both of them onto the decrypter file in your download directory.

2) We would need the malware then.

3) No

4) Yes, that would be good.

 

If you can scan the system image, you may find the malware file still on there.

 

xXToffeeXx~

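One way to apply the size rule quoted above when pairing recovered originals with .locked files, as an added example that is not from the thread or from the Emsisoft decrypter. File names and sizes are constructed; the behaviour for an original whose length is already a multiple of 16 is not stated in the thread and is marked as an assumption.

```python
import math
from collections import defaultdict

BLOCK = 16  # AES block size in bytes

def encrypted_size(original_size: int) -> int:
    """Predict the encrypted size from the rule in the decrypter notes:
    original length rounded up to the next 16-byte boundary (1020 -> 1024).
    Assumption: a length already on a boundary is left unchanged; whether this
    variant adds a full padding block there is not stated, so verify such pairs."""
    return math.ceil(original_size / BLOCK) * BLOCK

def is_plausible_encrypted_size(size: int) -> bool:
    """A .locked file whose size is not a multiple of 16 cannot be the output of
    the scheme described here, which hints at a different variant or damage."""
    return size % BLOCK == 0

def pair_by_size(originals: dict, encrypted: dict) -> dict:
    """Match recovered originals (e.g. from a backup) to .locked files by size
    alone, since the encrypted names are randomised. Returns
    {original_name: encrypted_name} only for unambiguous pairs: exactly one
    original and exactly one encrypted file share the predicted size."""
    by_predicted = defaultdict(list)
    for name, size in originals.items():
        by_predicted[encrypted_size(size)].append(name)
    by_actual = defaultdict(list)
    for name, size in encrypted.items():
        by_actual[size].append(name)
    pairs = {}
    for size, orig_names in by_predicted.items():
        enc_names = by_actual.get(size, [])
        if len(orig_names) == 1 and len(enc_names) == 1:
            pairs[orig_names[0]] = enc_names[0]
    return pairs

# Constructed sample data: names and sizes (bytes) are made up for illustration.
SAMPLE_ORIGINALS = {
    "budget.xlsx": 1020,
    "photo.jpg": 204_801,
    "notes.txt": 37,
    "draft.docx": 37,       # same size as notes.txt -> ambiguous, not paired
}
SAMPLE_ENCRYPTED = {
    "Ab3dQ.locked": 1024,
    "zZ91k.locked": 204_816,
    "Q7pLm.locked": 48,
    "m0x2R.locked": 48,
}

if __name__ == "__main__":
    for orig, enc in pair_by_size(SAMPLE_ORIGINALS, SAMPLE_ENCRYPTED).items():
        print(f"{orig} <-> {enc}")
```

Only unambiguous pairs are reported; a size shared by several candidates still needs folder location or content checks, as the thread suggests.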
