According to a latest malware research just two days after malware developers released the Data Keeper Ransomware RaaS (Ransomware-as-a-Service) on the Dark Web, then it is spotted that the ransomware strain released on this portal have already been detected in the wild that rapidly spreading to a huge number of system users worldwide. According to a latest research revealed that the Data Keeper Ransomware is a the third most deadly strain that offered as a RaaS this ongoing year after Saturn and GrandCrab.
Yet Another RaaS That Opens Gates For Every New Aspiring Cyber Criminals
This service is released on February 12 but it did not really come online until February 20 and by February 22, security analysts started reporting about the culprit by seeing the first victims register complain about the ransomware attack. Similar to Saturn RaaS DataKeeper also anyone sign up for the service and let them generate weponized binaries right there without paying any fees to activate their account. This Data Keeper Ransomware kinds of threats encouraging the system users to generate ransomware samples and deliver to them the victims with a profit of receiving the share of the ransom fee in case of victims payment to decrypt their files. But when the Saturn variant made up their commission known upfront (around 30% of the ransom fees) but the DataKeeper does not disclose the amount of ransom fees of Bitcoin they take from their affiliates.
Security Researchers Said DataKeeper A Well Coded Ransomware
As the ransomware is generated through DataKeeper RaaS is coded in .NET and .NET ransomware is generally identified as a low grade system threat but this one is keep up in that order of the .NET malware noobs. It is observed that the DataKeeper uses 4 layers. These of the four layers work as
The very first layer is an EXE that will drop another EXE to %LocalAppData% using a random name and a “.bin” extension. Then It runs with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters.
The second EXE will load a DLL that will load another DLL holding the actual ransomware that encrypts all of the files. All layers have string protection and custom features, like “And every layer is protected with ConfuserEx”.
This is an uncommonly complex level of protection compared to. NET Ransomware is troves that floated online last year.
In addition, it is also one of the few ransomware solutions that uses PsExec, which is a command-line remote management tool. DataKeeper uses PsExec to run ransomware on other machines in infected users networks.
DataKeeper uses dual AES and RSA-4096 cipher algorithm to encrypt your files but it doesn’t add any special file extension to the compromised files. It try to make an environment that you can not assume that how much the ransomware make damage on system. The only visible sign of the ransom attack is the file called “!!! ##### === ReadMe === ##### !!!.htm” that keeps DataKeeper ransomware in each of the encrypted folders. Infected victims instructed to follow the Dark Web for more about the decryption information.
Malware developers updated their codes daily so you should be always stay alert and secure using various security measures to save your system from ransomware threats like Data Keeper Ransomware RaaS.