Remove Stampado Ransomware and Restore .locked Files - How to, Technology and PC Security Forum |

Remove Stampado Ransomware and Restore .locked Files


Stampado is the name of ransomware, which appeared on the Dark Web earlier this week. Offered as a Ransomware-as-a-Service (RaaS) for only 39$ and a full-time license, this piece of malware is fairly accessible to cybercriminals. Heavily advertised as being very cheap, buyers are expected to show up. The ransomware encrypts files while adding the .locked extension to them. Read the whole article to find out how you can stop the ransomware and possibly decrypt any encrypted data.

Threat Summary

Short DescriptionThe ransomware will encrypt all of your important files and display a well-written ransom note, giving out sufficient details about ransom payment.
SymptomsThe ransomware will encrypt files with .locked extension appended to every file.
Distribution MethodExploit Kits, Spam Emails, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Stampado


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Stampado.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Stampado Ransomware – Distribution Ways

Stampado ransomware is being promoted on the Dark Web with the help of aggressive advertisement campaigns, according to Heimdal’s security blog. Also, at the time of writing, no samples with the malicious code have been found in the wild. The ransomware is sold for 39 US dollars for a lifetime license. By being so cheap on the market, the ransomware is bound to find buyers. With no malware samples to examine, researchers cannot yet tell if this crypto-virus can be decrypted.


In the future, Stampado can be distributed in different ways, depending on how cyber crooks decide to infect users. Exploit kits, spam emails with malicious attachments, targeted attacks, social media and file sharing networks are the broader set of the possible distribution tactics. Be extremely careful when you click on various online content, what privileges you set in documents and about browsing in suspicious web space.

Stampado Ransomware – Technical Overview

Stampado is the name given to a very recent ransomware. The origin of the name allegedly comes from Italian, meaning “to print” or “to press.” The ransomware even has a presentation video on the Dark Web eliciting its capabilities and strong suits. Clearly, it does not require administrator privileges, as most modern ransomware viruses. It will lock data with the very well-known .locked file extension

Stampado ransomware creates a copy of itself to this location:


Afterward, Stampado creates the following registry key:

→HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”Windows Update” = “%AppData%\scvhost.exe”

The above registry entry makes the ransomware persistent, because it will make it start automatically with each start of the Windows operating system.

When the encryption process is complete Stampado ransomware leaves a ransom note written in proper English and very few ransomware viruses can boast about the same. Here is how that ransom note looks like, by default:


The text from the ransom note is the following:

All your files is have Been encrypted.
The All your files is have Been encrypted!
The All your documents (databases, texts, the images, the videos, the musics etc) Were encrypted of The encryption WAS done The using the a secret key That is now! Just on Our servers.
to decrypt your files you will need to buy the secret key from us. Are the only for We the world on the who CAN Provide the this for you.
The Note That every 6 hours, a random file is permanently deleted The faster you are. the less See files is you will of Lose.
Also, in 96 hours, the key will of the BE permanently deleted and there will of the BE the no way of Recovering your files is.
for What CAN I of do?
Contact us by an email telling your ID (the below) and: wait for us to the instructions the send.
Contact us by an email
of As a proof, you CAN the send one’s encrypted file SO we will of the send IT back decrypted. IT as with a the Use That we CAN guarantee your decrypt the files is.
The Next Russian Rollette file deletion:
5 hours, 44 minutes and 59 seconds
Time The total loss The until:
3 days, 23 hours, 44 minutes and 59 seconds

From the ransom note, we can see that files which are going to be encrypted are associated with:

  • Databases
  • Texts
  • Images
  • Videos
  • Music

Those are the most important and very personal files of every user. The ransomware can use executable files, like .exe and .bat, but also .scr, .dll and .cmd files for the delivery of its payload and all other malicious activities. That makes the ransomware flexible and with all other characteristics combined can make it the preferable choice among cyber criminals.

According to Symantec, some of the files that Stampado ransomware searches to encrypt have the following extensions:

→.7z, .avi, .bmp, .doc, .docx, .flv, .gif, .html, .jpeg, .jpg, .mov, .mp3, .mp4, .pdf, .ppt, .pptx, .rar, .txt, .wav, .wma, .wmv, .xls, .xlsx, .xml, .zip

The Stampado ransomware provides 96 hours for victims to make the needed payment of the ransom. The default ransom price is put at 1 Bitcoin, which is a huge amount considering what criminals pay for it. The most intriguing feature of Stampado is that if 96 hours pass without payment, a Russian roulette is triggered – every 6 hours a random file will get deleted.

If you stumble upon this ransomware, do not pay the ransom. Nobody can make a guarantee that you will restore all of your data. Save your most important files somewhere safe (not on the computer) and wait for a possible way of recovery or decryption. Let’s hope some flaw in the ransomware is found sooner than later.

Stampado ransomware is not described whether it erases the Shadow Volume Copies from the Windows operating system. That is interesting, although it is most likely one of the basic features of the virus.

Remove Stampado Ransomware and Restore .locked Files

If your computer machine got infected with the Stampado ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible before it encrypts other files and spreads deeper in the current network. The recommended action here is for you to remove the ransomware completely by following the step-by-step instructions guide given down below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share