
"Fatboy" Ransomware-as-a-Service Sets Ransom Based on Victim Location

A newly discovered ransomware-as-a-service (RaaS) has a dynamic method of setting the ransom amount based on the victim’s location, Recorded Future reports.

Dubbed Fatboy, the malware was first spotted on March 24 on a top-tier Russian cyber-criminal forum, where a member started advertising it as a partnership, while also promising support and guidance through Jabber. Two days later, a reputable member of the forum offered to assist the malware author with translation of the product.

The ransomware’s author claims that a payment scheme based on The Economist’s Big Mac Index is used, “meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted,” Recorded Future’s Diana Granger explains.

Wannabe criminals interested in the Fatboy RaaS would partner directly with the author, without going through a third-party vendor. They are also promised instant payments when the victim pays the ransom, which would supposedly add an extra level of transparency to the partnership.

The Fatboy author has supposedly earned more than $5,000 using this malware since February 7, 2017, which is not a large sum.

On infected computers, the ransomware displays a message explaining to the user that their files have been encrypted. The message also informs the victim what ransom amount has been set and warns them not to interfere with the malware’s activities. It further claims that the user’s files would be completely lost if the ransom isn’t paid within a specific period of time.

In their description of the Fatboy RaaS, the author claims the malware was written in C++ and works on all Windows versions (x86/x64). Additionally, cryptolocker development and support are included in the partnership, and a multi-language user interface with support for 12 languages is available. The author also says that the threat can scan all disks and network folders, that it encrypts every file with AES-256 using an individual key, and that all keys are encrypted with RSA-2048.

The author claims they use a new Bitcoin wallet number for each client, that the malware automatically decrypts files and deletes itself after payment, and that it can target more than 5000 file extensions. The partner panel, they say, offers full statistics by country and time, along with detailed information on each individual client.

“The level of transparency in the Fatboy RaaS partnership may be a strategy to quickly gain the trust of potential buyers. Additionally, the automatic price adjustment feature shows an interest in customizing malware based on the targeted victim. Organizations should be aware of the adaptability of Fatboy, as well as other ransomware products, and continuously update their cyber security strategies as these threats evolve,” Granger notes.
