Cylance vs. DataKeeper


DataKeeper is the latest contender in a rising number of malware attacks driven by ransomware-as-a-service (RaaS). DataKeeper’s ransomware service launched on February 20 of this year. Two days later, the malware claimed its first victims.

What does this latest iteration of RaaS-inspired malware mean for computing? The Cylance Threat Research team dug into this emerging threat for answers.


Data Keeper Service Examined

How does one test ransomware which is customized by each ‘customer’ upon creation? Our answer – create a new version of the malware and test it.

This first screen capture (below) shows the main configuration page for DataKeeper. It includes a simple four-step instruction list for customizing the malware and obtaining a decryption key for this unique instance:

This second screenshot highlights some of the customization options available to subscribers of the DataKeeper service. Here, the threat actor can select a range of file extensions to be targeted for encryption. An additional file can be included in the attack, if desired. This file will execute along with the malware and could be used to divert attention or perform additional operations.

Another screen provides options for setting the ransom. Once again, a four-step instruction guide is provided to the user. All payments must be made in Bitcoin (BTC). The page features a counter that tracks the total number of victims hit by the ransomware against the number of victims who have paid. Ransoms are presumably cashed out by toggling the "Give me my money" switch (NOTE: Cylance, of course, did not ransom anyone to test this feature).

When DataKeeper encrypts a system it leaves the following ransom message file in each affected folder. The message contains instructions for the victim to follow if they want to regain access to their data. Most importantly, it (Read more...)
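The post notes that the ransom message is dropped into every affected folder, which gives defenders a simple, file-system-level signal: the same note file name appearing in many directories at once. The script below is an added illustration of that check and is not Cylance's code or tooling; the note file name, the sample directory tree and the alert threshold are all constructed assumptions, since the post does not give DataKeeper's actual note file name.

```python
import os
import tempfile

# Hypothetical note file name. DataKeeper's real ransom-note name is not given in the post,
# so a defender would substitute the name observed on the affected host.
NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"


def find_note_folders(root, note_name=NOTE_NAME):
    """Return every directory under `root` that contains a file named `note_name`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if note_name in filenames:
            hits.append(dirpath)
    return hits


def note_spread_alert(root, note_name=NOTE_NAME, threshold=3):
    """Raise an alert when the same note file is present in at least `threshold` directories.

    A single copy of a text file is unremarkable; the same file replicated across many
    folders in a tree is the per-folder drop pattern the post describes.
    """
    hits = find_note_folders(root, note_name)
    return {
        "folders_with_note": len(hits),
        "alert": len(hits) >= threshold,
        "paths": sorted(hits),
    }


def build_sample_tree():
    """Create a small constructed directory tree with the note in three of four folders."""
    root = tempfile.mkdtemp(prefix="note_demo_")
    for sub in ("docs", os.path.join("docs", "reports"), "photos", "clean"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    for sub in ("docs", os.path.join("docs", "reports"), "photos"):
        with open(os.path.join(root, sub, NOTE_NAME), "w") as fh:
            fh.write("sample ransom note text (constructed, not the real note)\n")
    # One ordinary file in the untouched folder, so the scan has a true negative.
    with open(os.path.join(root, "clean", "notes.txt"), "w") as fh:
        fh.write("ordinary file\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(note_spread_alert(sample_root))
```

In practice the same walk would be run from a scheduled job or an EDR file-event feed rather than on demand, and the threshold tuned so that a handful of legitimate README-style files scattered through a share do not trip it; the point is that replication of one file name across folders, not the file's contents, is the indicator.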

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team. Read the original post at: