First spotted by cyber-security experts at Bleeping Computer, Data Keeper is provided as a Ransomware-as-a-Service (RaaS) program on the Dark Web, and requires no fee
A new ransomware is circulating on the Web. First discovered by cyber-security experts at Bleeping Computer, the malware is provided as a Ransomware-as-a-Service (RaaS) on the Dark Web. The service launched on February 12 but did not actually come online until February 20. Two days later, the first victims started to report infections. As the Italian CERT (Computer Emergency Response Team) points out, “anyone can sign up for the service on the Data Keeper portal, and immediately generate custom executable files of the ransomware, without having to pay a fee to activate an account. Furthermore, the service operators behind Data Keeper are encouraging users to spread their creations by promising them a reward in Bitcoins” for every victim that decides to pay the ransom. This kind of affiliate scheme is similar to that of other recent ransomware families, such as Saturn.
Data Keeper generates the malware as Microsoft .NET Framework code. It consists of four layers
According to the Italian CERT, cyber-security experts at MalwareHunterTeam found that the malware generated through Data Keeper is coded using the Microsoft .NET Framework. The malicious software consists of four layers. The first layer is an executable file (“.exe”) that acts as a “dropper”, creating another executable in the LocalAppData folder. This file has a random name and a “.bin” extension, and is then executed with “ProcessPriorityClass.BelowNormal”. That second executable loads a DLL (third layer), which in turn loads another DLL (fourth layer) containing the actual ransomware that encrypts the files on the victim’s computer. All layers use custom string and resource protection, and each layer is additionally protected with ConfuserEx, an open-source protector for .NET applications.
The ransomware can encrypt various types of extensions: image, video and audio files, documents, backups, archives, and databases
Another specific feature of Data Keeper is its use of PsExec, a command-line remote administration tool, to execute the ransomware on other devices in the victim’s network as well. Once launched, the malware uses a combined AES and RSA-4096 scheme to encrypt files locally. It also attempts to encrypt every network share it can access. The malicious code selects which file types to target according to its configuration. Data Keeper can encrypt various types of extensions: image, video and audio files, documents, backups, archives, and databases.
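Two of the behaviours described above, a randomly named “.bin” executable dropped into LocalAppData (the second layer) and PsExec being pointed at other hosts, can be turned into a simple detection over process-creation telemetry. The following is an added example, not code from the article or from any vendor; the “parent|image|command_line” event format and the sample events are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in a hypothetical "parent|image|command_line"
# format; illustrative only, not real telemetry from a Data Keeper infection.
SAMPLE_EVENTS = [
    r"C:\Users\alice\Downloads\invoice.exe|C:\Users\alice\AppData\Local\kq83jd.bin|C:\Users\alice\AppData\Local\kq83jd.bin",
    r"C:\Windows\explorer.exe|C:\Program Files\Tool\tool.exe|tool.exe --update",
    r"C:\Users\alice\AppData\Local\kq83jd.bin|C:\Tools\PsExec.exe|PsExec.exe \\FILESRV01 -s -d C:\Windows\Temp\svc.exe",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\notepad.exe|notepad.exe",
    r"C:\Windows\System32\cmd.exe|C:\Tools\PsExec.exe|PsExec.exe -?",
]

# An executable with a ".bin" extension sitting directly in %LocalAppData% (the article's second layer).
LOCALAPPDATA_BIN = re.compile(r"\\AppData\\Local\\[^\\]+\.bin$", re.IGNORECASE)
# The PsExec client binary (Sysinternals ships PsExec.exe and PsExec64.exe).
PSEXEC_IMAGE = re.compile(r"\\PsExec(64)?\.exe$", re.IGNORECASE)
# A "\\host" argument means PsExec is being aimed at a remote machine rather than run locally.
REMOTE_TARGET = re.compile(r"(^|\s)\\\\[\w.-]+")


def parse_event(line: str) -> Dict[str, str]:
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the Data Keeper-style indicators a single event matches (empty list if none)."""
    hits: List[str] = []
    if LOCALAPPDATA_BIN.search(event["image"]):
        hits.append("bin_dropped_in_localappdata")
    if PSEXEC_IMAGE.search(event["image"]) and REMOTE_TARGET.search(event["cmdline"]):
        hits.append("psexec_remote_execution")
        # Strongest signal: the remote execution was spawned by the ".bin" second layer itself.
        if LOCALAPPDATA_BIN.search(event["parent"]):
            hits.append("bin_layer_spawned_psexec")
    return hits


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over raw event lines and keep only the events that matched."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            findings.append({"image": ev["image"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Legitimate administrators also run PsExec, so the remote-execution match on its own is a lead to triage, while the chained match (PsExec spawned by a .bin under LocalAppData) is the one worth paging on.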
Unlike the majority of ransomware families, Data Keeper does not add a special extension to the encrypted files. Once the encryption stage is complete, the malicious code places a ransom note in each encrypted folder
After the attack, the victim is asked to pay a ransom of 500 to 1,500 dollars in Bitcoins to obtain the decryption key. The Data Keeper ransom note informs the victim that his/her files have been encrypted and provides instructions on how to regain access to them. The ransom fee to unlock the files varies from case to case, as the distributors are allowed to configure its amount. Generally, the request is between 500 and 1,500 dollars in Bitcoins. The Italian CERT, as always, discourages victims from paying the ransom so as not to foster this kind of criminal activity. Currently, though, the most common antivirus software seems to show a fairly high capacity to identify Data Keeper strains.