Background

DataKeeper is the latest entrant in a growing wave of attacks driven by ransomware-as-a-service (RaaS). The DataKeeper service launched on February 20, 2018, and the malware claimed its first victims two days later.

What does this latest iteration of RaaS-inspired malware mean for computing? The Cylance Threat Research team dug into this emerging threat for answers.


DataKeeper Service Examined

How does one test ransomware that is customized by each ‘customer’ at creation time? Our answer: generate a fresh build through the service and test that.

The first screen capture shows the main configuration page for DataKeeper. It includes a simple four-step list of instructions for customizing the malware and obtaining the decryption key for this particular build.

The second screenshot shows some of the customization options available to subscribers of the DataKeeper service. The threat actor selects which file extensions will be targeted for encryption and can optionally bundle an additional file with the attack. That file executes alongside the ransomware and could serve as a decoy to divert attention or as a payload that performs further operations.

Another screen sets the ransom terms, again with a four-step guide for the user. All payments must be made in Bitcoin (BTC). The page carries a counter that compares the total number of victims with the number who have paid. Ransoms are presumably cashed out by toggling the “Give me my money” switch (Cylance, of course, did not extort anyone to test this feature).

When DataKeeper encrypts a system, it drops the following ransom note in every affected folder. The note tells the victim what to do to regain access to their data and, most importantly, provides links to the decryption keys.
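The "note in every affected folder" behaviour is itself a usable detection signal. The following is an added example, not Cylance's code and not part of DataKeeper: it walks a directory tree and flags folders where a ransom note is present and at least half of the other files have near-random byte entropy, as encrypted data does. The note filename (`HOW_TO_DECRYPT.txt`) and the sample tree are assumptions; the page does not give DataKeeper's real note name, so a deployment would substitute the observed one.

```python
# Added example (not Cylance's or DataKeeper's code): flag directories that carry
# a ransom note alongside high-entropy (likely encrypted) files.
import math
import os
import shutil
import tempfile
from collections import Counter

NOTE_NAME = "HOW_TO_DECRYPT.txt"   # hypothetical; the real DataKeeper note name is not on the page
ENTROPY_THRESHOLD = 7.5            # bits per byte; ciphertext and random data sit near 8.0
SAMPLE_BYTES = 65536               # the first 64 KiB is enough to classify a file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, note_name: str = NOTE_NAME,
              threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Walk `root` and report directories that look encrypted.

    Returns {"note_dirs": [dirs containing the note],
             "suspicious": [(dir, high_entropy_files, data_files), ...]}.
    A directory is suspicious only when the note is present AND at least half of
    the remaining files are high-entropy, so a stray note by itself is not enough.
    """
    note_dirs, suspicious = [], []
    for dirpath, _subdirs, filenames in os.walk(root):
        if note_name not in filenames:
            continue
        note_dirs.append(dirpath)
        data_files = [f for f in filenames if f != note_name]
        high = 0
        for name in data_files:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if shannon_entropy(sample) >= threshold:
                high += 1
        if data_files and high * 2 >= len(data_files):
            suspicious.append((dirpath, high, len(data_files)))
    return {"note_dirs": note_dirs, "suspicious": suspicious}


def build_demo_tree(base: str) -> None:
    """Constructed sample tree: 'docs' mimics an encrypted folder (random bytes stand
    in for ciphertext, plus the note); 'clean' is untouched plaintext; 'stray' has the
    note but only plaintext files and must not be flagged."""
    text = b"Quarterly report: revenue up, costs flat. " * 200
    note = b"Pay in BTC to get the decryptor."
    layout = {
        "docs":  {"a.docx": os.urandom(8192), "b.xlsx": os.urandom(8192),
                  "c.pdf": os.urandom(8192), NOTE_NAME: note},
        "clean": {"notes.txt": text, "todo.txt": text},
        "stray": {"memo.txt": text, NOTE_NAME: note},
    }
    for dirname, files in layout.items():
        os.makedirs(os.path.join(base, dirname), exist_ok=True)
        for fname, content in files.items():
            with open(os.path.join(base, dirname, fname), "wb") as fh:
                fh.write(content)


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return basenames only."""
    base = tempfile.mkdtemp(prefix="dk_demo_")
    try:
        build_demo_tree(base)
        result = scan_tree(base)
        return {
            "note_dirs": sorted(os.path.basename(d) for d in result["note_dirs"]),
            "suspicious": sorted((os.path.basename(d), h, n)
                                 for d, h, n in result["suspicious"]),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The two-signal rule matters in practice: compressed archives and media files are also high-entropy, and a note that a user copied somewhere is not an infection, so neither signal alone should page anyone. Running the scan with only the note name changed is enough to adapt it to a different family.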

Once a victim provides their decryption key, they receive access to the decryptor.

The decryptor is the only known method of recovering the files. Unlike earlier versions of Hermes, the DataKeeper decryptor has not been broken by researchers, so no free recovery tool exists.

Why is DataKeeper Important and Why Should I Be Concerned?

Companies and individuals face a growing threat from ransomware, which is more prolific and costly than ever. Some facts about ransomware that should concern everyone:

  • Ransomware payment amounts per victim increased 266% between 2015 and 2017
  • Ransomware moved from the 22nd most common type of malware in 2014 to the 2nd most common in 2017
  • Ransomware as a Service (RaaS) allows anyone to generate ransomware for distribution and collect payments from victims
  • The number of ransomware families grew by 326% between 2015 and 2016
  • The number of ransomware variants grew by 430% between 2016 and 2017

The easy creation and rising profitability of ransomware means it will remain a serious threat to all of us for the foreseeable future.

Cylance Stops DataKeeper

The average user would be thrilled to discover that their security solution stops ransomware created today. At Cylance, we prefer to exceed our customers' expectations: not only does Cylance detect and prevent present-day DataKeeper builds generated by RaaS subscribers, our customers have been protected against them for over two years.

In testing, a Cylance engine built two years ago detected and prevented DataKeeper samples generated through the RaaS in 2018, demonstrating once again that customers can rely on the predictive power of Cylance's artificial intelligence against both present and future threats.