Serbian security researcher GrujaRS shared with Softpedia a ransomware project called Shark, freely distributed on the Deep Web, but which appears to be a scam at a closer inspection, even if it produces valid and running ransomware payloads.

Anyone can download a version of the Shark builder from the Shark Ransomware Project's homepage, which is not on the Dark Web (Tor/I2P), nor is it freely reachable via Google, being on that section of the public Internet where search and indexing bots can't reach it.

Users get a ZIP file (which appears to be carrying a secret friend) that unpacks into three files: ReadMe.txt, Payload Builder.exe, and Shark.exe. The ReadMe.txt file reads:

“ Attention! We recommend you to use a virtual machine when working with this files. And do not run payload.exe on your PC. Good luck! ”

Shark comes with an easy-to-use ransomware payload builder

According to the description on its site, wannabe crooks can use the builder to choose the file formats to encrypt during an attack, the folders to target, the crook's Bitcoin wallet, and the ransom fee to ask the victims.

The builder is pretty well put together, providing the user with the ability to use country-based filters for the ransom fee.

Users can also insert the email address at which they can contact the ransomware author, shown in ransom notes.

Shark ransomware payload builder

The people behind Shark claim their ransomware is also fully translatable and undetectable by antivirus makers.

At this point, you might be asking yourself why someone is offering a free ransomware builder. The answer is simple.

The Shark ransomware uses a centralized payment system through which the crook gets to keep 20 percent of all ransom payments and then redirects the rest to the people who distributed it.

"50% of the distribution would not be tempting, but 80% sounds good," GrujaRS tells Softpedia. "Unfortunately, many young people will not resist the challenge. Unfortunately, this evil has no end. Pandora's box is open."

Shark ransom note

Taking into account that Shark's promotional campaign was based on spamming and getting banned from underground hacking forums like Megatop, this looks more like a scam than anything else, with some crook trying to fool cybercrime newcomers into distributing his malware and keeping all the profits.

Nevertheless, there's an argument to be made for the crooks who do follow the "There is honor among thieves" code.

"Look from the perspective of who will enter the ransomware distribution will not be an amateur," GrujaRS adds. "This is someone who has experience in these matters, and is difficult to cheat."

Despite the shady distribution model with no guarantees for the distributors, what we know is that the Shark builder generates fully working ransomware payloads.

Below we present a YouTube video showcasing the Shark ransomware infection process, courtesy of GrujaRS.