GrujaRS, a Serbian security expert, stumbled upon a new ransomware project that is freely available on the Deep Web. Named Shark, the ransomware appears to be a fraudulent scheme, even though it delivers real, working payloads.
Any cybercriminal wannabe can visit the Shark Ransomware Project’s homepage and download a version of the Shark builder. The Shark website is neither on the Dark Web nor easily reachable via Google. It sits on the part of the public Internet that search engines and indexing bots do not reach.
Users download a ZIP file which, when unzipped, contains the following three files: Shark.exe, Payload Builder.exe and ReadMe.txt.
Shark.exe is the ransomware itself, Payload Builder.exe is the builder, and ReadMe.txt reads:
“Attention! We recommend you to use a virtual machine when working with this files. And do not run payload.exe on your PC. Good luck! ”
The Shark website states that the builder can be used to create customized variants of the ransomware. Wannabe cyber crooks can choose the folders the ransomware targets, the file formats it encrypts, and the Bitcoin wallet that receives payments. They can also set the amount of ransom they will demand from their victims. The builder additionally lets its user apply country-based filters to the ransom demand, and insert the email address, shown on the ransom note, at which victims can contact them.
The Shark authors claim that the ransomware is very well put together, completely undetectable by anti-virus programs and fully translatable. If all this is true, the question “Why would someone offer such a ransomware builder for free?” comes to mind. The answer is that the Shark creators rely on a centralized payment system through which they keep 20% of all ransom payments, while the remaining 80% is passed on to the users who distributed the ransomware.
“50% of the distribution would not be tempting, but 80% sounds good.” – GrujaRS explains – “Unfortunately, many young people will not resist the challenge. Unfortunately, this evil has no end. Pandora’s box is open.”
Anyway, given that Shark’s promotional campaign consisted of spamming and getting banned from underground hacking forums like Megatop, there is a high chance that Shark’s creators are trying to mislead cyber newbies into spreading their ransomware and then keep all the profits in the end. In other words, keep the money without doing the dirty, boring work.
And yet, there is something else to be considered.
“Look from the perspective of who will enter the ransomware distribution will not be an amateur.” – GrujaRS adds – “This is someone who has experience in these matters, and is difficult to cheat.”
However, leaving aside the questionable distribution scheme, which offers distributors no guarantees, and the presence of the Perseus Trojan in the downloaded archive, one thing is certain: the Shark builder delivers real, working ransomware payloads.