datakeeper

[Content by Gemini 2.5]

Ransomware Profile: DATAKEEPER


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file is given the new suffix .datakeeper
  • Renaming Convention: Files maintain their original filename and structure but simply append “.datakeeper” at the end.
    Example: quarterly_report.xlsx → quarterly_report.xlsx.datakeeper
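The fixed suffix is a cheap detection signal on a file server: no legitimate process creates *.datakeeper files, so the first one that appears is worth an alert. The watcher below is an added example, not code from the original profile and not Datakeeper's own code. It reverses the renaming convention for triage, subscribes to Created and Renamed events under a share, logs each hit and, while the writer's handle may still be open, asks the local SMB server which client owns it. The share path D:\Shares\Finance, the log location and the assumption that this host serves the share over SMB are all assumptions; run it in an elevated PowerShell session on the file server.

```powershell
# Added example: canary watcher for the .datakeeper rename pattern on a file server.
# Assumptions (not from the profile): the share lives at D:\Shares\Finance on this host,
# and the host runs the Windows SMB server so Get-SmbOpenFile can attribute the writer.

function Get-OriginalName {
    # Reverse the renaming convention: strip one trailing ".datakeeper".
    param([Parameter(Mandatory)][string] $Path)
    if ($Path -match '^(?<orig>.+)\.datakeeper$') { return $Matches.orig }
    return $Path
}

function Start-DatakeeperCanary {
    param(
        [string] $WatchPath = 'D:\Shares\Finance',                      # assumed share path
        [string] $LogPath   = "$env:ProgramData\canary\datakeeper.log"  # assumed log location
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path = $WatchPath
    $watcher.Filter = '*.datakeeper'
    $watcher.IncludeSubdirectories = $true
    $watcher.EnableRaisingEvents = $true

    # One handler for both events: Created covers dropped copies, Renamed covers in-place encryption.
    $action = {
        $ea   = $Event.SourceEventArgs
        $full = $ea.FullPath
        $orig = if ($ea.PSObject.Properties['OldFullPath']) { $ea.OldFullPath } else { $null }
        $line = "{0:o} {1} {2} (was: {3})" -f (Get-Date), $ea.ChangeType, $full, $orig
        Add-Content -Path $Event.MessageData.LogPath -Value $line

        # Attribute the write to an SMB client while the handle may still be open.
        $open = Get-SmbOpenFile -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $full -or $_.Path -eq $orig }
        foreach ($o in $open) {
            Add-Content -Path $Event.MessageData.LogPath -Value ("  open by {0} (session {1})" -f $o.ClientComputerName, $o.SessionId)
            # Containment option, deliberately left commented out: drop that client's session.
            # Close-SmbSession -SessionId $o.SessionId -Force
        }
    }
    $data = @{ LogPath = $LogPath }
    Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier DatakeeperCreated -Action $action -MessageData $data | Out-Null
    Register-ObjectEvent -InputObject $watcher -EventName Renamed -SourceIdentifier DatakeeperRenamed -Action $action -MessageData $data | Out-Null
    return $watcher
}

function Stop-DatakeeperCanary {
    param([System.IO.FileSystemWatcher] $Watcher)
    Unregister-Event -SourceIdentifier DatakeeperCreated -ErrorAction SilentlyContinue
    Unregister-Event -SourceIdentifier DatakeeperRenamed -ErrorAction SilentlyContinue
    if ($Watcher) { $Watcher.Dispose() }
}

# Usage:
#   $w = Start-DatakeeperCanary            # keep the session open; events fire in the background
#   Get-OriginalName 'D:\Shares\Finance\quarterly_report.xlsx.datakeeper'
#   Stop-DatakeeperCanary -Watcher $w
```

The session-kill line is commented out on purpose: cutting an SMB session stops the encrypting host from touching this share, but it also cuts any legitimate work from that client, so decide on that response in advance rather than in the handler.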

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Datakeeper first appeared in wide circulation in early March 2018. Additional spikes were observed in mid-2020 after an updated variant surfaced on underground forums.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. RDP Brute-force & Weak Credentials – Scans the Internet for hosts with TCP/3389 (RDP) exposed and repeatedly tries common username/password combinations.
  2. Malspam Campaigns – Delivered via weaponized Microsoft Office documents (macros) or ISO image attachments disguised as invoices.
  3. SMBv1 Exploitation – Uses off-the-shelf ports of the EternalBlue exploit (MS17-010) to move laterally across unpatched Windows 7/Server 2008 systems.
  4. Compromised Web App Uploads – Exploits insecure file-upload portals (e.g., out-of-date WordPress plugins) to plant the ransomware payload.
  5. Credential-stealing Trojan Pre-stagers – Leverages info-stealers such as TrickBot or Amadey to harvest domain credentials before deploying Datakeeper.
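Vector 1 leaves a clear trail in the Windows Security log: a burst of failed logons (event 4625) from one source address against several accounts. The function below is an added example, not part of the original profile, that applies the same 5-attempts-in-30-minutes rule later suggested for account lockout as a detection over those events. The sample events at the bottom are constructed so the block runs offline; the commented Get-WinEvent call shows how to feed real 4625 events from a host instead.

```powershell
# Added example (not from the original profile): flag RDP brute-force sources by counting
# failed logons (Security event 4625) per source IP inside a sliding window.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, IpAddress, LogonType, TargetUserName
        [int] $Threshold     = 5,                   # same figure as the lockout threshold recommended below
        [int] $WindowMinutes = 30
    )
    # Logon type 10 = RemoteInteractive (RDP). Type 3 = Network, which RDP with NLA also produces
    # because the credential check happens before the interactive session is built.
    $rdp = $Events | Where-Object { $_.LogonType -in @(3, 10) } | Sort-Object TimeCreated
    $hits = @()
    foreach ($group in ($rdp | Group-Object IpAddress)) {
        $times = @($group.Group | ForEach-Object { $_.TimeCreated })
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddMinutes($WindowMinutes)
            $inWindow = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end })
            if ($inWindow.Count -ge $Threshold) {
                $hits += [pscustomobject]@{
                    SourceIp  = $group.Name
                    Attempts  = $inWindow.Count
                    FirstSeen = $times[$i]
                    Usernames = (@($group.Group.TargetUserName) | Sort-Object -Unique) -join ','
                }
                break   # one finding per source is enough; the analyst will pull the full set
            }
        }
    }
    return $hits
}

# Constructed sample: one source spraying common account names, one user who mistyped a password.
$base   = Get-Date '2020-06-01 02:00:00'
$sample = @(
    foreach ($n in 0..7) {
        [pscustomobject]@{
            TimeCreated    = $base.AddSeconds(20 * $n)
            IpAddress      = '203.0.113.45'
            LogonType      = 10
            TargetUserName = @('administrator', 'admin', 'backup', 'scan')[$n % 4]
        }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(5); IpAddress = '192.0.2.10'; LogonType = 10; TargetUserName = 'jsmith' }
)
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# On a live host (elevated shell), read the real 4625 events instead. Property indices
# 5 (TargetUserName), 10 (LogonType) and 19 (IpAddress) are the fixed 4625 field positions.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object {
#         $p = $_.Properties
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; IpAddress = $p[19].Value; LogonType = [int]$p[10].Value; TargetUserName = $p[5].Value }
#     }
# Find-RdpBruteForce -Events $live
```

Only the 203.0.113.45 source should be reported: eight attempts across four usernames inside a few minutes, which is the account-spraying shape of an Internet-wide RDP scanner, whereas the single failure from 192.0.2.10 never reaches the threshold.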

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:

  • Patch MS17-010 (EternalBlue) and any SMBv1 vulnerabilities; disable SMBv1 outright where feasible.

  • Restrict RDP:
    – Allow-list source IPs via firewall rules; RDP should never be reachable from the open Internet.
    – Force Network Level Authentication (NLA) and strong, unique passwords plus MFA.
    – Set an account lockout threshold (e.g., lock the account for 30 minutes after 5 failed attempts).

  • Harden Email defenses:
    – Block macros in Office files downloaded from the Internet (files carrying Mark-of-the-Web).
    – Strip ISO/ZIP files via mail-scanning rules or quarantine them for admin review.

  • Deploy Application whitelisting (e.g., MS AppLocker or Microsoft Defender Application Control) to prevent unknown executables from running.

  • Maintain offline, immutable backups with versioning (3-2-1 rule) and test restores quarterly.
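The controls above can be checked and applied from one elevated PowerShell session. The two functions below are an added example and not part of the original profile: Test-RansomwareHardening reports which of the SMBv1, NLA, firewall-scope, lockout and macro controls are missing on the local host, and Invoke-RansomwareHardening applies them with -WhatIf support so the changes can be previewed first. The admin subnet 10.10.0.0/24 is an assumption; the Office policy keys are the Office 2016+ (16.0) per-user policy keys, which in production you would push by Group Policy rather than set locally.

```powershell
# Added example: audit and (optionally) apply the RDP / SMBv1 / macro controls listed above.
# Run in an elevated PowerShell session. The allowed RDP source range 10.10.0.0/24 is an assumption.

function Test-RansomwareHardening {
    [CmdletBinding()]
    param()
    $findings = @()

    # 1. SMBv1 must be off on the server side (the EternalBlue / MS17-010 surface).
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) { $findings += 'SMBv1 server protocol is enabled' }

    # 2. RDP must require Network Level Authentication (credentials checked before a session is built).
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdp.UserAuthentication -ne 1) { $findings += 'RDP NLA (UserAuthentication) is not enforced' }

    # 3. Enabled inbound RDP rules should be scoped to an allow-list, not "Any".
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True
    foreach ($r in $rules) {
        $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') { $findings += "Firewall rule '$($r.DisplayName)' accepts RDP from Any" }
    }

    # 4. Account lockout threshold: "net accounts" prints the effective local policy.
    $thresholdLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    if ($thresholdLine -match 'Never') { $findings += 'No account lockout threshold is set' }

    # 5. Office policy "Block macros from running in Office files from the Internet" (Office 2016+).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        if ($v -ne 1) { $findings += "$app does not block Internet-sourced macros" }
    }
    return $findings
}

function Invoke-RansomwareHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $AllowedRdpSources = @('10.10.0.0/24'))   # assumed jump-host / admin subnet

    if ($PSCmdlet.ShouldProcess('SMB server', 'disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess('RDP-Tcp listener', 'require NLA and TLS')) {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        Set-ItemProperty -Path $p -Name UserAuthentication -Value 1   # NLA on
        Set-ItemProperty -Path $p -Name SecurityLayer -Value 2        # TLS, not legacy RDP security
    }
    if ($PSCmdlet.ShouldProcess('Remote Desktop firewall rules', "restrict to $($AllowedRdpSources -join ',')")) {
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $AllowedRdpSources
    }
    if ($PSCmdlet.ShouldProcess('Local account policy', '5 attempts / 30 min lockout')) {
        net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('Office macro policy', 'block Internet-sourced macros')) {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }
}

# Usage:
#   Test-RansomwareHardening             # list the gaps on this host
#   Invoke-RansomwareHardening -WhatIf   # preview, then run again without -WhatIf
```

Run the audit again after applying: the firewall change in particular is easy to get wrong (a typo in the subnet locks you out of the host you are administering), so confirm you still have an RDP path from the allow-listed range before closing the session.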

2. Removal

  • Infection Cleanup Sequence:
  1. Isolate: Immediately disconnect the affected host(s) from all networks (Wi-Fi, Ethernet) to stop lateral movement.
  2. Identify persistence vectors:
    – Check scheduled tasks (schtasks.exe /query /fo LIST /v), Run/RunOnce keys, and Services for random-named executables.
    – Look for startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
  3. Boot to Safe Mode w/ Networking or WinRE:
    – Run a reputable, fully updated AV/EDR solution (e.g., Microsoft Defender, ESET, CrowdStrike) in offline-scan mode to quarantine random-named executables, binaries masquerading as “wmiprvse.exe,” and dropped copies under C:\ProgramData\ or %TEMP%.
  4. Check for shadow-copy deletion and anything that re-runs it:
    – The command to hunt for is vssadmin delete shadows /all; look for scheduled tasks, WMI event subscriptions or PowerShell commands that re-run it, and remove them before attempting any restore. Do not run the command yourself during cleanup.
  5. Wipe or re-image the OS volume rather than trusting a cleaned install; re-imaging also removes disk-level artifacts such as Alternate Data Streams (ADS). Fully re-patch the system before reconnecting it to the network.
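Steps 2 and 4 are an enumeration job, and doing it by hand across several hosts is where things get missed. The script below is an added example, not part of the original profile, that walks the persistence locations named above (scheduled tasks, Run/RunOnce keys, services, startup folders, and WMI permanent event subscriptions), flags any entry whose command line points into a user-writable directory or contains a shadow-copy-killing command, and separately inventories *.datakeeper files and !!!RESTORE_FILES!!!.txt notes so the encryption window can be placed on the timeline. It is read-only; the drive roots and the suspicious-path patterns are assumptions to adjust per environment. Run elevated.

```powershell
# Added example: read-only triage of the persistence locations in the removal sequence,
# plus an inventory of encrypted files and ransom notes. It changes nothing; review the output,
# then remove what you have confirmed. Drive roots and path patterns below are assumptions.

$SuspiciousPaths = '\\ProgramData\\', '\\AppData\\Local\\Temp\\', '\\Temp\\', '\\Users\\Public\\'
$ShadowKillers   = 'vssadmin', 'shadowcopy', 'wbadmin', 'bcdedit'   # heuristic: commands used to kill recovery

function Test-Suspicious {
    param([string] $CommandLine)
    if (-not $CommandLine) { return $false }
    foreach ($p in $SuspiciousPaths) { if ($CommandLine -match $p) { return $true } }
    foreach ($k in $ShadowKillers)   { if ($CommandLine -match $k) { return $true } }
    return $false
}

function Get-PersistenceFindings {
    $out = @()
    # Scheduled tasks: inspect each action's executable and arguments
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (Test-Suspicious $cmd) { $out += [pscustomobject]@{ Source = "Task $($t.TaskPath)$($t.TaskName)"; Command = $cmd } }
        }
    }
    # Run / RunOnce keys for the machine and the current user
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider metadata
            if (Test-Suspicious $p.Value) { $out += [pscustomobject]@{ Source = "$k\$($p.Name)"; Command = $p.Value } }
        }
    }
    # Services whose binary lives somewhere a service binary should not
    foreach ($s in Get-CimInstance Win32_Service) {
        if (Test-Suspicious $s.PathName) { $out += [pscustomobject]@{ Source = "Service $($s.Name)"; Command = $s.PathName } }
    }
    # Startup folders (current user and all users): anything here is worth a look
    $startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        $out += [pscustomobject]@{ Source = 'Startup folder'; Command = $f.FullName }
    }
    # WMI permanent event subscriptions: a classic way to re-run shadow-copy deletion after cleanup
    foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $out += [pscustomobject]@{ Source = "WMI consumer $($c.Name)"; Command = $c.CommandLineTemplate }
    }
    return $out
}

function Get-EncryptedFileInventory {
    param([string[]] $Roots = @('C:\Users', 'D:\'))   # assumed roots; add mapped shares as needed
    $files = @(Get-ChildItem -Path $Roots -Recurse -File -Filter '*.datakeeper' -ErrorAction SilentlyContinue)
    $notes = @(Get-ChildItem -Path $Roots -Recurse -File -Filter '!!!RESTORE_FILES!!!.txt' -ErrorAction SilentlyContinue)
    $sorted = $files | Sort-Object LastWriteTime
    [pscustomobject]@{
        EncryptedCount = $files.Count
        NoteCount      = $notes.Count
        Folders        = @($files | Select-Object -ExpandProperty DirectoryName -Unique)
        # First and last write times bracket the encryption run for the incident timeline
        FirstWrite     = if ($sorted) { $sorted[0].LastWriteTime } else { $null }
        LastWrite      = if ($sorted) { $sorted[-1].LastWriteTime } else { $null }
    }
}

Get-PersistenceFindings | Format-Table -AutoSize
Get-EncryptedFileInventory
```

Treat every line of the persistence report as a lead, not a verdict: legitimate software does occasionally run from ProgramData, and bcdedit appears in some backup agents, so confirm each entry (hash the binary, check its signature and creation time against the encryption window) before deleting it.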

3. File Decryption & Recovery

  • Recovery Feasibility: As of now, Datakeeper does NOT have a public decryptor; encryption uses a correctly-implemented AES-256 + RSA-2048 hybrid scheme. The private RSA key resides only with the operators.

  • Essential Tools:

  • Decryptor – none. No public decryption tool exists for Datakeeper.

  • Elcomsoft Forensic Disk Decryptor – helps only with BitLocker volumes that were already unlocked before the infection; it cannot undo Datakeeper's encryption.

  • Microsoft KB4013389 (the MS17-010 SMB security update).

  • Windows 10 22H2 and Windows 11 cumulative updates (which include additional protections against RDP brute-force).

    Bottom line: Restore from OFFLINE backups. Paying the ransom is a decision for your organization's risk tolerance (and legal counsel); payment does NOT guarantee a full or working decryption.

4. Other Critical Information

  • Additional Precautions:

  • Datakeeper drops its ransom note both as the desktop wallpaper and as a .txt file (!!!RESTORE_FILES!!!.txt) in every folder that contains encrypted files.

  • A variant spotted in 2022 adds a Telegram bot handle to the note, advertising “Live-chat with operators”; this lowers the barrier for victims to contact them and raises the social-engineering risk.

  • Broader Impact:

  • SME healthcare providers in the UK and North America were hit hardest in 2020–2021 due to rampant exposed RDP and slow patching cycles.

  • Average downtime attributed to Datakeeper breaches is 7–10 business days when no tested backups exist, with residual compliance and regulatory fines pushing total operational loss to an estimated 3× the ransom demand.

By combining strict patch discipline, credential-lockdown, and regularly tested offline backups, organizations can dramatically reduce attack surface and recovery downtime for the Datakeeper ransomware family.