Dirt cheap ransomware selling for as little as $39 on the dark web has security experts concerned the low price coupled with its potency could trigger a wave of new infections.
The ransomware is called Stampado. Besides its hallmark low price, it is also unusual in that it threatens to delete files every six hours post-infection.
According to researchers at Heimdal Security Software, the ransomware is similar in technical functions and techniques to CryptoLocker. CryptoLocker is a sophisticated Trojan that uses advanced techniques such as File System Tunneling to avoid detection.
Computers infected by Stampado are given 96 hours to pay 1 bitcoin ($660) to decrypt files, according to Heimdal Security. Post-infection, attackers threaten to delete one encrypted file from the infected system every six hours until the ransom is paid.
The sales pitch for the ransomware on the dark web is straightforward. The ransomware is priced at $39 and comes with a lifetime license. Comparable ransomware sold on the dark web can range in price from a few hundred dollars to a few thousand dollars. CryptoLocker sold for $3,000 in 2015, according to Heimdal Security. Ransomware-as-a-service, where buyers rent but do not own the ransomware code, can cost as little as $50 for a set period of time.
“Given the price and how it mimics other ransomware such as Jigsaw and CryptoLocker, I suspect the people behind this ransomware are technically unsophisticated script kiddies,” said computer forensics expert Lawrence Abrams who maintains the BleepingComputer website.
Researchers say they have not spotted Stampado in live campaigns yet.
The authors behind the dark web sale of Stampado, it appears, have stolen from the marketing playbook of late night infomercials. The pitch reads:
“You always wanted a Ransomware but never wanted to pay Hundreds of dollars for it? This list is for you! Stampado is a cheap and easy-to-manage ransomware, developed by me and my team. It’s meant to be really easy-to-use. You’ll not need a host. All you will need is an email account.”
Heimdal Security told Threatpost that the technical analysis of Stampado is forthcoming, so many question marks still remain as to its capabilities.
“The differences between Stampado and other ransomware currently being spread reside more in the social engineering techniques used and in the pricing,” Heimdal Security said.
The company reports that Stampado typically arrives as a file with the extension EXE, BAT, DLL, SCR, or CMD, which delivers the ransomware payload. The ransomware encrypts files and changes the file extension to .locked.
“Victims will receive instructions on how to get their data back if they email the attackers at ‘teste [at] email [dot] com’. To show that they will retrieve their data, Stampado makers promise to decrypt one file as a guarantee and then provide payment instructions for the decryption key,” Heimdal Security told Threatpost.
Stampado joins a recent wave of simple, if not hastily constructed, ransomware. For months, the makers of Jigsaw ransomware have continued their assault against victims despite the fact that its encryption scheme has been defeated by security researchers. Another ransomware, Ranscam, recently discovered by Cisco’s Talos Security Intelligence and Research Group, simply deletes files instead of encrypting them.