A newly discovered Ransomware-as-a-Service (RaaS), named Fatboy, relies on a very interesting method to determine the ransom amount victims should pay. The sum is set based on the geographical locations of the targeted users, meaning that victims who live in areas with higher cost of living will pay heftier sums to recover their files that others.
According to the threat intelligence company Recorded Future, Fatboy RaaS was first noticed on 24th May of a top-tier Russian cyber-criminal forum. The person who is supposed to be behind this new RaaS goes by the nickname of “polnowz” and was advertising their product on the forum. The author was also offering guidance and offline support for their partners through Jabber. A couple of days later, a member of the forum offered polnowz their help with the translation of the threat.
As we already mentioned, the most eye-catching feature of the Fatboy RaaS is the method it uses to set the ransom amount. It is based on The Economist`s Big Mac Index where the ransom sum is set according to the victims` locations. Victims from regions with a higher cost of living will be charged more for their locked data.
“The Fatboy ransomware is dynamic in the way it targets its victims; the amount of ransom demanded is determined by the victim’s location.” – reads the analysis published by Recorded Future. – “According to polnowz, Fatboy uses a payment scheme based on The Economist’s Big Mac Index (cited as the “McDonald’s Index” in the product description), meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted.”
People who want to join the RaaS with polnowz could receive their cut immediately after the victim makes the payment. It is supposed that the author of Fatboy has managed to earn at least $5,321 USD since February 7th this year.
Once on the targeted machine, Fatboy encrypts victims` files and then displays a ransom note, stating that said file would be deleted if the user doesn’t meet the deadline to pay the ransom.
This ransomware is written in C++ and it works on all Windows OS versions for both x64 and x84 architectures. Fatboy uses an AES-256 encryption algorithm, it targets more than 5000 file extensions, and a key for each victim, encrypted with RSA-2048. The RaaS also features a helpful partner panel that shows statistics by time and country as well as detailed information about each infected computer.
“The level of transparency in the Fatboy RaaS partnership may be a strategy to quickly gain the trust of potential buyers. Additionally, the automatic price adjustment feature shows an interest in customizing malware based on the targeted victim.” – concludes Recorded Future – “Organizations should be aware of the adaptability of Fatboy, as well as other ransomware products, and continuously update their cyber security strategies as these threats evolve.”