A relatively new ransomware-as-a-service (RaaS) platform keeps victims guessing by not using a special file extension with the files it encrypts.

On 22 February, security researchers began seeing reports from users claiming that Data Keeper ransomware had affected their computers.

Victims found out about the infections by coming across the “!!! ##### === ReadMe === ##### !!!.htm” note dropped by Data Keeper in each of the folder it encrypts. Alternatively, they might have tried to open a file only to find they couldn’t because it the threat had encrypted it. Data Keeper doesn’t add a special file extension to the files it encrypts, so victims could not have visually determined that something had individually scrambled their files.

Like all RaaS platforms, Data Keeper lets interested parties sign up and create weaponized ransomware. This particular threat leverages a dual AES and RSA-4096 algorithm. It also allows is attackers to customize the ransom fee and targeted file types. Even so, it wasn’t immediately apparent what percentage of victims’ ransom payment an affiliate could expect to keep for themselves.

Data Keeper’s ransom note. (Source: BleepingComputer)

Data Keeper is different, however, in that it uses the PsExec remote administration tool to infect other network machines. Security researcher MalwareHunter told Bleeping Computer that the ransomware also contains an unusual amount of protection compared to other .NET-based threats.

The in the wild [Data Keeper ransomware] sample we saw on Thursday consists of 4 layers. The first layer is an EXE that will drop another EXE to %LocalAppData% with a random name and a .bin extension. It then executes it with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters. That second EXE will load a DLL, which will load another DLL containing the actual ransomware that encrypts all the files. All layers have custom strings and resources (Read more...)