The Data Keeper Ransomware that infected systems in the wild was generated by a new Ransomware-as-a-Service (RaaS) service that appeared in the underground recently.

A few days ago a new Ransomware-as-a-Service (RaaS) service appeared in the underground, now samples of the malware, dubbed Data Keeper Ransomware, generated with the platforms are have already been spotted in the wild.

The Data Keeper ransomware was discovered by researchers at Bleeping Computer last week.

New Dark Web RaaS. Currently offline, but to keep an eye on. http://3whyfziey2vr4lyq[.]onion pic.twitter.com/KDmyGjN0Fw — Catalin Cimpanu (@campuscodi) February 20, 2018

“The service launched on February 12 but didn’t actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected.” reads the blog post published by Bleeping Computer.

Anyone can sign up for the RaaS service and activate his account for free and create their samples of the ransomware.

The ransomware encrypted the files with a dual AES and RSA-4096 algorithm, it also attempts to encrypt all networks shares. Once the files are encrypted, the malicious code will place a ransom note (“!!! ##### === ReadMe === ##### !!!.htm“) in each folder it will encrypt files.

The operators behind the Data Keeper RaaS request their users to generate their samples and distribute them, in turn, they offer a share of the ransom fee when victims pay the ransom. It is not clear the percentage of the ransom that is offered to the user.

Affiliates just need to provide the address of their Bitcoin wallet, generate the encryptor binary, and download the malware along with a sample decrypter.

According to the researchers at the MalwareHunterTeam who analyzed the ransomware, even if it is written in .NET language, its quality is high.

So, looked at DataKeeper ransomware…

Important / notable things:

– it's secure

– it's one of the few RWs that uses PsExec & it should be the 1st .NET RaaS that uses PsExec at all

– not seen any .NET ransomware before which was protected like this.@BleepinComputer @demonslay335 — MalwareHunterTeam (@malwrhunterteam) February 22, 2018

The ITW sample we seen yesterday consists of 4 layers:

First layer is an exe, which will drop another exe to %LocalAppData% with random name & .bin extension, then executes it (WindowStyle.Hidden, Priority.BelowNormal).

That 2nd exe will load a dll, which will load another dll. — MalwareHunterTeam (@malwrhunterteam) February 23, 2018

All layers have a custom strings and resources protection. And then each layer are protected with ConfuserEx.

Sounds like someone is paranoid…

?

? — MalwareHunterTeam (@malwrhunterteam) February 23, 2018

The Data Keeper ransomware is complex, it is one of the few ransomware strains that use the PsExec tool. The Data Keeper ransomware uses the PsExec to execute the malicious code on other machines on the victims’ networks.

An interesting characteristic implemented by the Data Keeper ransomware is that it doesn’t append an extension to the names of the encrypted files.

To extend what mentioned on the screenshot, it not only not adds an extension, but when encrypting a file, it first reads the lastWriteTime value of it, and after encryption it sets back that value, so you can't even find encrypted files this way… pic.twitter.com/8dadtwXUvW — MalwareHunterTeam (@malwrhunterteam) February 24, 2018

With this trick victims won’t be able to know if the files are encrypted unless they try to open one.

“This is actually quite clever, as it introduces a sense of uncertainty for each victim, with users not knowing the amount of damage the ransomware has done to their PCs.” continues Bleeping Computer.

Another singularity of this RaaS platform is the possibility for affiliates to choose what file types to encrypt, affiliated can also set amount of the ransom.

The platform uses a payment service hosted on the Tor network, it is a common option for many malware.

According to the researchers, many crooks have already signed up for the Data Keeper RaaS and are distributing weaponized binaries in the wild.

The experts at MalwareHunter told Bleeping Computer that one of the groups that is distributing the ransomware is hosting the malicious binaries on the server of a home automation system.

Further technical details and the Indicators of Compromise (IOCs) are included in the post published by Bleeping Computer

Recently other RaaS services were spotted by the experts in the underground, GandCrab and Saturn were discovered in the last weeks.

Pierluigi Paganini

(Security Affairs – Data Keeper ransomware, RaaS)

Share this...

Linkedin Reddit Pinterest

Share On