U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Data Keeper Ransomware – An unusual and complex Ransom-as-a-Service platform

The Data Keeper Ransomware that infected systems in the wild was generated by a new Ransomware-as-a-Service (RaaS) service that appeared in the underground recently. A few days ago a new Ransomware-as-a-Service (RaaS) service appeared in the underground, now samples of the malware, dubbed Data Keeper Ransomware, generated with the platforms are have already been spotted in […]

Data Keeper RaaS

The Data Keeper Ransomware that infected systems in the wild was generated by a new Ransomware-as-a-Service (RaaS) service that appeared in the underground recently.

A few days ago a new Ransomware-as-a-Service (RaaS) service appeared in the underground, now samples of the malware, dubbed Data Keeper Ransomware, generated with the platforms are have already been spotted in the wild.

The Data Keeper ransomware was discovered by researchers at Bleeping Computer last week.

https://twitter.com/campuscodi/status/965970297466834945

“The service launched on February 12 but didn’t actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected.” reads the blog post published by Bleeping Computer.

Anyone can sign up for the RaaS service and activate his account for free and create their samples of the ransomware.

The ransomware encrypted the files with a dual AES and RSA-4096 algorithm, it also attempts to encrypt all networks shares. Once the files are encrypted, the malicious code will place a ransom note (“!!! ##### === ReadMe === ##### !!!.htm“) in each folder it will encrypt files.

The operators behind the Data Keeper RaaS request their users to generate their samples and distribute them, in turn, they offer a share of the ransom fee when victims pay the ransom. It is not clear the percentage of the ransom that is offered to the user.

Affiliates just need to provide the address of their Bitcoin wallet, generate the encryptor binary, and download the malware along with a sample decrypter.

According to the researchers at the MalwareHunterTeam who analyzed the ransomware, even if it is written in .NET language, its quality is high.

 

The Data Keeper ransomware is complex, it is one of the few ransomware strains that use the PsExec tool. The Data Keeper ransomware uses the PsExec to execute the malicious code on other machines on the victims’ networks.

An interesting characteristic implemented by the Data Keeper ransomware is that it doesn’t append an extension to the names of the encrypted files.

With this trick victims won’t be able to know if the files are encrypted unless they try to open one.

“This is actually quite clever, as it introduces a sense of uncertainty for each victim, with users not knowing the amount of damage the ransomware has done to their PCs.” continues Bleeping Computer.

Another singularity of this RaaS platform is the possibility for affiliates to choose what file types to encrypt, affiliated can also set amount of the ransom.

The platform uses a payment service hosted on the Tor network, it is a common option for many malware.

According to the researchers, many crooks have already signed up for the Data Keeper RaaS and are distributing weaponized binaries in the wild.

The experts at MalwareHunter told Bleeping Computer that one of the groups that is distributing the ransomware is hosting the malicious binaries on the server of a home automation system.

Further technical details and the Indicators of Compromise (IOCs) are included in the post published by Bleeping Computer

Recently other RaaS services were spotted by the experts in the underground, GandCrab and Saturn were discovered in the last weeks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Data Keeper ransomware, RaaS)

[adrotate banner=”5″]

[adrotate banner=”13″]