Fatboy Ransomware as a Service (RaaS) Sets The Ransom Amount Based on the Victims’ Geographic Location

Two months back, a member of a Russian cyber criminal forum posted an advertisement for a Ransomware-as-a-Service (RaaS) product named Fatboy. Fatboy sets the ransom amount based on the victim’s geographic location.

According to Recorded Future, a leading threat intelligence company, the advertisement for Fatboy was posted by a member called polnowz.

The advertiser describes Fatboy as a partnership, offering guidance as well as support through Jabber. Although there was no feedback from the hacking community, a reputable member of the forum had offered to help polnowz with translation of the product.

As mentioned earlier, the most interesting feature of the Fatboy RaaS is the way it sets the ransom amount.

“The Fatboy ransomware is dynamic in the way it targets its victims; the amount of ransom demanded is determined by the victim’s location,” says Recorded Future’s Diana Granger.

“According to polnowz, Fatboy uses a payment scheme based on The Economist’s Big Mac Index (cited as the “McDonald’s Index” in the product description), meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted.”

People who want to be partners of the author, polnowz, could get their cut immediately after the victim pays the ransom. It is estimated that since 7th February, 2017, the author of Fatboy has managed to earn at least $5,321 USD from his ransomware campaigns.

Once on a targeted computer, the Fatboy RaaS encrypts the victim’s important files and then displays a ransom note warning that the files will be completely lost if the user does not pay the ransom amount by the deadline.

This ransomware is written in C++ and works on all Windows OS versions for both x64 and x86 architectures. It encrypts files with AES-256, using a key for each victim that is encrypted with RSA-2048, and it targets over 5000 file extensions. This RaaS also features a partner panel that shows statistics by country and time as well as full information about each infected machine.

“The level of transparency in the Fatboy RaaS partnership may be a strategy to quickly gain the trust of potential buyers. Additionally, the automatic price adjustment feature shows an interest in customizing malware based on the targeted victim.” – concludes Recorded Future – “Organizations should be aware of the adaptability of Fatboy, as well as other ransomware products, and continuously update their cyber security strategies as these threats evolve.”