A new Ransomware as a Service, or RaaS, called the Shark Ransomware Project has been discovered by security researcher David Montenegro. The Shark Ransomware Project offers would-be criminals the ability to create their own customized ransomware without needing any technical experience and by simply filling out a form and clicking a button. For this service, the Shark RaaS developers keep 20% of the ransom payments and give the rest of the payment to the distributor/affiliate.
The Shark Ransomware Project went live sometime in July 2016 and is hosted on a publicly accessible WordPress site rather than being hosted on TOR. This is very unusual, as RaaS and ransomware developers typically host their sites on the TOR anonymizing network so it is harder for the authorities to identify them.
Any wannabe ransomware distributors can simply visit the site and click on the download button in order to download a zip file called PayloadBundle.zip.
The downloaded ZIP file will contain the ransomware configuration builder, called Payload Builder.exe, a warning note called Readme.txt, and the ransomware executable Shark.exe.
Based on the "clientele" that will be using this RaaS, I would not be surprised if there were many accidental infections cause by people cluelessly running the included Shark.exe executable.
Downloaders can now run the Payload Builder.exe to start generating a custom configuration that will be used by the included ransomware as described in the next section.
Most Ransomware as a Service offerings use the developer's web site to configure the executable and then download the customized ransomware. Shark does it differently by providing a base ransomware executable and then allowing would-be criminals to create their own configs that change the functionality of the ransomware.
The Shark Ransomware Project offers numerous examples showing how to configure the ransomware. These configuration options include the folders to encrypt, the file types to target, the countries to target, how much to charge each country, and an email adress that will be used to send notifications when the ransomware is installed..
When the configuration is entered, a base64 version of the configuration will be generated. This code is then used as an argument to the Shark.exe to specify that the custom configuration that should be used.
Below is an example of the decoded code from the above sample.
Now all the wannabe criminal has to do is distribute the ransomware so that it is installed by targeted victims.
At this time, the Shark.exe process is still being analyzed, so it is unknown if it has any weaknesses that we can exploit. What we do know is that when launched, it will encrypt the configured file extensions and append the .locked extension to encrypted files. The name of each encrypted file will be stored in the %UserProfile%\AppData\Roaming\Settings\files.ini file. It will also extract a random named executable titled "decrypter" into the %UserProfile%\AppData\Roaming\Settings folder as well.
When finished, it will execute the decryptor program program, which states "Data on this device were locked" and through a three step process, explains how to pay the ransom. Victim's can also select 30 different languages for the decryptor screen display instructions.
This programs requires a victim to enter their email address and then make a payment to the specified bitcoin address. The program then states that the password will be sent to the victim after the payment has been made.
As the program is further analyzed, if there is any additional information I will be sure to update this article.