RaaS Keeps Victims Guessing by Not Using Special File Extension

Posted on February 26, 2018
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack
A relatively new ransomware-as-a-service (RaaS) platform keeps victims guessing by not using a special file extension with the files it encrypts. On 22 February, security researchers began seeing reports from users claiming that Data Keeper ransomware had affected their computers. Victims found out about the infections by coming across the "!!! ##### === ReadMe === ##### !!!.htm" note dropped by Data Keeper in each of the folders it encrypts. Alternatively, they might have tried to open a file only to find they couldn't because the threat had encrypted it. Data Keeper doesn't add a special file extension to the files it encrypts, so victims could not have visually determined that something had individually scrambled their files. Like all RaaS platforms, Data Keeper lets interested parties sign up and create weaponized ransomware. This particular threat leverages a dual AES and RSA-4096 algorithm. It also allows is attackers to customize the ransom fee and targeted file types. Even so, it wasn't immediately apparent what percentage of victims' ransom payment an affiliate could expect to keep for themselves.
Data-Keeper-ransom-note.png
Data Keeper's ransom note. (Source: BleepingComputer) Data Keeper is different, however, in that it uses the PsExec remote administration tool to infect other network machines. Security researcher MalwareHunter told Bleeping Computer that the ransomware also contains an unusual amount of protection compared to other .NET-based threats.
The in the wild [Data Keeper ransomware] sample we saw on Thursday consists of 4 layers. The first layer is an EXE that will drop another EXE to %LocalAppData% with a random name and a .bin extension. It then executes it with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters. That second EXE will load a DLL, which will load another DLL containing the actual ransomware that encrypts all the files. All layers have custom strings and resources protection. And then each layer is protected with ConfuserEx.
Bleeping Computer knows of multiple threat actors who are currently pushing out the ransomware. One of those nefarious entities is hosting Data Keeper on the server of a home automation system. All the while, malware developers are continuously updating its binaries to make the threat even more sophisticated. The RaaS has been around since its launch date of 12 February, though it didn't go live until 20 February. It's the third platform to emerge in 2018 so far after Saturn and GandCrab. Acknowledging the persistent threat posed by ransomware-as-a-service platforms like Data Keeper and the amount of effort computer criminals continue to invest into them, users and organizations alike should familiarize themselves with some of the ways they can prevent a ransomware infection. Here are a few of the most well-known and effective tips.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!