Atom is a ransomware that is rebranded version of Shark. The Atom homepage still runs on WordPress, but unlike its predecessor, hides its admin panel login much better.

The biggest change between Atom and Shark is the new Atom Payload Builder, a downloadable EXE that allows crooks to compile their customized version of the Atom ransomware.

The main difference between the Atom builder and the old Shark one is that it generates a fully working payload executable, rather just a configuration code that was used as an argument to the Shark exe file. This greatly reduces the complexity of getting a ransomware build up and running for a distributor. 

After users compile their own version of the ransomware, they are free to decide on the distribution method they wish to use. Options include exploit kits, email spam, IM spam, and others. Atom devs don't provide any clues or hints as to how the payload should be distributed, but rather leave it up to their affiliates.

What they provide is a unique ransomware affiliate ID that is hardcoded inside their version of the Atom ransomware. The ID is sent to the Atom RaaS master server with each infection and allows the Atom team to track infections across different users.

Using this tracking code, an affiliate can view data about their installs inside a web panel that they can access from the Atom homepage. This panel shows the number of victims infected by an Atom variant with that particular ID, how many of the victims paid, and what amount of money the crook has earned.

Just like Shark, the Atom team requires a 20 percent cut from the ransom demand each victim pays. There is no guarantee that people entering this informal business agreement with the Atom team would ever receive their money. All Atom ransom payments are actually sent to the Bitcoin wallet controlled by the Atom team, which then "promises" to redirect money to its users.


When an Atom ransomware infection takes hold, the ransomware starts an EXE file which doubles as the ransom note and the ransomware decrypter.

The ransomware locks the user's files via the AES-256 algorithm and uses HTTPS to send the decryption key and a unique victim ID to the RaaS C&C servers.

This initial beacon also includes the settings customized by each RaaS user, such as the ransomware campaign ID, the ransom decryption fee, and the crook's Bitcoin address.

Though the Atom service offers a professional looking web site, its focus seems to be the availability of its service to as many crooks as possible.