Barkly vs Malware
Barkly Research
Feb 2018

GandCrab, Saturn, and Data Keeper: 3 New Ransomware-as-a-Service Platforms Gaining Steam


Three new ransomware-as-a-service platforms are helping criminals with little to no technical expertise launch quick and easy attack campaigns in exchange for a cut of the profits. Here's what you need to know.

If malware were a traveling roadshow, ransomware would no longer be the headliner. The once undisputed heavyweight champion of payloads has taken a backseat as of late to stealthier options such as credential stealers and — most prominently — cryptominers.

That's not to say ransomware has completely gone away, however. Far from it. But the ransomware attacks we are seeing have taken on an increasingly predictable pattern, with the majority of the action confined to tried-and-true "spray and pray" spam campaigns and RDP brute-force attacks designed to pick off and infect low-hanging fruit. Innovation and experimentation on the malware front generally appear to be focused elsewhere, but that still leaves plenty of common criminals who remain very much interested in launching easy-to-run campaigns designed to land them some quick coin.

That's exactly where ransomware-as-a-service (RaaS) platforms come in, and researchers have already spotted three new operations emerging during the first two months of 2018 alone.

Ransomware-as-a-Service: A Quick Primer 

For those who haven't come across the term before or need a reminder, here's a quick refresher on how ransomware-as-a-service works:

  • Malware authors develop a new or updated strain of ransomware, but instead of keeping it to themselves, they invite other criminals to use it in exchange for a cut of each successful ransom payment.
  • In order to attract more customers or "affiliates," the malware creators will also typically create online management portals that make deploying and tracking the ransomware as easy as possible.
  • Many RaaS platforms also offer customization options that allow affiliates to choose ransom price, etc. Some even provide helpful tips and online support. 

New RaaS Operations in 2018: GandCrab, Saturn, and Data Keeper



Ransomware-as-a-service operations aren't a new development, but the appearance of three new operations in four weeks is noteworthy. Let's look at each of these platforms in more detail:

GandCrab Ransomware 

GandCrab was first discovered by researcher David Montenegro in late January. It wasted no time gaining popularity, becoming the third most prevalent ransomware variant seen in the wild by late February. 

Researchers first spotted GandCrab being distributed via a malvertising campaign called Seamless, which pushed victims to the RIG and GrandSoft exploit kits. Not long after, it was seen being delivered via spam email campaigns that tricked victims into downloading fake PDF receipts. Once opened, the PDF files download a Word doc with a malicious macro inside that, in turn, executes a PowerShell cmdlet to download the actual GandCrab ransomware payload. 

On execution, GandCrab attempts to connect to the C2 server. After successfully connecting, it checks for certain processes and then terminates them. These processes include winword.exe, visio.exe, mysqld.exe, etc. From there, the ransomware will begin encrypting the victim's files and renaming them with the .GDCB extension. 

If the victim's machine is unable to connect to the C2 server, then it will not encrypt files on the system but will continue to run in the background until it can establish the connection.

After successfully encrypting the victim's files, GandCrab drops a ransom note which details the steps required to make the ransom payment and decrypt the files. 


GandCrab ransom note. Source: BleepingComputer

Decrypter available: Fortunately, researchers at Bitdefender working in concert with the Romanian authorities have issued a decryption tool that can help GandCrab victims recover encrypted files without paying the ransom. 

It's likely that the authors behind GandCrab will attempt to make changes to its encryption routine and release a new version of the ransomware that can't be decrypted. In the meantime, however, victims are in luck, and criminals looking to make a quick buck will likely begin looking elsewhere — potentially at one of the other two RaaS operations detailed below. 

UPDATE 3/7/18: As predicted, the authors behind GandCrab have released a v2 of the ransomware that the decryption tool does not work on. 


GandCrab RaaS portal. Source: David Montenegro

According to details found on the Dark Web and in the RaaS portal, the operators behind GandCrab take 40 percent of any ransom generated with the malware, though they offer a discounted rate of 30 percent for "large partners."

The ransomware also comes with instructions to avoid infecting victims in former Soviet Republics. 

Also of interest, GandCrab appears to be the first ransomware that accepts Dash cryptocurrency.

Note: Barkly blocks GandCrab and GandCrab v2 ransomware before any files are encrypted.



Saturn Ransomware 

  • Discovered: February 18, 2018
  • Delivery: Unconfirmed
  • File extension changed to: .saturn

The second new RaaS operation discovered this year, Saturn operates in a very similar way to GandCrab, with a few additional tricks. 

When Saturn lands on a machine it will first try to determine if it is running inside a virtual environment. If it determines it is, it will exit the process to avoid capture and analysis. 

If it determines it's landed in a real environment then the next thing Saturn will do is attempt to delete shadow volume copies, disable Windows startup repair, and also clear the backup catalog. With the stage now set to make recovery more difficult, the ransomware will encrypt the victim's files, rename them with the .saturn extension, and drop a copy of the ransom note.
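The pre-encryption steps described above can be caught from process-creation telemetry before any file is touched. The following detection sketch is an added example, not Barkly's code: the command-line patterns (vssadmin, wmic, bcdedit, wbadmin), the 120-second window and the sample events are assumptions, since the article names the actions but not the commands.

```python
import re

# Assumption: the article names the actions, not the commands. These patterns
# cover the stock Windows utilities that perform them.
RULES = {
    "shadow_copies_deleted": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|"
        r"bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "backup_catalog_cleared": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}
WINDOW_SECONDS = 120  # constructed correlation window, tune per environment

# Constructed process-creation events: (epoch seconds, host, parent, command line)
SAMPLE_EVENTS = [
    (1000, "WS-01", "explorer.exe", "vssadmin.exe list shadows"),
    (2000, "WS-02", "invoice.exe", "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    (2003, "WS-02", "invoice.exe", "cmd.exe /c bcdedit.exe /set {default} recoveryenabled No"),
    (2005, "WS-02", "invoice.exe", "cmd.exe /c wbadmin delete catalog -quiet"),
    (9000, "SRV-03", "mmc.exe", "wbadmin delete catalog -quiet"),
]

def classify(cmdline):
    """Return the set of recovery-inhibiting actions a command line performs."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def detect(events, window=WINDOW_SECONDS):
    """Map host -> 'high' (2+ distinct actions inside the window) or 'low' (one)."""
    hits = {}
    for ts, host, _parent, cmd in sorted(events):
        for action in sorted(classify(cmd)):
            hits.setdefault(host, []).append((ts, action))
    alerts = {}
    for host, seq in hits.items():
        widest = max(
            len({a for t, a in seq[i:] if t - t0 <= window})
            for i, (t0, _a) in enumerate(seq))
        alerts[host] = "high" if widest >= 2 else "low"
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

A single action, such as an administrator clearing a backup catalog, stays low severity; the combination in quick succession is what marks the behaviour described here.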

Saturn ransom note. Source: PCRisk

In addition, the ransomware will also replace the victim's background with the ransom message and drop a #DECRYPT_MY_FILES#.vbs file that plays audio of the ransom message from the infected computer's speakers. 

The Saturn RaaS portal offers affiliates various options such as setting the ransom price as well as deleting the shadow volume copies, etc.

Saturn RaaS portal. Source: BleepingComputer

The authors behind Saturn are also attempting to compete with other RaaS portals by not requiring any upfront fee to use the platform — something that up till now has been a typical RaaS practice. Instead, criminals are invited to try the platform for free and simply pay 30 percent of any ransoms they receive.   

Note: Barkly blocks Saturn ransomware before any files are encrypted.



Data Keeper Ransomware 

  • Discovered: February 20, 2018
  • Delivery: Unconfirmed
  • File extension changed to: No change made

Brought online just two days after Saturn was discovered, Data Keeper is the third RaaS platform we've seen launched in four weeks. 

Though it has similarities to GandCrab and Saturn, Data Keeper also appears to be more sophisticated. For one thing, it attempts to utilize the legitimate Windows tool PsExec to spread laterally across organizations. Additionally, it does not append a new extension to encrypted files, creating a sense of uncertainty around which and how many files have been encrypted. The RaaS portal allows attackers to choose which file types the ransomware will encrypt, so there's really no telling what's been encrypted and what hasn't without trying to open each file manually.

Otherwise, the only sign that an attack has occurred is the presence of the ransom note file named !! ##### === ReadMe === ##### !!!.htm


Data Keeper ransom note. Source: Bleeping Computer 

Researchers have reported Data Keeper appears to be well-coded, and currently there are no free decryption tools available. 
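For incident triage, the file artifacts named in this article can be swept from a share or disk image. The script below is an added example, not code from Barkly or the cited researchers: it maps the .GDCB and .saturn extensions, the Saturn .vbs file and the Data Keeper note to their family, and for Data Keeper lists the neighbouring files that still need a content check because nothing is renamed. Matching the note on its "=== ReadMe ===" core and the constructed sample tree are assumptions.

```python
import os
import tempfile
from collections import defaultdict

def family_of(filename):
    """Map a file name to the family whose artifact it matches, or None."""
    name = filename.lower()
    if name.endswith(".gdcb"):
        return "GandCrab"
    if name.endswith(".saturn") or name == "#decrypt_my_files#.vbs":
        return "Saturn"
    # Assumption: match the note on its "=== ReadMe ===" core plus .htm so that
    # variation in the surrounding punctuation does not cause a miss.
    if "=== readme ===" in name and name.endswith(".htm"):
        return "Data Keeper"
    return None

def sweep(root):
    """Return {family: {relative dir: {"artifacts": [...], "unverified": [...]}}}."""
    report = defaultdict(dict)
    for dirpath, _dirs, files in os.walk(root):
        by_family = defaultdict(list)
        for f in sorted(files):
            fam = family_of(f)
            if fam:
                by_family[fam].append(f)
        clean_named = [f for f in sorted(files) if family_of(f) is None]
        for fam, artifacts in by_family.items():
            # Data Keeper does not rename files, so every other file beside its
            # note has to be checked by content; the other two mark their victims.
            unverified = clean_named if fam == "Data Keeper" else []
            report[fam][os.path.relpath(dirpath, root)] = {
                "artifacts": artifacts, "unverified": unverified}
    return dict(report)

def build_constructed_tree():
    """Create a constructed sample tree of empty files (not real samples)."""
    root = tempfile.mkdtemp(prefix="raas_sweep_")
    layout = {
        "docs": ["report.docx.GDCB", "notes.txt"],
        "share": ["plan.xlsx.saturn", "#DECRYPT_MY_FILES#.vbs"],
        "finance": ["ledger.xlsx", "!! ##### === ReadMe === ##### !!!.htm"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            open(os.path.join(root, d, n), "w").close()
    return root

if __name__ == "__main__":
    print(sweep(build_constructed_tree()))
```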

According to Bleeping Computer, the RaaS was brought online on February 20, and just two days later, victims were already coming forward complaining of infections. Unlike Saturn and GandCrab, the authors behind Data Keeper have not disclosed the amount of the cut they take from each successful ransom. 


Data Keeper RaaS portal. Source: Bleeping Computer 

Note: Barkly blocks Saturn ransomware before any files are encrypted.


Making Ransomware Unprofitable for Criminals 

The emergence of these three new RaaS operations shows there is still money to be made in ransomware. Many attackers may have moved on to different, stealthier payloads, but as long as these generic campaigns are landing on unprotected machines and finding willing victims, they are going to continue to persist. With enough success, they may even spur another resurgence in ransomware.

After all, ransomware-as-a-service operations have helped launch some of the most heavily distributed ransomware variants of all time, including Cerber and Spora. Time will only tell if these three new players will gain similar traction, or if they're ultimately just three more late entrants in a race that's rapidly winding down.

We can all do our part to make sure it's the latter. These ransomware variants can be defeated with endpoint security, but it often takes stronger, smarter protection than the traditional kind antivirus solutions can provide. Find out how Barkly can help you keep your organization ransomware-free.

And for more tips on preventing and dealing with ransomware infections, see our Ransomware Survival Handbook.
