Data Keeper Ransomware – An unusual and complex Ransom-as-a-Service platform

Pierluigi Paganini February 26, 2018

The Data Keeper Ransomware that infected systems in the wild was generated by a new Ransomware-as-a-Service (RaaS) service that appeared in the underground recently.

A few days ago a new Ransomware-as-a-Service (RaaS) service appeared in the underground, now samples of the malware, dubbed Data Keeper Ransomware, generated with the platforms are have already been spotted in the wild.

The Data Keeper ransomware was discovered by researchers at Bleeping Computer last week.

“The service launched on February 12 but didn’t actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected.” reads the blog post published by Bleeping Computer.

Anyone can sign up for the RaaS service and activate his account for free and create their samples of the ransomware.

The ransomware encrypted the files with a dual AES and RSA-4096 algorithm, it also attempts to encrypt all networks shares. Once the files are encrypted, the malicious code will place a ransom note (“!!! ##### === ReadMe === ##### !!!.htm“) in each folder it will encrypt files.

The operators behind the Data Keeper RaaS request their users to generate their samples and distribute them, in turn, they offer a share of the ransom fee when victims pay the ransom. It is not clear the percentage of the ransom that is offered to the user.

Affiliates just need to provide the address of their Bitcoin wallet, generate the encryptor binary, and download the malware along with a sample decrypter.

According to the researchers at the MalwareHunterTeam who analyzed the ransomware, even if it is written in .NET language, its quality is high.


The Data Keeper ransomware is complex, it is one of the few ransomware strains that use the PsExec tool. The Data Keeper ransomware uses the PsExec to execute the malicious code on other machines on the victims’ networks.

An interesting characteristic implemented by the Data Keeper ransomware is that it doesn’t append an extension to the names of the encrypted files.

With this trick victims won’t be able to know if the files are encrypted unless they try to open one.

“This is actually quite clever, as it introduces a sense of uncertainty for each victim, with users not knowing the amount of damage the ransomware has done to their PCs.” continues Bleeping Computer.

Another singularity of this RaaS platform is the possibility for affiliates to choose what file types to encrypt, affiliated can also set amount of the ransom.

The platform uses a payment service hosted on the Tor network, it is a common option for many malware.

According to the researchers, many crooks have already signed up for the Data Keeper RaaS and are distributing weaponized binaries in the wild.

The experts at MalwareHunter told Bleeping Computer that one of the groups that is distributing the ransomware is hosting the malicious binaries on the server of a home automation system.

Further technical details and the Indicators of Compromise (IOCs) are included in the post published by Bleeping Computer

Recently other RaaS services were spotted by the experts in the underground, GandCrab and Saturn were discovered in the last weeks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Data Keeper ransomware, RaaS)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment