
Shark Ransomware

By GoldSparrow in Ransomware

The Shark Ransomware is part of a project that allows fraudsters to create ransomware customized to their needs, and it belongs to a growing trend known as Ransomware as a Service (RaaS). The Shark Ransomware offers extortionists the ability to create their own ransomware threats without any technical knowledge or experience: creating a Shark Ransomware variant is as simple as filling out a Web form and clicking a button. The developers of the Shark Ransomware RaaS keep 20% of any ransom collected by the con artists using it. Essentially, fraudsters can create a version of the Shark Ransomware that matches the kind of attack they want to carry out and then spread it using their own distribution methods.

The Shark that Only Wants to Attack Your Wallet

The Shark Ransomware was first observed in July of 2016. Rather than being on the Dark Web, the Shark Ransomware is accessible through a WordPress website on the regular Web. Con artists and RaaS services may host their threats on the Dark Web, which requires the Tor browser for access, to maintain their anonymity. In the case of the Shark Ransomware, the website for creating the ransomware is openly visible to the public. Anyone wanting to create a Shark Ransomware variant can simply visit this website, click on a download button, and download a ZIP archive called 'PayloadBundle.zip,' which contains a builder for creating a Shark Ransomware variant. This ZIP contains 'Payload Builder.exe', a builder for creating the ransomware's specific configuration; a text file named 'Readme.txt,' which contains a warning message; and the ransomware's executable file named 'the Shark.exe,' which contains a version of the Shark Ransomware. Since the people using the Shark Ransomware RaaS are unlikely to have much technical experience, it is quite possible that many have infected their own computers accidentally by running the included ransomware executable.

The ransomware builder is simple to use: people who download it simply enter the configuration they want for their version of the Shark Ransomware. Rather than building the ransomware on the website, the Shark Ransomware's developers let would-be con artists download the builder and experiment with it themselves. The Shark Ransomware website includes examples of how to configure a Shark Ransomware variant for different purposes. Con artists can choose which folders to encrypt during the attack, which file types to target, which countries to target, the ransom amount for each country, and the email address used for notifications and payment. Once the configuration settings are set, a base64-encoded version of the configuration is generated, which the Shark.exe uses to carry out its attack. The following is an example of how such a configuration looks:

{"prices":"Germany|100|United States|200","default_price":"50","bitcoin_user_address":"1ED7cQBPaeZ2QiUEmggQ3LLPKACq58nzV5","directories":"C:\\\\Users\\\\Admin\\\\Desktop|C:\\\\Users\\\\Admin\\\\Documents","extensions":"*.doc|*.rtf","user_email_address":"user@domain.com"}
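For incident responders who recover such a blob from a sample, the following is an added example (not code from the Shark builder or from this page) that decodes a base64-encoded configuration of the shape shown above into its fields and lets an analyst scope which files a given variant would have touched. The sample blob is constructed from the page's example; the assumption that listed directories are matched recursively and case-insensitively is mine, not something the page states.

```python
import base64
import fnmatch
import json
from pathlib import PureWindowsPath

# Constructed from the example configuration shown above: the plain JSON that the
# builder base64-encodes for Shark.exe (field names are those on the page).
SAMPLE_CONFIG_JSON = (
    '{"prices":"Germany|100|United States|200","default_price":"50",'
    '"bitcoin_user_address":"1ED7cQBPaeZ2QiUEmggQ3LLPKACq58nzV5",'
    '"directories":"C:\\\\Users\\\\Admin\\\\Desktop|C:\\\\Users\\\\Admin\\\\Documents",'
    '"extensions":"*.doc|*.rtf","user_email_address":"user@domain.com"}'
)
SAMPLE_CONFIG_B64 = base64.b64encode(SAMPLE_CONFIG_JSON.encode()).decode()


def parse_shark_config(blob_b64: str) -> dict:
    """Decode a base64 config blob into structured fields.

    Pipe-separated fields are split into lists; 'prices' alternates a country
    name with the ransom amount for that country, as in the page's example.
    """
    cfg = json.loads(base64.b64decode(blob_b64, validate=True).decode("utf-8"))
    parts = [p for p in cfg.get("prices", "").split("|") if p]
    if len(parts) % 2:
        raise ValueError("prices field must alternate country and amount")
    return {
        "prices_by_country": {parts[i]: int(parts[i + 1]) for i in range(0, len(parts), 2)},
        "default_price": int(cfg.get("default_price", 0)),
        "bitcoin_address": cfg.get("bitcoin_user_address", ""),
        "directories": [d for d in cfg.get("directories", "").split("|") if d],
        "extensions": [e for e in cfg.get("extensions", "").split("|") if e],
        "contact_email": cfg.get("user_email_address", ""),
    }


def would_be_targeted(path: str, cfg: dict) -> bool:
    """Impact scoping: is the file under a listed directory and does its name match
    one of the extension globs? Assumption (not stated on the page): directory
    matches include subfolders and are case-insensitive, as Windows paths are."""
    p = PureWindowsPath(path)
    under_dir = any(
        str(p).lower().startswith(str(PureWindowsPath(d)).lower() + "\\")
        for d in cfg["directories"]
    )
    ext_match = any(fnmatch.fnmatch(p.name.lower(), pat.lower()) for pat in cfg["extensions"])
    return under_dir and ext_match
```

The decoded Bitcoin address and contact email are the fields worth lifting straight into blocklists and indicator sets.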

Once the Shark Ransomware variant is created, the con artists only have to distribute it, perhaps through a botnet, spam emails, or by hacking into targeted computers directly.

The Steps Taken by the Shark Ransomware Attack

It is currently unknown what weaknesses are present in the Shark Ransomware variants. When launched, the Shark Ransomware carries out the attack specified in its configuration and marks the files it encrypts with the extension '.locked'. The Shark Ransomware creates a list of encrypted files at the following path:

%UserProfile%\AppData\Roaming\Settings\files.ini

The Shark Ransomware also drops a randomly named executable, the 'decryptor', into the path:

%UserProfile%\AppData\Roaming\Settings

The decryptor executable will display the ransom note, which reads:

"Data on this device were locked"

The Shark Ransomware will display a three-step process for paying the ransom. Con artists can customize the Shark Ransomware to display its ransom instructions in more than thirty different languages. To create the Shark Ransomware variant, con artists are instructed to leave their email address at the WordPress website associated with the Shark Ransomware RaaS.
