Data Keeper Ransomware Makes First Victims Two Days After Release on Dark Web RaaS

Solarquest

Two days after crooks started advertising the Data Keeper Ransomware-as-a-Service (RaaS) on the Dark Web, ransomware strains generated on this portal have already been spotted in the wild, infecting the computers of real-world users.

Spotted earlier this week by Bleeping Computer, Data Keeper is the third ransomware strain offered as a RaaS offering this year, after Saturn and GandCrab.

Another RaaS opens its gates for everybody
The service launched on February 12 but didn't actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected.

Just like the Saturn RaaS, Data Keeper lets anyone sign up for the service and lets them generate weaponized binaries right away, without having to pay a fee to activate an account.
...
...
Data Keeper ransomware looks well-coded
The ransomware generated via the Data Keeper RaaS is coded in .NET, and while .NET ransomware is usually considered the bottom of the barrel regarding ransomware quality, this one appears to be written by someone more adept than the usual mob of .NET malware noobs.

"The in the wild [Data Keeper ransomware] sample we saw on Thursday consists of 4 layers," said MalwareHunter, a security researcher who helped Bleeping Computer analyze the ransomware for this article.

"The first layer is an EXE that will drop another EXE to %LocalAppData% with a random name and a .bin extension. It then executes it with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters," MalwareHunter says.
...
...
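
Added example (not part of the article or the original post): the first-layer behaviour quoted above, an executable written to %LocalAppData% with a .bin extension and then run, can be hunted for in process-creation logs. The Sysmon-style field names (`Image`, `ParentImage`), the JSON-lines layout and every sample record below are constructed assumptions.

```python
import json
import re

# Executed image with a .bin extension anywhere under a user's AppData\Local.
# Case-insensitive because Windows paths are.
LOCALAPPDATA_BIN = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\(?:[^\\]+\\)*[^\\]+\.bin$",
    re.IGNORECASE,
)

# Constructed process-creation records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"UtcTime": "2018-02-22 10:01:07", "Image": "C:\\Users\\alice\\AppData\\Local\\kqzvtrpa.bin", "ParentImage": "C:\\Users\\alice\\Downloads\\invoice.exe"}
{"UtcTime": "2018-02-22 10:02:11", "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\App\\app.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2018-02-22 10:03:40", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2018-02-22 10:05:02", "Image": "c:\\users\\BOB\\appdata\\local\\Temp\\x9.BIN", "ParentImage": "c:\\users\\BOB\\Desktop\\setup.exe"}
<truncated record>
"""


def find_bin_executions(log_text):
    """Return process-creation events whose image is a .bin under AppData\\Local."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged or partial records instead of aborting the hunt
        if not isinstance(event, dict):
            continue
        image = event.get("Image", "")
        if LOCALAPPDATA_BIN.match(image):
            hits.append({
                "time": event.get("UtcTime"),
                "image": image,
                "parent": event.get("ParentImage"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bin_executions(SAMPLE_EVENTS):
        print(f'{hit["time"]}  {hit["image"]}  (parent: {hit["parent"]})')
```

Legitimate software rarely executes a file with a .bin extension, so a hit is worth triaging together with its parent process.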


