Ransomware-as-a-service (RaaS) platforms are helping criminals to launch quick and easy attack campaigns in exchange for a cut of the profits. Researchers have spotted new operations emerge already during the first two months of 2018 alone.
A few days ago a new Ransomware-as-a-Service (RaaS) service appeared in the underground, now samples of the malware, dubbed Data Keeper Ransomware, generated with the platforms are have already been spotted. Brought online just two days after Saturn was discovered, Data Keeper is the third RaaS platform we’ve seen launched in four weeks. Though it has similarities to the ones discovered earlier this year this one is more sophisticated. It is one of the few ransomware strains that use the PsExec tool. The Data Keeper ransomware uses the PsExec, a command line based remote administration tool to execute the malicious code on other machines on the victims’ networks.
The ransomware generated via the Data Keeper RaaS is coded in .NET and is very well coded. Currently there are no free decryption tools available for decrypting this ransomware. The service launched on February 12 but didn’t actually come online until February 20, and two days later, security researchers were already reporting seeing the first victims complaining of getting infected. Data keeper lets anyone sign for the service and create samples of ransomware without having to pay a fee to activate an account just like Saturn ransomware. Data keeper authors are encouraging users to distribute the ransomware samples to the victims by promising them to have a share of the ransom fee incase if the victim pays to decrypt their files. The authors behind Data Keeper have not disclosed the amount of the cut they take from each successful ransom.
Data Keeper ransomware doesn’t use a special file extension. Victims infected with versions of this ransomware will have their files encrypted with a dual AES and RSA-4096 algorithm. Data Keeper also tries to encrypt all networks shares it can access. It doesn’t add a special extension at the end of the file, that’s how the victims would be uncertain to tell which files are encrypted unless they try to open them manually. According to MalwareHunterTeam, when encrypting a file, it first reads the lastWriteTime value of it, and after encryption it sets back that value, so you can’t even find encrypted files in this way
The RaaS platform allows the attacker to select which files the ransomware will encrypt i.e different versions of Data Keeper will encrypt different files for each victim. The only visible sign that victims have been infected is the “!!! ##### === ReadMe === ##### !!!.htm” file that Data Keeper places in each folder it encrypts files.
According to MallwareHunterTeam, the first layer is an EXE that will drop another EXE to %LocalAppData% with a random name and a .bin extension. It then executes it with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters. That second EXE will load a DLL, which will load another DLL containing the actual ransomware that encrypts all the files. All layers have custom strings and resources protection,” he says. “And then each layer is protected with ConfuserEx.
The ransom fee varies from victim to victim. The platform uses a payment service hosted on the Tor network. The Infected users are told to access a Dark Web URL for more information on the steps necessary to pay the ransom fee and receive a decrypter that will unlock their files. It has been brought to notice that one of the distributors of variant of data keeper is hosting malicious binaries on the server of home automation system. Criminals are fine-tuning their attacks day by day and are not just performing a simple test run.
Below is the ransom note:
How to protect from the Data Keeper Ransomware:
- Use multi-layered antivirus in your system
- Make sure that all systems and software are up-to-date with relevant patches
- Employ content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.
- Do not click on links or download attachments in emails received from unknown sources
- Beware of suspicious emails and pop-ups
- Backup your data