Shark Ransomware Project is a ransomware that is part of RaaS(Ransomware as a Service). The Shark Ransomware Project offers would-be criminals the ability to create their own customized ransomware without needing any technical experience and by simply filling out a form and clicking a button. For this service, the Shark RaaS developers keep 20% of the ransom payments and give the rest of the payment to the distributor/affiliate.

The Shark Ransomware Project went live sometime in July 2016 and is hosted on a publicly accessible WordPress site rather than being hosted on TOR. This is very unusual, as RaaS and ransomware developers typically host their sites on the TOR anonymizing network so it is harder for the authorities to identify them.


Any wannabe ransomware distributors can simply visit the site and click on the download button in order to download a zip file called The downloaded ZIP file will contain the ransomware configuration builder, called Payload Builder.exe, a warning note called Readme.txt, and the ransomware executable Shark.exe. Downloaders can now run the Payload Builder.exe to start generating a custom configuration that will be used by the included ransomware as described in the next section.  

Most Ransomware as a Service offerings use the developer's web site to configure the executable and then download the customized ransomware. Shark does it differently by providing a base ransomware executable and then allowing would-be criminals to create their own configs that change the functionality of the ransomware.

The Shark Ransomware Project offers numerous examples showing how to configure the ransomware. These configuration options include the folders to encrypt, the file types to target, the countries to target, how much to charge each country, and an email adress that will be used to send notifications when the ransomware is installed.

When the configuration is entered, a base64 version of the configuration will be generated. This code is then used as an argument to the Shark.exe to specify that the custom configuration that should be used.

When finished, it will execute the decryptor program program, which states "Data on this device were locked" and through a three step process, explains how to pay the ransom. Victim's can also select 30 different languages for the decryptor screen display instructions.