Being infected with ransomware and having all of your files encrypted is a horrible feeling. I have been told that victims feel violated, depressed, scared, and angry, and to make matters worse, now they have to fork over a lot of money to some criminal to get their files back.

Typically, ransomware infections target specific file extensions for encryption. This means that unless a particular ransomware encrypts every file type on a drive, files that have already been encrypted will not be encrypted by a subsequent ransomware infection.

Along comes the Stampado dev, who in my opinion has now taken ransomware to a new low by specifically targeting files that have already been encrypted by other ransomware. While working on his Stampado decryptor, Fabian Wosar of Emsisoft found that a new version of Stampado has additional targeted extensions that correspond to ransomware-encrypted files. That means that if someone is already dealing with a ransomware infection and becomes infected by Stampado, they will now have to pay twice to get the same files back.

Targeting Ransomware Encrypted Files

In the source code snippet above we see that the Stampado dev is actively targeting over 50 different extensions that are known to be files encrypted by other ransomware. I see extensions from Kimcil, Cerber, TeslaCrypt, LeChiffre, Locky, Coverton, PadCrypt, and many others.

Though Stampado is easily decrypted using Fabian Wosar's Stampado Decryptor, this shows us that for the Stampado dev there is no honor among thieves.
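
For responders sorting out a machine hit twice, the following added example (not code from the original article or from Emsisoft's decryptor) peels stacked extensions off file names and reports the layers outermost first, which is the order in which they have to be undone. It assumes each infection appended its own extension; the extension-to-family map and the file listing are constructed samples, not values taken from the snippet the article refers to.

```python
from pathlib import PurePath

# Constructed sample map (assumption, not from the article):
# appended extension -> family label. Replace with values from your own case.
SAMPLE_EXTENSIONS = {
    ".locked": "Stampado",
    ".locky": "Locky",
    ".cerber": "Cerber",
    ".micro": "TeslaCrypt",
}

# Constructed file listing, as it might come from a triage script.
SAMPLE_LISTING = [
    "report.docx.locky.locked",  # encrypted twice
    "PHOTO.JPG.CERBER",          # encrypted once, upper-case extension
    "budget.xlsx.locked",        # encrypted once
    "notes.txt",                 # untouched
]


def encryption_layers(name, ext_map=SAMPLE_EXTENSIONS):
    """Return (layers, original_name); layers are listed outermost first."""
    layers = []
    path = PurePath(name)
    # Strip one known extension at a time until an unknown suffix remains.
    while path.suffix.lower() in ext_map:
        layers.append(ext_map[path.suffix.lower()])
        path = path.with_suffix("")
    return layers, str(path)


def triage(names, ext_map=SAMPLE_EXTENSIONS):
    """Group file names by how many encryption layers their names show."""
    report = {"clean": [], "single": [], "layered": []}
    for name in names:
        layers, original = encryption_layers(name, ext_map)
        if not layers:
            report["clean"].append(name)
        elif len(layers) == 1:
            report["single"].append((name, original, layers))
        else:
            report["layered"].append((name, original, layers))
    return report


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LISTING).items():
        print(bucket, entries)
```

Files in the `layered` bucket need the outermost layer removed first; a decryptor for the inner family will not recognise the file until that is done.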
