An .onion “payment/leak” site like that is commonly used by ransomware gangs, but the onion address alone is not enough to reliably identify which ransomware family encrypted your files.
Do this immediately (to limit further damage)
Disconnect the affected PC/server from the network (unplug Ethernet, disable Wi‑Fi). If this is in a business environment, isolate any other systems that may share the same credentials or file shares.
Do NOT delete the ransom note, do NOT rename encrypted files, and do NOT “clean” the system with random tools—preserve evidence.
If encryption is still actively running (disk activity, new files being encrypted), power the machine off to stop it, then keep it offline.
Preserve what you need for identification/recovery
Save a copy of the ransom note text/file (and screenshots).
Save 2–3 encrypted files (non-sensitive if possible) and note the file extension added by the ransomware (example: .locked, .xyz).
If there is a “personal ID” shown in the note, copy it.
If possible, take a full disk image or at least back up the encrypted data before attempting any fixes.
Check safe recovery options (don’t assume a decryptor exists)
If you have offline backups (external drive that was unplugged, immutable/cloud versioning), restore from those after the system is cleaned/rebuilt.
ID Ransomware (identify by note/extension; does not guarantee a decryptor).
Important warnings
Paying is risky: it does not guarantee decryption, and it can invite repeated targeting.
Be cautious of “recovery” services contacting you—many are scams, especially around ransomware cases.
Even if you get files back, you still need to assume credential theft is possible (password changes and checking for data exfiltration may be necessary).
Next step on MalwareTips (best way to get accurate help)
Post in the Ransomware Help / Malware Removal area with:
The ransom note contents (paste text; redact personal data if needed)
The encrypted file extension
A link/screenshot showing the onion address (you already have this)
A couple of encrypted sample files + the original versions if you have them (for comparison)
Any logs requested by the malware removal workflow (Farbar Recovery Scan Tool / FRST is commonly used here—only run it if instructed in that section)
If this involves a business, regulated data, or multiple machines/servers, treat it as an incident and escalate to professional incident response and consider reporting (in the US, IC3/FBI): Internet Crime Complaint Center (IC3).
Conclusion: preserve evidence, isolate the system, and identify the ransomware via the ransom note/extension using reputable resources before attempting any recovery actions.
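The evidence-preservation steps above (save the ransom note, record the appended extension, keep a few encrypted samples without renaming anything) can be scripted so the samples you attach to a help topic are collected consistently and can be shown to be unmodified. The script below is an added example written for this page; it is not code from the original post, from MalwareTips, or from ID Ransomware/FRST. The extension heuristic, the ransom-note name pattern, and the sample file tree built by build_sample_tree() are all constructed assumptions for illustration.

```python
"""Ransomware evidence-triage helper (added example, not from the thread).

Given a directory tree it (1) tallies file extensions to spot the suffix the
ransomware appended, (2) locates files whose names look like ransom notes, and
(3) copies a few sample encrypted files plus the notes into an evidence folder
with a SHA-256 manifest. Originals are only read, never renamed or moved.
"""
import hashlib
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Name fragments typical of ransom notes. Assumption: a heuristic, not a signature.
NOTE_PATTERN = re.compile(
    r"(readme|how.?to.?(decrypt|restore|recover)|decrypt|restore|recover).*\.(txt|html?|hta)$",
    re.IGNORECASE,
)

# Extensions normally present on a workstation; a frequent suffix outside this
# set is the candidate ransomware extension. Assumption: extend for your estate.
COMMON_EXT = {".txt", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png",
              ".exe", ".dll", ".html", ".zip"}


def tally_extensions(root):
    """Count files per lower-cased final extension under root."""
    counts = Counter()
    for p in Path(root).rglob("*"):
        if p.is_file():
            counts[p.suffix.lower()] += 1
    return counts


def guess_ransom_extension(counts, min_count=3):
    """Most frequent uncommon suffix seen at least min_count times, else None."""
    candidates = [(ext, n) for ext, n in counts.items()
                  if ext and ext not in COMMON_EXT and n >= min_count]
    if not candidates:
        return None
    return max(candidates, key=lambda item: item[1])[0]


def find_ransom_notes(root):
    """Paths of files whose names match the ransom-note heuristic."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and NOTE_PATTERN.search(p.name))


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(root, evidence_dir, ext, max_samples=3):
    """Copy ransom notes and up to max_samples files ending in ext into evidence_dir.

    Returns the manifest rows (original path, sha256 of the copy); the same rows
    are written to evidence_dir/manifest.txt so the samples can be re-verified.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    notes = [Path(n) for n in find_ransom_notes(root)]
    samples = sorted(p for p in Path(root).rglob(f"*{ext}") if p.is_file())[:max_samples]
    manifest = []
    for src in notes + samples:
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)          # copy; the original stays untouched
        manifest.append((str(src), sha256_file(dst)))
    with open(evidence_dir / "manifest.txt", "w") as f:
        for path, digest in manifest:
            f.write(f"{digest}  {path}\n")
    return manifest


def build_sample_tree(root):
    """Constructed victim tree: three encrypted documents, one untouched file, one note."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    for name in ("budget.xlsx.locked", "report.docx.locked", "photo.jpg.locked"):
        (root / "docs" / name).write_bytes(b"\x00\x11\x22" + name.encode())
    (root / "docs" / "notes.txt").write_text("untouched file")
    (root / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note text")
    return root


def run_demo():
    """Build the constructed tree in a temp dir, triage it, and return the findings."""
    work = Path(tempfile.mkdtemp(prefix="triage_"))
    root = build_sample_tree(work / "share")
    ext = guess_ransom_extension(tally_extensions(root))
    manifest = collect_evidence(root, work / "evidence", ext)
    return {
        "extension": ext,
        "notes": find_ransom_notes(root),
        "manifest": manifest,
        # Re-hash the originals: every copy must match its source byte for byte.
        "verified": all(sha256_file(path) == digest for path, digest in manifest),
    }


if __name__ == "__main__":
    result = run_demo()
    print("suspected extension:", result["extension"])
    for path, digest in result["manifest"]:
        print(digest, path)
```

Point the functions at a copy of the affected share rather than the live disk where possible, and attach the manifest alongside the samples so a helper can confirm nothing was altered before and after upload; the extension guess is only a starting point for ID Ransomware, not an identification by itself.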
If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.
If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
Press the Scan button and wait a while.
The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
Please attach the content of these two logs in your next reply.
Due to lack of activity, this topic is now closed. You requested help but did not respond to follow-up questions or instructions within three days and your topic has been moved here. If you still need help, open a new topic, and wait for a new helper.