Datakeeper Ransomware

What is Datakeeper Ransomware?

Ransomware is now becoming available to everyone, and latest detection of a ransomware-as-a-Service (RaaS) platform named Datakeeper only proves that this type of malware is not going to move away from the dark market. The Datakeeper ransomware, also spelt Data Keeper, is yet another tool for hackers and skiddies interested in taking users' files hostage and demanding a release fee. The Datakeeper malware is the third RaaS platform enabling schemers to distribute malware after Saturn and GandCrab.

Different strains based on the Datakeeper RaaS has already been spotted in the wild, causing considerable inconveniences to many computer users, including individual users and businesses alike. Unsuspecting computer users not aware of this type of threat can easily fall victim to the strains of the Datakeeper ransomware because this RaaS does not add any file extensions to affected files, thereby causing confusion when the victim tries to open the file to find that it is corrupted. It is important not to panic but remove the Datakeeper ransomware straight away without paying attention to the ransomware's demand for money.

How does the Datakeeper ransomware work?

To become an affiliate and have a hand-on experience with the Datakeeper ransomware, it is necessary to sign up on its website, without any activation fee. The owner of a new Datakeeper-based infection is promised a share of every ransom fee paid by the victim; however, the amount promised is not disclosed to keep the potential affiliates.

Fortune-oriented clients of the Datakeeper RaaS are provided with a pack of features enabling them to customize their destructive software.  For example, the ransom fee, which is paid in Bitcoin, can be changed by the affiliate, and the reward for making the user of an affected computer pay is also paid in the same cryptocurrency if the Bitcoint account number is provided beforehand.

Moreover, the output executable can contain an attached file, including PDF, DOC, XLS, and other types.

Even though the Datakeeper ransomware offers a default set of file formats that can encrypted, it is possible to configure the threat to encrypt given formats. A Datakeeper-based threat may also be instructed to attempt running administrative rights. In case of success, restore system points are removed. To be more precise, restore system points are collections of import system files that are created before a program or update is installed.

The customized ransomware built using the Datakeeper service is coded in the .NET framework, which would rank the threat low in terms of its complexity. However, in the present case, more efforts to build a data damaging tool have been observed.

It has been discovered that the executable file drops another executable file with a .bin extension to the %LocalAppData% directory. Moreover, the parameters ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden are used to execute the file. The second .exe file loads a .dll file, which also loads another .dll that contains the destructive threat. Each layer is protected with the decompiler ConfuserEx.

Some researchers and people interested in coding are surprised at the level of protection, which is uncommon for this type of ransomware.

How does the Datakeeper ransomware collect money?

The Datakeeper ransomware encrypts files by employing a dual AES and RSA-4096 algorithm. The infection also attempts to encrypt network shares, which are also known as shared resources. Such data can be accessed remotely from another device and refers to printer access, shared scanner access, and other shareable resources.

Upon encryption, no additional extension are added, thereby causing confusion to the victim, because without the additional extension, it is difficult to identify the scale of the damage caused. All that the victim is provided with is a .html file named "!!! ##### === ReadMe === ##### !!!." Each version of the Datakeeper ransomware encrypts different sets of files, and the fees demanded vary. The victim is instructed to download the Tor browser and access a given website for more information about the release fee and payment submission. However, here we want to warn you that you should not pay the fee but remove the Datakeeper ransomware from the PC.

Why you should not pay up?

Paying up for having the affected files restored is likely to be an urge for those who do not have data backups. Many businesses  pay the ransom fee in the hope that the data will be recovered; however,  in most cases they simply waste their money, because no response is received from the attackers. The FBI and other law enforcement agencies advise ignoring the demand for ransom because no one can guarantee a fix after money submission. It is highly advisable to make backup copies on a regular basis so that the necessary data can be accessed in case of data encryption. So far malware researchers have not identified any bugs allowing victims' data recovery.

How to remove the Datakeeper ransomware?

Our team at recommends relying on a malware and spyware removal tool so that you can browse the Internet safely without any threats running on the computer. The more attention to pay to your online behavior and security, the lower the risk of getting affected by any type of malware.

However, if for some reason you want to remove the Datakeeper ransomware manually, use the following removal guidelines.

Remove the Datakeeper Ransomware

  1. Delete recently downloaded files located on the desktop, in the Downloads and Temp folders.
  2. Access the %LOCALAPPDATA% and %USERPROFILE%\Local Settings\Application Data directories to find and remove the randomly named file with the extension .bin. 100% FREE spyware scan and
    tested removal of Datakeeper Ransomware*

Stop these Datakeeper Ransomware Processes:


Leave a Comment

Enter the numbers in the box to the right *