A new type of ransomware known as Shark (Trojan.Ransomcrypt.BG) is being distributed on the cyber underground. The malware’s authors use the “Ransomware-as-a-Service” (RaaS) business model, freely distributing the ransomware builder to aspiring attackers, but requiring a 20 percent cut of any ransom payments it generates.
Shark is distributed through a professional-looking website that features information about the ransomware and instructions on how to download and configure it. Its authors boast that it is fully customizable, uses a fast encryption algorithm, supports multiple languages, and is “undetectable” by antivirus software.
Figure 1. Shark ransomware builder
Options for customization include choosing which file formats the ransomware should encrypt and setting the ransom amount demanded of the victim. The attacker also enters an email address, which is used to notify them when a payload they created has infected a system.
The developers say payment is fully automated and they will take a 20 percent cut from any ransoms paid. Payment is centralized, meaning any ransom payment is made directly to the developers, who then promise to pass on the attackers’ 80 percent cut.
Figure 2. Shark ransomware note on compromised computer
Symantec and Norton products detect this threat as:
To learn more about the threat posed by ransomware, read our latest whitepaper: An ISTR Special Report: Ransomware and Businesses 2016