DataKeeper ransomware virus is an addition to the list of ransomware-as-a-service infections. The ad for this service appeared on the dark web at the end of February, 2018, and it did not take long for the business to take off.
Currently, there have been several reports of this ransomware infecting operating systems. It appears that RaaS strategies are becoming more popular: we have already discussed the Saturn and GandCrab infections, which are also available to crooks who wish to profit from crypto-malware but lack the skills to create such viruses themselves.
In case you have been hit by this infection and your computer is currently unusable due to DataKeeper virus, you have come to the right place. In this article, we will try to help you solve this problem and provide you with detailed instructions on how to get rid of DataKeeper ransomware immediately.
DataKeeper crypto-virus ruins files with a combination of RSA and AES, but does not add extensions to damaged data
The DataKeeper ransomware targets Windows operating systems. The infection can be downloaded free-of-charge, and the users of this service will receive rewards if their victims pay the ransom. It is not specified how much the wannabe crooks will receive, but the profits are usually split to the advantage of the makers of RaaS. Therefore, we do not think that users of this ransomware will get any more than 30% from the paid ransom, if not less.
Each executable that a user of the DataKeeper ransomware-as-a-service receives is set to encrypt data with an RSA-4096 key pair. The crypto-malware is advertised as very effective, able to quickly encrypt even the largest files. It can also encrypt all network shares on every computer in the subnet. However, unlike most crypto-viruses, DataKeeper ransomware won’t add any unique extension to the damaged digital data.
Therefore, it becomes harder to find all encrypted files (victims would have to try to open a file to see whether it is encoded). Wannabe hackers can find this information through the TOR browser, but we hope that barely anyone will plan to become a part of this devious scheme.
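Because DataKeeper leaves file names and extensions untouched, finding damaged files means looking at their content rather than their names. The following Python script is an added example, not code from the article or from anyone behind the malware: it flags files whose header carries no known format signature and whose bytes are near-random, which is what in-place encryption leaves behind. The signature table, the entropy threshold and the sample corpus are assumptions chosen for the example.

```python
import math
import os
from collections import Counter

SAMPLE_SIZE = 4096        # header bytes inspected per file
ENTROPY_THRESHOLD = 7.2   # bits per byte; AES output sits near 8.0, text and documents well below

# Signatures of common structured formats; an intact header means the body was not overwritten.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip container (docx/xlsx)",
         b"\xd0\xcf\x11\xe0": "ole2 (doc/xls)", b"\x89PNG": "png", b"MZ": "pe executable"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def known_magic(head: bytes):
    """Label of the first signature the header carries, or None."""
    return next((label for sig, label in MAGIC.items() if head.startswith(sig)), None)

def is_likely_encrypted(data: bytes) -> bool:
    # No recognisable signature plus near-random bytes is the fingerprint of in-place encryption.
    # Caveat: compressed formats absent from MAGIC (headerless media, some archives) read as positives.
    head = data[:SAMPLE_SIZE]
    return known_magic(head) is None and shannon_entropy(head) > ENTROPY_THRESHOLD

# Constructed corpus (os.urandom stands in for AES output): an intact Office file, a plaintext
# note, and an "encrypted" PDF whose name and extension are unchanged, as the article describes.
SAMPLES = {"quarterly-report.docx": b"PK\x03\x04" + os.urandom(4000),
           "notes.txt": b"Meeting notes: review backup rotation and test a restore.\n" * 60,
           "invoice.pdf": os.urandom(4096)}

def triage(samples=SAMPLES):
    """Sorted names of the samples that look encrypted in place."""
    return sorted(name for name, data in samples.items() if is_likely_encrypted(data))

def scan_tree(root: str):
    """Walk a directory (a mounted share or secondary drive) and return suspect file paths."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                with open(path, "rb") as fh:
                    if is_likely_encrypted(fh.read(SAMPLE_SIZE)):
                        hits.append(path)
            except OSError:
                pass  # locked or unreadable file; log it separately if needed
    return hits
```

Run `scan_tree` against a drive mounted from another machine to get a list of files worth checking against backups or shadow copies before anything is overwritten.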
Even though we usually do not pay too much attention to ransomware coded in .NET, the DataKeeper virus appears to be one of the diamonds among rocks. It is very professionally made, meaning that the creators knew what they were doing and why. In the ad on the dark web, people can also find more information about the decryption software, bitcoin wallets, etc. Once a victim is infected with this software, he/she will notice a file named ##### === ReadMe === ##### !!!.htm on their device. It will contain information about the ransom and decryption options.
Is there a way to recover files that DataKeeper crypto-malware has ruined?
Currently, DataKeeper virus is one of those infections that security researchers have not figured out. There is no way of decrypting the data for free (at least for the time being). However, specialists are hard at work, trying to find any flaws or mistakes in the virus. If they find something to exploit, it is possible that a free decrypter will be released. Until then, we hope that you won’t consider paying the ransom.
The ransom might differ between victims. It could be that you will be required to pay 0.3 BTC, but the price might be higher. Either way, you should not even consider paying the fee for a decryption program. Take a stand like the Colorado Department of Transportation: refuse to pay the ransom. This is the only way to make hackers stop producing malware. For the future, please remember to keep backups of your most important files.
How can this DataKeeper ransomware virus be distributed?
It is likely that users of this ransomware-as-a-service will come up with their own ways of spreading the infection. It could be that malicious email messages will be sent, or that people will try to infect Windows OSs with misleading advertisements. We hope that you will be careful: do not open messages from unknown sources and do not click on random promotional content.
Even though we cannot offer you free decryption for the files DataKeeper crypto-virus has damaged, we can present you with options for removing this infection. More skilled users could follow the guidelines below and get rid of the ransomware manually. However, manual removal gone wrong can also cause severe issues on your computer. Therefore, we hope that you will consider getting Spyhunter.
How to recover DataKeeper ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the available Restore Points from before DataKeeper ransomware infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of DataKeeper ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to DataKeeper ransomware. You can check other tools here.
Step 3. Restore DataKeeper ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually DataKeeper ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover DataKeeper ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install it and scan for recently deleted files.