Datakeeper Ransomware Removal Guide

Do you know what Datakeeper ransomware is?

The Datakeeper ransomware, originally spelt Data Keeper, is a ransomware-as-a-service (RaaS) platform allowing everyone interested in ransomware, which is now becoming a type of business on the dark web, earn easy money. RaaS models can be used without any technical knowledge in programming, which is considered to be the reason of the spike in ransomware attacks. The Datakeeper ransomware, detected in January 2018, is available at no charge. However, the authors of the RaaS take their part every time the victim pays a ransom.

The Datakeeper ransomware provides affiliates with quite a few properties and options to choose from to make a unique output executable. For example, it is possible to configure the payment and attach a file in the format of .pdf, .doc, .xls, to mention just a few. Additionally, it is possible to choose what extension will be encrypted even though Datakeeper offers its default set of file extensions. A threat created using the Datakeeper ransomware can be set to attempt running administrative rights. Once these rights are obtained, the infection deletes system points.

Ransomware threats created using the Datakeeper ransomware are coded in .NET, which usually suggests that the author of a threat may not have sufficient skills to build something more sophisticated. To many researchers' surprise, the sample analyzed was found to have four layers, which are unusual for this type of coding. Firstly, an executable file downloads another randomly named .exe file with the extension .bin to %LocalAppData%. The executable dropped loads a .dll file which loads one more .dll file containing the actual threat which encrypts files. All the layers were found to have custom strings and resources protection. Additionally, the remote administrative tool PsExec is employed to spread the ransomware to other devices connected to the affected network.

The victim's data is taken hostage using a combined AES and RSA-4092 algorithm. Moreover, a threat based on the Datakeeper rasomware also attempts to encrypt network shares at its reach.

Interestingly, unlike the vast majority of ransomware infections, Datakeeper does not mark affected files with any file extension. Usually, the victim learns about the problem by the extension added to each file. In a case with a Datakeeper-based threat, the victim does not see what files are encrypted without trying to open them. However, the Datakeeper RaaS creates ransom note files just as many other ransomware threats. A ransom note file is named "!!! ##### === ReadMe === ##### !!!" and is provided in a .html format. Such a file is created in every affected directory.

The ransom note of the Datakeeper ransomware instructs the victim to install the Tor browser and access a given website for more information. Since the Datakeeper ransomware has the feature of configuring the ransom fee, each case is different. A shared feature is that the Datakeeper ransomware uses the Bitcoin cryptocurrency, which has become highly preferred by ransomoware developers because of its anonymous nature. It is important to ignore the requirements provided by the threat and remove the very infection, because there are no guarantees that the attackers will offer a fix.

To prevent data loss, it is essential to back up data to a separate device or a cloud that would not be reached by the infection. Moreover, it is important to be aware of possible ways of ransomware infiltration. For example, ransomware is very often spread by phishing emails containing obfuscated file attachments or links. Such emails should be removed straight away, because the file attached or the link within the email could be a straight path to serious issues. Drive-by downloads are another means of ransomware distribution. Drive-by downloads take place without your knowledge upon your accessing a website containing malicious code or clicking on some deceptive ad or link. Additionally, the RDP service is also used to sneakily install ransomware. If the username and password of your RDP account are not complex enough, they could be easily broken during a brute-force RDP attack. Hence, enforcing login data and using two-factor authentification is strongly recommended.

Malware researchers have not spotted any errors in the code of the Datakeeper ransomware for victims' benefit, meaning that it is not possible to decrypt data yet. Nevertheless, it is possible to remove the Datakeeper ransomware.

As regards removal, we recommend relying on a reputable malware and spyware removal tool, which is also capable of removing other already running malicious files and fighting off incoming threat. Many computer users fall victims to different threats just because they do not prioritize online security.

The removal guide below should help you find and delete the malicious executable. If you have any questions, our team is here to help you.

How to remove the Datakeeper ransomware

  1. Remove questionable recently downloaded files located in the Downloads folder and on the desktop.
  2. Also check the Temp directory.
  3. Delete the file with the extension .bin from these directories:

%USERPROFILE%\Local Settings\Application Data

In non-techie terms:

The Datakeeper ransomware is a ransomware-as-a-service model for everyone interested in trying out the most profitable type of malware. The RaaS platform enables people with no programming mastery to create new strains of ransomware and raise funds in Bitcoin. The infection should be removed from the computer without even considering paying the money required in the ransom note. Additionally, the system should be shielded from malware and spyware to prevent new security related incidents.