Fatboy Ransomware as a Service sets the ransom based on the victims’ location

Pierluigi Paganini May 08, 2017

The recently discovered Fatboy ransomware implements a dynamic method of setting the ransom amount based on the geographic location of the victims.

Ransomware continues to monopolize the threat landscape, and security experts have recently observed numerous evolutions of this specific family of malware.

A newly discovered ransomware-as-a-service (RaaS), dubbed Fatboy, implements a dynamic method of setting the ransom amount based on the geographic location of the victims.


According to threat intelligence firm Recorded Future, the Fatboy ransomware was first discovered on March 24 on a top-tier Russian cyber-criminal forum.

The alleged malware author, who goes online by the moniker “polnowz”, was advertising the threat on the forum as a partnership, offering support and guidance through Jabber. A few days later, a reputable member of the forum offered to assist the author with translation of the product.

The most interesting feature of this ransomware is its payment scheme, which is based on The Economist’s Big Mac Index: victims pay a different ransom depending on the cost of living in their region.

“The Fatboy ransomware is dynamic in the way it targets its victims; the amount of ransom demanded is determined by the victim’s location,” reads the analysis published by Recorded Future.

“According to polnowz, Fatboy uses a payment scheme based on The Economist’s Big Mac Index (cited as the “McDonald’s Index” in the product description), meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted.”


Crooks that intend to be partners of the author can benefit from instant payments when the victim pays the ransom.

Since February 7, 2017, the author of the Fatboy ransomware has supposedly earned at least $5,321 USD from his ransomware campaigns.

On infected computers, the ransomware displays a ransom note that warns victims that their files will be completely lost if the ransom isn’t paid within a specific period.

Fatboy ransomware is written in C++ and works on all Windows OS versions for both x86 and x64 architectures.

The malware targets more than 5000 file extensions; it uses AES-256 encryption with a key for each victim that is encrypted with RSA-2048.

Below is the product description shared by Recorded Future:

  • Base load 15.6 kB, written in C++
  • Active cryptolocker development and support
  • Works on all Windows OS x86/x64
  • Multi-language user interface (12 languages)
  • Encrypts every file with AES-256 with individual keys, then, all keys are encrypted with RSA-2048
  • Comfortable partner panel with full statistics by country and time
  • Detailed information on each individual client is in the partner panel
  • Scans all disks and network folders
  • New Bitcoin wallet number for each client
  • Software deletes after payment
  • Instant transfer of funds to the partner after the victim pays for decryption
  • Automatic file decryption after payment
  • Support for more than 5000 file extensions
  • Automatic price adjustment depending on the country’s living standards (McDonald’s Index)
  • Extended help with step-by-step instructions for payment

The Fatboy RaaS implements a user-friendly partner panel that includes statistics by country and time, as well as detailed information about each infected machine.

“The level of transparency in the Fatboy RaaS partnership may be a strategy to quickly gain the trust of potential buyers. Additionally, the automatic price adjustment feature shows an interest in customizing malware based on the targeted victim,” concludes Recorded Future.

“Organizations should be aware of the adaptability of Fatboy, as well as other ransomware products, and continuously update their cyber security strategies as these threats evolve.”


(Security Affairs –  Fatboy ransomware, malware)
