{
	"id": "a1e3c783-3ddb-4461-9131-38df6dbc0c23",
	"created_at": "2026-04-06T00:11:48.708269Z",
	"updated_at": "2026-04-10T03:20:45.490814Z",
	"deleted_at": null,
	"sha1_hash": "d6ec0cd9de6c5de610edb30bac3ddbd1f331bec7",
	"title": "Stampado Ransomware campaign decrypted before it Started",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1015946,
	"plain_text": "Stampado Ransomware campaign decrypted before it Started\r\nBy Lawrence Abrams\r\nPublished: 2016-07-22 · Archived: 2026-04-05 12:47:08 UTC\r\nSince Stampado was discovered being sold on the darkweb for the cheap price of $39 USD, no samples had been available. That\r\nchanged today when I discovered two samples of Stampado on VirusTotal. It is currently unknown whether these samples are from\r\na live distribution campaign or were submitted by the distributor/developer to test how well they are detected by security\r\nprograms. In practice it does not matter: from these samples a decryptor has already been made by Fabian\r\nWosar.\r\nStampado Lock Screen\r\nWhat we do know is that Stampado is fully functional and written in the AutoIT scripting language. When installed,\r\nit encrypts a victim's files using AES encryption and then demands a ransom to get them back. The two\r\nsamples I discovered are named kek.exe and WifiHack.exe. At this time the ransom amount is unknown;\r\nvictims have to email the specified address to get payment instructions.\r\nHow to Decrypt files encrypted by Stampado\r\nFabian Wosar, of Emsisoft, was able to analyze the Stampado samples and create a decryptor for the infection. To use\r\nFabian's decryptor, download it from the following URL: https://decrypter.emsisoft.com/stampado. 
Once\r\ndownloaded, execute it and go into the Options screen, where you will need to enter your ID and the email address found on\r\nthe lock screen.\r\nDecryptor Options\r\nOnce you have entered the required information, go back to the Decryptor tab and begin decrypting your files.\r\nDecrypting Files\r\nWhen the decryptor has finished decrypting the files, you can close the program.\r\nPossible link between Stampado and Jigsaw?\r\nThere are some interesting, though possibly weak, correlations between the Jigsaw ransomware and Stampado.\r\nOne of the nastier \"features\" of Stampado is its Russian Roulette, which randomly deletes an encrypted file every 6\r\nhours. Each time this roulette countdown reaches 0, the number of files deleted is doubled. The same incrementing file\r\ndeletion behavior is exhibited by Jigsaw during its countdown. As file deletion in ransomware is very rare, it\r\nis interesting to see similar behavior in the two infections.\r\nCoincidentally, Michael Gillespie found a variant of Jigsaw yesterday that included the email address\r\nstampado@narod.ru. Coincidence or not?\r\nJigsaw background containing an email with Stampado\r\nLast, but not least, Stampado is being sold on the same darkweb site as Jigsaw. 
Granted, these connections are weak at best,\r\nyet I felt it was worth mentioning.\r\nHow Stampado encrypts a victim's Files\r\nWhen Stampado is installed it copies itself to %AppData%\\scvhost.exe (note the transposed letters, mimicking the legitimate\r\nsvchost.exe) and encrypts specific file types found under the victim's %UserProfile% folder using AES encryption. When it\r\nencrypts a file, it appends the .locked extension to it, so a file called test.jpg is renamed test.jpg.locked. The file\r\ntypes currently targeted by Stampado are:\r\n.jpg, .jpeg, .gif, .bmp, .c, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .mov, .mp3, .cpp, .au3, .pas, .php, .wav, .wma, .wmv,\r\nDuring the encryption process, Stampado also creates two files in the %AppData% folder that have 32-character\r\nhexadecimal names. One file is used to store a list of the encrypted files and the other contains status\r\ninformation used by the ransomware.\r\nWhen the encryption is finished, Stampado displays a lock screen that contains a unique ID associated with the\r\nvictim and an email address that is needed to get payment information. The emails currently used by the ransomware are\r\nransom64@sigaint.com and paytodecrypt@sigaint.org. Victims are told to email the associated address for\r\npayment instructions; once payment is made, they receive a key to enter into the lock screen to decrypt the files.\r\nStampado Lock Screen\r\nOn the lock screen there are also two timers, Next Russian Roulette file deletion and Time until total loss. When the\r\nRussian Roulette countdown reaches 0, a randomly selected encrypted file is deleted. Each time the Russian Roulette\r\ncountdown reaches 0, the number of encrypted files deleted is doubled. 
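Added example, not code from the original article, from BleepingComputer or from Emsisoft's decryptor: a small Python triage helper that checks a host's file listing, its HKCU Run entries and a set of SHA-256 sums against the Stampado indicators described above (the .locked suffix on the listed file types, scvhost.exe and the two 32-character hex state files directly under %AppData%, the Run value pointing at scvhost.exe, and the two sample hashes), and turns the 6-hour doubling schedule into a bound on how long the Russian Roulette needs to delete every encrypted file. The sample listing, the Run entries, the user name alice and the all-zero hash are constructed for the example; the modelling of the roulette as 1, 2, 4, ... files per round is an assumption based on the description here. Sample paths use forward slashes, which PureWindowsPath accepts alongside backslashes.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up: targeted extensions, the .locked suffix,
# the dropped copy name, the 32-character hex state files and the two SHA-256
# hashes. Everything under SAMPLE_* below is constructed for this example.
TARGETED_EXTENSIONS = {
    '.jpg', '.jpeg', '.gif', '.bmp', '.c', '.doc', '.docx', '.ppt', '.pptx',
    '.xls', '.xlsx', '.mov', '.mp3', '.cpp', '.au3', '.pas', '.php', '.wav',
    '.wma', '.wmv',
}
LOCKED_SUFFIX = '.locked'
DROPPED_COPY = 'scvhost.exe'   # transposed letters mimic the legitimate svchost.exe
HEX32 = re.compile('[0-9a-f]{32}')
KNOWN_SHA256 = {
    '342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20',
    '78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669',
}

def _directly_under_roaming(p):
    # True for <...>/AppData/Roaming/<file>, i.e. %AppData% itself. PureWindowsPath
    # splits on both / and the native separator, so backslash listings work too.
    parts = [part.lower() for part in p.parts]
    return len(parts) >= 3 and parts[-3:-1] == ['appdata', 'roaming']

def classify_path(path):
    # Returns the indicator a single path matches, or None.
    p = PureWindowsPath(path)
    name = p.name.lower()
    if p.suffix.lower() == LOCKED_SUFFIX:
        # test.jpg.locked -> stem test.jpg -> original extension .jpg; only the
        # extensions the write-up lists are counted as Stampado output.
        if PureWindowsPath(p.stem).suffix.lower() in TARGETED_EXTENSIONS:
            return 'locked_file'
        return None
    if _directly_under_roaming(p):
        if name == DROPPED_COPY:
            return 'dropped_copy'
        if HEX32.fullmatch(name):
            return 'state_file'
    return None

def run_key_persistence(run_entries):
    # run_entries maps HKCU Run value names to their data (bare paths here). The
    # sample uses the value name Windows Update; match on the target instead,
    # since a value name is trivial to change. chr(34) strips surrounding quotes.
    hits = []
    for value_name, command in run_entries.items():
        target = PureWindowsPath(command.strip().strip(chr(34)))
        if target.name.lower() == DROPPED_COPY and _directly_under_roaming(target):
            hits.append(value_name)
    return hits

def hash_matches(sha256_by_path):
    return sorted(p for p, h in sha256_by_path.items() if h.lower() in KNOWN_SHA256)

def roulette_rounds_until_total_loss(locked_count, interval_hours=6):
    # Assumed model of the schedule as the write-up describes it: 1 file at the
    # first 6-hour countdown, twice as many at each following one, so 2**k - 1
    # files are gone after k rounds. Returns (rounds, hours). The separate
    # total-loss timer may fire earlier than this bound.
    if locked_count <= 0:
        return (0, 0)
    rounds = 0
    while 2 ** rounds - 1 < locked_count:
        rounds += 1
    return (rounds, rounds * interval_hours)

def triage(listing, run_entries, sha256_by_path):
    report = {'locked_file': [], 'dropped_copy': [], 'state_file': []}
    for path in listing:
        label = classify_path(path)
        if label:
            report[label].append(path)
    report['run_persistence'] = run_key_persistence(run_entries)
    report['hash_matches'] = hash_matches(sha256_by_path)
    report['roulette_hours'] = roulette_rounds_until_total_loss(len(report['locked_file']))[1]
    return report

# Constructed sample host data (hypothetical user alice; all-zero hash is a placeholder).
SAMPLE_LISTING = [
    'C:/Users/alice/Pictures/holiday.jpg.locked',
    'C:/Users/alice/Documents/report.docx.locked',
    'C:/Users/alice/AppData/Roaming/scvhost.exe',
    'C:/Users/alice/AppData/Roaming/3f1c9a6e2b7d4c0f8e5a1b2c3d4e5f60',
    'C:/Users/alice/AppData/Roaming/a0b1c2d3e4f5061728394a5b6c7d8e9f',
    'C:/Users/alice/AppData/Roaming/Microsoft/Windows/Recent/a0b1c2d3e4f5061728394a5b6c7d8e9f',
    'C:/Windows/System32/svchost.exe',
]
SAMPLE_RUN = {
    'OneDrive': 'C:/Users/alice/AppData/Local/Microsoft/OneDrive/OneDrive.exe',
    'Windows Update': 'C:/Users/alice/AppData/Roaming/scvhost.exe',
}
SAMPLE_HASHES = {
    'C:/Users/alice/AppData/Roaming/scvhost.exe':
        '342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20',
    'C:/Windows/System32/svchost.exe': '0' * 64,
}

if __name__ == '__main__':
    for key, value in triage(SAMPLE_LISTING, SAMPLE_RUN, SAMPLE_HASHES).items():
        print(key, value)
```

On a real host, feed it a recursive listing of %UserProfile%, an export of the HKCU Run key, and SHA-256 sums of everything in the Roaming folder. The two hashes only catch these exact samples; the dropped-copy location, the hex state files and the Run value pointing into Roaming are the indicators that survive a rebuild of the binary. The roulette bound is only as good as the assumed doubling model, so treat it as a prioritisation hint, not a deadline.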
When the Time until total loss timer\r\nreaches zero, all of the encrypted data on the computer will be deleted.\r\nAs already stated, there is no need to pay a ransom to Stampado, as a decryptor has already been made.\r\nFiles associated with the Stampado Ransomware:\r\n%UserProfile%\\AppData\\Roaming\\[random]\r\n%UserProfile%\\AppData\\Roaming\\[random]\r\n%UserProfile%\\AppData\\Roaming\\scvhost.exe\r\nRegistry entries associated with the Stampado Ransomware:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update %UserProfile%\\AppData\\Roaming\\scvhost.exe\r\nIOCs:\r\nSHA-256 Hash: 342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20\r\nSHA-256 Hash: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669\r\nSource: https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/"
	],
	"report_names": [
		"stampado-ransomware-campaign-decrypted-before-it-started"
	],
	"threat_actors": [],
	"ts_created_at": 1775434308,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6ec0cd9de6c5de610edb30bac3ddbd1f331bec7.pdf",
		"text": "https://archive.orkl.eu/d6ec0cd9de6c5de610edb30bac3ddbd1f331bec7.txt",
		"img": "https://archive.orkl.eu/d6ec0cd9de6c5de610edb30bac3ddbd1f331bec7.jpg"
	}
}