A new Ransomware-as-a-Service project has sprung up, and the “service providers” are allowing others to use it for free, but take a 20 percent cut out of every ransom that gets paid by the victims. The ransomware is called Shark.
According to security researcher David Montenegro and Bleeping Computer, the project’s site is accessible to anyone who knows the address, and not just to Tor users. It’s a simple WordPress site, from where would-be criminals can download a .zip file containing the ransomware configuration builder (Payload Builder.exe), a warning note (Readme.txt), and the ransomware executable (Shark.exe).
They are instructed to use the configuration builder to choose which folders and files the ransomware will encrypt, the users of which country to target, the amount of money they will ask of the victims, to input an email address to which a notification will be sent when the payload infects a machine.
“When the configuration is entered, a base64 version of the configuration will be generated. This code is then used as an argument to the Shark.exe to specify that the custom configuration that should be used,” Lawrence Abrams explains.
The Bitcoin address to which the payment will go is that of the original malware authors, who should take their 20 percent and forward the rest to the crooks that distribute this custom made version of it.
Whether they actually keep their side of the bargain is still unknown.
“Taking into account that Shark’s promotional campaign was based on spamming and getting banned from underground hacking forums like Megatop, this looks more like a scam than anything else, with some crook trying to fool cybercrime newcomers into distributing his malware and keeping all the profits,” Softpedia’s Catalin Cimpanu pointed out.
The payload created through the builder seems to be working as promised. It encrypts files with the chosen file extensions and adds the .locked extension to the encrypted versions of the files. Malware researchers will hopefully soon create a decryption tool that will reverse that action.
In the meantime, the ransomware is obviously not “undectecable by AV” as the authors claim. Symantec has added detection for it to its products, and they sure won’t be the only ones.