- Oct 23, 2012
The Shark Ransomware Project has recently rebranded and switched to a new domain in an attempt to start from scratch, calling itself Atom - a ransomware affiliate program.
The change comes after a series of news articles that gave it a bad reputation, including ours, published last month, in which we called it "scammy-looking."
When it appeared, Shark stood out among RaaS (Ransomware-as-a-Service) offerings because its website was hosted on the public Internet rather than on Tor, which most of its rivals use.
Shark was offering users a ransomware builder that allowed them to create their own Shark ransomware version. Crooks could customize Shark to their liking, and then use spam or exploit kits to infect victims.
Victims paying the ransom would send the money to the Bitcoin wallet of Shark's creator, who would keep 20 percent and forward the rest to the person who infected the victim.
Atom comes with a GUI payload builder
Accessing Shark's website today, we get redirected to a new website promoting the Atom ransomware affiliate program.
Under the hood, Atom works almost the same way as Shark. It offers a payload builder and uses the same 80-20 percent cut as Shark did before being taken down.
The glaring change is that Atom uses a nice graphical user interface to build the ransomware. Shark previously used a terminal-based builder with users having to pass customization settings via command-line options.
Atom now includes a web panel for displaying campaign statistics
This builder generates the ransomware payload, the final EXE file that crooks need to deliver to victims, but also prints out a ransomware campaign ID.
Crooks deploying the Atom ransomware can enter this ID on the Atom website and access a web panel that shows details about the number of infected victims and earned money.
We called this ransomware operation "scammy" in our first report, and we still stand by that opinion. The ransomware still requires victims to make Bitcoin ransom payments to the Atom creator's Bitcoin wallet, with no guarantee that Atom subscribers will receive their 80 percent cut. At any time Atom's creator can have a change of heart and shut down his operation, keeping a big chunk of the funds.
In a report released today, Fortinet took a look at how a typical Atom ransomware infection works. You'll find technical details regarding Atom's C&C server communications, not included in this article.