
Philadelphia! New ransomware from developer of Stampado.



#1 Arslan0708

  • Members
  • 1 posts

Posted 07 September 2016 - 03:26 PM

I managed to compromise one user's machine of the underground community called "Alphabay" and intercepted their chat over Jabber (Pidgin)... I know it's not legal, but imo we have to use the same methods to conquer them. I never doxed his identity or deanonymised him.

(23:54:34) The following message received from the_rainmaker@exploit.im was not encrypted: [Hello friend]
(23:54:35) The following message received from the_rainmaker@exploit.im was not encrypted: [You here ?]
(08.09.2016 0:40:26) Attempting to start a private conversation...
(0:40:26) SkrillGuide2015: Yes! Hey
[Image] (0:40:28) Unverified conversation with the_rainmaker@exploit.im/The_Rainmaker started.  Your client is not logging this conversation.
(0:40:32) SkrillGuide2015: How are you doin'?
(0:41:43) the_rainmaker@exploit.im: Good friend
(0:42:09) the_rainmaker@exploit.im: I start sell Philadelphia today friend
(0:42:27) the_rainmaker@exploit.im: Look if you have interest 
(0:42:28) the_rainmaker@exploit.im: Description about Product: 
 
Conquer your Independence with Philadelphia! Get an Advanced and Customisable Ransomware at a Lifetime License!
 
Philadelphia innovates the Ransomware Market by presenting several features that makes it possible to manage a very advanced Ransomware attack with a cheap maintenance price (it can even be zero)! It's also autonomous, with Autodetected Bitcoin Payments! Just spread and wait for the money to come ;-)
 
By buying Philadelphia, you'll receive an all-in-one software that will allow you to make unlimited builds.
 
Everything is customisable:
 
- You can set the folders where the Ransomware will look for files as well as the depth/recursion level
 
- You can set the extensions, you can enable, disable and define intervals for the deadline and the russian roulette (as well as editing how many files are deleted on every russian roulette interval and whether the files or the crypt key gets deleted once the deadline ends
 
- You can edit file icon and Mutex
 
- You can edit the UAC (user access control) in four available options: (1) do not ask for admin privilleges; (2) ask and insist until it is given; (3) ask but run anyway even if it is not given; (4) ask and give up if it is not given
 
- You can edit all the interface texts as well as add multiple languages to the same file (it will detect the machine language and display the texts you edited for that locale or a default/fallback one)
 
- You can enable or disable USB infect, network spread and Unkillable Process, as well as set the process name
 
The Philadelphia Headquarter is a software that works on your machine and allows you to generate unlimited builds, see the victims on a map and on a list (with country flags and all the data you need) and also a "Give Mercy" button if you're too good 0:)
 
But the coolest Philadelphia feature (and what makes its maintenance so cheap) is that, instead of huge servers on our controls where you must pay high amounts monthly, we present you the "Bridges". Bridges are the way victims and attacker enters in touch in a distributed network. It's simply a PHP script that uses itself as database (no MySQL or whatever needed, just PHP). Bridges store the clients keys, verifies payments and provide the victims informations to the headquarters safely. And they can be hosted on nearly any server: even hacked servers, shared hosting (free hosting works but it is not recommended as they can delete your account if it's not a fully functional website), dedicated or VPS (recommended for bigger attacks, although the requests are small and are only done a few times). As the bitcoin payment verification is done on the server side, by the bridge, there is no way to spoof it on the victim machine. Also, the distributed bridges network will grant a better anonimity.
 
Everything very well documented on a plain-english help file!
 
16:29
 
(0:42:41) SkrillGuide2015: ohh :)
(0:44:49) the_rainmaker@exploit.im: Have interest ? :)
(0:44:54) SkrillGuide2015: WOW!!
(0:44:57) SkrillGuide2015: yeah!
(0:45:02) SkrillGuide2015: whats the price maan??? :)
(0:45:08) the_rainmaker@exploit.im: $400 friend
(0:45:18) the_rainmaker@exploit.im: But how I know you
(0:45:21) the_rainmaker@exploit.im: I can give discount 
(0:45:26) the_rainmaker@exploit.im: $350 :(
(0:45:29) the_rainmaker@exploit.im: * :)
(0:45:32) the_rainmaker@exploit.im: You help me a lot 
(0:45:35) SkrillGuide2015: Thats great! 
(0:45:52) SkrillGuide2015: no problems mate...I like help others by nature :)
(0:46:13) the_rainmaker@exploit.im: Great guy :)
(0:46:44) SkrillGuide2015: I will talk with my friend now...he must send me coins...or at max I will buy it on next Monday.. Lets' see how this best works.. :)
(0:46:52) SkrillGuide2015: I have some questions..can i ask?
(0:46:57) the_rainmaker@exploit.im: Yes
(0:47:12) SkrillGuide2015: Is encrrpyting algorithm is different than in Stampado?
(0:47:19) SkrillGuide2015: I mean is it faster?
(0:47:44) the_rainmaker@exploit.im: Little more faster
(0:47:51) the_rainmaker@exploit.im: But all ransomwares work in same way
(0:48:22) SkrillGuide2015: Are you considering to make a low-level ransomware?
(0:48:39) SkrillGuide2015: I mean which will encrypt whole HDD not files
(0:48:57) SkrillGuide2015: Anyway very interested in this man :)
(0:49:25) SkrillGuide2015: Let's see what an amazing article WSJ will post about..I know you paid them for marketing LOL :D
(0:50:07) the_rainmaker@exploit.im: Ransomware cant encrypt all HD because can corrupt system
(0:51:48) the_rainmaker@exploit.im: This only rewrite MBR
(0:51:50) the_rainmaker@exploit.im: No big deal
(0:51:55) the_rainmaker@exploit.im: and is no automatic payment
(0:52:39) SkrillGuide2015: ok, but I would be really happy to see how your Philadelphia works..with its nice-looking panel :)
(0:52:51) the_rainmaker@exploit.im: yes friend :)
(0:52:59) the_rainmaker@exploit.im: I start spread today
(0:53:04) the_rainmaker@exploit.im: I want infect 20k today
(0:53:06) the_rainmaker@exploit.im: Until now
(0:53:09) the_rainmaker@exploit.im: 2,7k 
(0:53:11) the_rainmaker@exploit.im: infected :)
(0:53:14) SkrillGuide2015: wow great
(0:53:37) SkrillGuide2015: As you are programmer and maybe you know....where can I rent exploit kits such as Angler and Neutrino?
(0:53:46) SkrillGuide2015: do you know any marketplaces or links?
(0:53:49) the_rainmaker@exploit.im: Yes
(0:53:51) the_rainmaker@exploit.im: I use neutrino
(0:53:55) SkrillGuide2015: cool
(0:53:56) the_rainmaker@exploit.im: Is good
(0:54:00) the_rainmaker@exploit.im: Me and one friend use
(0:54:03) the_rainmaker@exploit.im: But is expansive...
(0:54:30) SkrillGuide2015: I know what is price of it...and please tell me I want to talk with its developer, please give me link if possible
(0:55:18) the_rainmaker@exploit.im: I send contact for neutrino
(0:55:20) the_rainmaker@exploit.im: is 
(0:55:23) the_rainmaker@exploit.im: 4k month for rent
(0:56:36) SkrillGuide2015: I know its expensive...I have guys who are ready to pay such....please if you can give me link to that it would be great...I would spread this and stampado along the way together
(0:56:56) the_rainmaker@exploit.im: Talk with this guy: s@userjab.com
(0:57:03) SkrillGuide2015: currently I am using RAT and buying bots but these bots are coming from poor asian countries
(0:57:03) the_rainmaker@exploit.im: But
(0:57:16) the_rainmaker@exploit.im: Only add if you go rent, if you add only for make questions
(0:57:20) the_rainmaker@exploit.im: Him block you
(0:57:26) the_rainmaker@exploit.im: lol
(0:57:29) SkrillGuide2015: lol
(0:57:30) SkrillGuide2015: ok
(0:57:36) SkrillGuide2015: thanks mate...appreciate it
(0:57:47) SkrillGuide2015: where he promotes his product?
(0:57:55) SkrillGuide2015: on exploit.in or somewhere else?
(0:58:00) the_rainmaker@exploit.im: exploit.i
(0:58:02) the_rainmaker@exploit.im: yes
(0:58:10) SkrillGuide2015: ok mate
(0:58:11) SkrillGuide2015: thanks
(0:58:22) the_rainmaker@exploit.im: No problem
(0:58:31) the_rainmaker@exploit.im: I wait you for buy Philadelphia :)
(0:58:39) SkrillGuide2015: ;)
P.S.
I checked the "store" of user @The_Rainmaker on Alphabay myself, and it seems like he is selling his ransomware only privately.

During my research I found that most users of Stampado used to spread it through email spam, but mostly through freelancing websites such as Freelancer.com, Upwork.com, peopleperhour.com, guru.com, etc. Posing as legitimate hiring managers, they were forcing freelancers to execute their payload "just to see if it works on their machine", as they say. So, please, everybody use only updated antiviruses/antimalware... when you see some suspicious file, check it on virustotal.com before executing... cyber-crooks can bypass antiviruses too, by crypting and obfuscating their malicious code, so please be on the watch... I just don't want you, all the members of this community, to become victims of ransomware, because it really hurts when you lose so many valuable files... Also, reading this conversation we can see that they are using strong exploit kits like Angler and Neutrino, so do not visit websites you don't actually need to visit or those that you don't trust... and update all your software to patch existing vulnerabilities.
Stay safe.



#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,660 posts
  • Gender: Male
  • Location: USA

Posted 08 September 2016 - 01:34 PM

Thanks for the info. Writing an article on this now.



#3 brunoid

  • Members
  • 1 posts

Posted 09 September 2016 - 09:21 AM

This is also good info about Stampado ransomware and its decrypter: http://www.raritysoft.com/reviews/ransomware-decrypters


Edited by brunoid, 09 September 2016 - 09:21 AM.


#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,905 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 09 September 2016 - 03:24 PM

BC News article has been posted by Grinler: The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals

If victims need assistance, they should ask for help in this support topic.

#5 xXToffeeXx (Bleepin' Polar Bear)

  • Malware Response Instructor
  • 6,086 posts
  • Gender: Female
  • Location: The Arctic Circle

Posted 10 September 2016 - 09:09 AM

Fabian Wosar made a decrypter for this ransomware. It can be found here.