Another RaaS opens its gates for everybody

This day begins with another cybersecurity problem. Cybercriminals just released another Ransomware-as-a-Service (RaaS) named Data Keeper. The new strain is available on various Dark Web markets, and it will cause some severe damage if no cybersecurity solution is developed fast.

Data Keeper can be used by anyone because the access to its service is free, anyone can generate weaponized binaries right away, without having to pay a fee to activate an account meaning the infections numbers will be high and that is why the presence of antivirus is a must in every device.

Data Keeper cybercriminals are encouraging users to generate ransomware samples and distribute them to victims, with the promise of receiving a share of the ransom fee.
Our team was looking for a cybersecurity solution regarding, Data Keeper ransomware, after analyzing it our team concluded that it is well-coded in .NET.

Data Keeper ransomware comes in the form of an EXE that will drop another EXE to %LocalAppData% with a random name and a .bin extension. Then it runs is with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters.
Second EXE will also load a DLL containing the actual ransomware that encrypts all the files. This ransomware has his protection from ConfuserEx; this protection is making life hard for our researchers during the process of developing a cybersecurity solution.

It is an unusual, sophisticated level of protection when compared to other versions of .NET ransomware. Data Keeper doesn’t use a special extension at the end of encrypted files, meaning victims won’t be able to tell what files are encrypted unless they try to open one which is another smart method used by the cybercriminals to make things hard for everybody. As you see even ransomware have their protection, this is why leaving your device unprotected by a strong antivirus is one of the biggest mistakes you could make.

Data Keeper lets every user select what file types to target and what ransom fee is demand back for decryption.
The only sign left by this cybersecurity problem is a file named !!! ##### === ReadMe === ##### !!!.htm in every folder it encrypts files.
If Data Keeper infects a company’s computers, they will have to pay to unlock each computer at a time. This means a simple infection can reach staggering costs for some companies that did not have backups. If you are a company or an individual user, don’t let your devices unprotected by a cybersecurity solution.

We saw cybercriminals updating this particular ransomware binary from day to day, meaning they are fine-tuning their attacks, because of this everyone should tune their cybersecurity too with a Mac antivirus or Windows antivirus depending on what system do they use.

IOCs:
Encrypter: 912bfac6b434d0fff6cfe691cd8145aec0471aa73beaa957898cfabd06067567
Decrypter: 8616263bdbbfe7cd1d702f3179041eb75721b0d950c19c2e50e823845955910d
Ransomware note text:
All files in this directory have been encrypted.
For decrypt files:
Download Tor Browser
Run it
For create decryption keys, copy link at the bottom of this page and paste to the address bar and go it
If count of links greather than one, next link must be added ONLY AFTER PAYMENT FOR PREVIOUS KEY.
Links for create decryption keys:
(Do not change the “token” parameter otherwise your data will be lost)