Skip to content ↓ | Skip to navigation ↓

Shark ransomware has rebranded itself as the Atom ransomware affiliate program but has kept a favorable payment model to attract criminal customers.

First detected on 15 August, 2016, Shark is a ransomware-as-a-service (RaaS) platform that allows computer criminals with low levels of technical expertise to sit at the adult table and distribute crypto-malware.

shark-1
Shark ransomware builder (Source: Symantec)

Shark attempts to gain an edge over other RaaS models, such as Stampado and Philadelphia, by using a payment model that favors the distributors over the ransomware’s original author.

As researchers at Symantec Security Response explain in a blog post:

“The developers say payment is fully automated and they will take a 20 percent cut from any ransoms paid. Payment is centralized, meaning any ransom payment is made directly to the developers, who then promise to pass on the attackers’ 80 percent cut.”

Hmm…that’s a big promise to make, a claim which Softpedia’s Catalin Cimpanu pointed out as “scammy-looking.”

But Shark’s developers have big plans for their ransomware. That’s why they decided to rebrand Shark as Atom and outfit it with a host of new features.

at0m1
Source: Fortinet

First, computer criminals can customize Atom using an a GUI interface instead of the command line.

at0m3
Source: Fortinet

Second, Atom creates a unique tracking ID for each customer. This feature helps the authors monitor each affiliate’s progress so that the distributor gets paid first under the original Shark payment model.

Rommel Joven, a junior antivirus analyst at Fortinet, confirms that point:

“When the encryption process is completed, it executes its dropped decryptor and provides the victim with instructions for decrypting their files. The bitcoin address shown is that of the developer, which guarantees that they get their cut first, with the promise to automatically transfer the rest to the affiliate’s bitcoin wallet.”

at0m13
Source: Fortinet

Those changes notwithstanding, Cimpanu remains skeptical about Shark’s (now Atom’s) legitimacy:

“We called this ransomware operation ‘scammy’ in our first report, and we still stand by that opinion. The ransomware still requires victims to make Bitcoin ransom payments to Atom’s creator Bitcoin wallet, with no guarantee that Atom subscribers will receive their 80 percent cut. At any time Atom’s creator can have a change of heart and shut down his operation, keeping a big chunk of the funds.”

What’s clear is the fact that Atom’s proposed payment model will attract a number of computer criminals to its affiliate program, which means infections are likely to spike in the near future. With that in mind, users should back up their critical data, avoid clicking on suspicious links and URLs, keep their systems up-to-date, and follow other ransomware prevention tips.

They can also learn more about ransomware here.