What is Data Keeper ransomware? And how does it carry out its attack?

Data Keeper ransomware is a file-encrypting threat first released on January 2018. This ransomware Trojan is available on the dark web as RaaS or Ransomware-as-a-Service program. Data Keeper ransomware is designed to target operating systems that are running Windows and lock the files on infected systems using the two encryption algorithms.
Cyber crooks who obtain this crypto-malware will be given the following functions and properties which they can optimize:

  • The ransom amount demanded from victims for data recovery
  • The likelihood of adding PDF, docx, xls and other files to execute malware
  • Optional network shares encryption
  • The ability to remove system restore points and run with administrative rights
  • Multithread encryption
  • Self-running feature on remote devices

Data Keeper ransomware is the third ransomware strain being offered as RaaS this year as it follows the path of Saturn and GandCrab ransomware. Just like Saturn ransomware, Data Keeper ransomware lets anyone sign up for the RaaS and lets them produce dangerous threat. Developers of this crypto-malware are encouraging users to generate ransomware and distribute them to victims with the promise of getting a share of the ransom fee in case the victims pay the crooks to decrypt their encrypted files. However, even though the crooks behind Data Keeper ransomware made their commission known up front with 30% of the total ransom fee, they do not disclose the amount of Bitcoin to their affiliates.
Based on the analysis done by security experts, Data Keeper ransomware appears to be well-coded. It is coded using .NET and although ransomware threats created using .NET are considered to be at the bottom of the barrel when it comes to ransomware quality, it looks like Data Keeper ransomware was written by someone who’s more adept than the average .NET malware noobs. In other words, Data Keeper ransomware is not to be taken lightly.
During its attack, Data Keeper ransomware drops a malicious executable file that will drop another exe file to the %LocalAppData% directory with a random name as well as a .bin extension. After that, the malware executes the aforementioned malicious files with “ProcessPriorityClass.BelowNormal” and “ProcessWindowStyle.Hidden” parameters.
On the second phase of its attack, another exe file will be executed that will load a DLL file that contains the actual ransomware which will then scan the computer looking for files to encrypt. According to researchers, it may encrypt files with the following extensions:
.1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip
In its encryption process, Data Keeper ransomware uses dual encryption algorithms such as the AES and RSA 4096. This ransomware will also enumerate and try to encrypt all network shares it can get its hands on. In addition, this ransomware does not add any kind of file extension to mark the encrypted files so victims won’t really know if a certain file is encrypted unless they open it. This kind of tactic is quite cunning as it puts a sense of uncertainty to its victims with them not knowing how much damage the ransomware has actually done to their computers. In fact, the only indication that a particular computer is the file named “!!! ##### === ReadME === ##### !!!.htm” which contains the following text:
“All files in this directory have been encrypted.
For decrypt files:
Download Tor Browser
Run it
For create decryption keys, copy link at the bottom of this page and paste to the address bar and go it
If the count of links greater than one, next link must be added ONLY AFTER PAYMENT FOR THE PREVIOUS KEY.
Links for creating decryption keys:
(Do not change the “token” parameter otherwise your data will be lost)
[REDACTED_URL]”
How does Data Keeper ransomware proliferate?
As already pointed out earlier, Data Keeper ransomware proliferates using the dark web as it is being distributed there. Meaning to say, anyone who has access to the dark web will be able to get their hands on this file-encrypting threat.
Refer to the removal guide laid out below to eliminate Data Keeper ransomware from your system.
Step 1: Close Data Keeper ransomware’s program window and tap Ctrl + Shift + Esc keys to open the Task Manager.

Step 2: After opening the Task Manager, look for the following malicious processes of Data Keeper ransomware, click on each one of them and select End Process or End Task.

Step 3: Close the Task Manager.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 4: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 5: Navigate to the following paths:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
  • HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
  • HKEY_CURRENT_USER\Control Panel\Desktop

Step 6: Under the paths listed above, look for registry values created by Data Keeper ransomware and delete it.
Step 7: Close the Registry Editor and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for Data Keeper ransomware or any suspicious program and then Uninstall it/them.

Step 9: Tap Win + E to launch File Explorer.
Step 10: After opening File Explorer, navigate to the following locations below and look for Data Keeper ransomware’s malicious components such as !!! ##### === ReadME === ##### !!!.htm as well as the two malicious executable files (.EXE) which has random names and then delete them all.

  • %TEMP%
  • %APPDATA%
  • %LocalAppData%
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

Step 11: Close the File Explorer.
Step 12: Empty your Recycle Bin.
Make sure that you have completely removed Data Keeper ransomware form your computer, to do so, follow the advanced removal guide below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

  1. Turn on your computer. If it’s already on, you have to reboot
  2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

  1. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
  2. Windows will now load the SafeMode with Networking.
  3. Press and hold both R key and Windows key.

  1. If done correctly, the Windows Run Box will show up.
  2. Type in explorer http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between explorer and http. Click OK.

  1. A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once a download is done.

  1. Click OK to launch it.
  2. Run SpyRemover Pro and perform a full system scan.

  1. After all the infections are identified, click REMOVE ALL.


Register the program to protect your computer from future threats.

logo main menu

Copyright © 2024, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.

DMCA.com Protection Status

Log in with your credentials

Forgot your details?