Stampado is the first Ransomware-as-a-Service created by The Rainmaker and "his team." The subsequent variant was Philadelphia. The Stampado RaaS was discovered by researchers in early July 2016, being sold on the dark web for $39, a significantly small sum compared to the other RaaS offerings sold on the dark web for thousands of dollars. The $39 would give attackers a license to use the software, allowing them to use their own custom communication method (email) for extortions. We found no tangible evidence of extortion amounts, but several researchers reported that 1 BTC was the amount of one extortion attempt, which, at the time of compilation, was around $660.
As for the ransomware itself, it was written using AutoIT and used AES-256 asymmetrical encryption to modify files. Some variants would encrypt files and then change the extension to <file name>.locked. Other variants didn't bother to change file extension names; they only encrypted them. Most variants, however, dropped two ransom notes - an executable that invokes a modal with decryption instructions and a traditional readme note titled "How to recover my files.txt." The executable provides a countdown that gives victims 96 hours to pay, or no decryption will be provided. It also performs "Russian Roulette," which deletes a random set of files every 6 hours of nonpayment.
Thankfully, there are three known decryptors for this ransomware since it was poorly written and implemented in AutoIT. Avast, Emsisoft, and Trend Micro are all known to have decryptors for Stampado.
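
The file-system indicators described above (the "How to recover my files.txt" note, the .locked extension, and variants that encrypt without renaming) can be checked during triage. The script below is an added example, not code from the original page or from any vendor; the entropy threshold, the sample size and the constructed demo files are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

NOTE_NAME = "how to recover my files.txt"  # ransom note title from the page
LOCKED_SUFFIX = ".locked"                  # extension some variants append
ENTROPY_THRESHOLD = 7.5                    # assumption: bits/byte cut-off

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, sample_size: int = 65536) -> dict:
    """Walk root and sort files into the three indicator buckets."""
    hits = {"notes": [], "locked": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                hits["notes"].append(path)
            elif name.lower().endswith(LOCKED_SUFFIX):
                hits["locked"].append(path)
            else:  # variants that keep the original name: judge by content
                try:
                    with open(path, "rb") as fh:
                        sample = fh.read(sample_size)
                except OSError:
                    continue  # unreadable file: skip it
                if len(sample) >= 1024 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
                    hits["high_entropy"].append(path)
    return hits

def demo() -> dict:
    # Constructed sample tree; none of these bytes come from a real sample.
    samples = {
        "How to recover my files.txt": b"constructed note placeholder",
        "report.docx.locked": b"x" * 2048,
        "budget.csv": bytes(range(256)) * 16,    # stand-in for ciphertext
        "notes.txt": b"meeting at ten\n" * 200,  # ordinary plain text
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        hits = triage(root)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in hits.items()}
```

Compressed formats (archives, images, modern office documents) also score near 8 bits per byte, so entries in the `high_entropy` bucket are leads to review alongside the note and extension hits rather than confirmations.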