Shark targets Windows OS and is being offered as a Ransomware-as-a-Service (RaaS) kit via a publicly accessible, clearnet WordPress website. The developer keeps 20 percent of the ransom payments and the distributors using the service keep the remaining 80 percent. The ransomware kit is contained within a ZIP file named which contains a configuration builder, Payload Builder.exe, a warning to the distributor named, Readme.txt, and the ransomware executable file, Shark.exe. The configuration builder allows distributors to choose which folders and files to encrypt, which countries to target, and what email address to use to receive notifications after victims are infected. Shark appends .locked to encrypted file names. Shark’s ransom amount depends on the price that the distributor sets.

UPDATE 9/14/2016: Shark has now been rebranded by its developers as the Atom Ransomware Affiliate Program. It is still available on a Clearnet WordPress website but now includes the Atom Payload Builder, an EXE file which makes it easier for distributors to produce a working, customized ransomware build. It uses AES-256 to encrypt files and sends the decryption key and victim ID via HTTPS to its C2 servers.

  • Bleeping Computer provides more information about Shark here.
  • The NJCCIC is not currently aware of any decryption tool available for Shark or the rebranded Atom.
Ransomware VariantsNJCCICShark