'Fatboy' ransomware uses a location-based charging model
A new ransomware-as-a-service product named 'Fatboy' has been advertised on Russian-language forums. What makes it different is the way it uses a sliding scale to charge its victims.
Threat intelligence company Recorded Future has revealed that Fatboy uses the Economist's Big Mac Index -- designed to explain exchange rates -- to ensure victims in areas with a higher cost of living will be charged more to decrypt their data.
The business model is also interesting in that purchasers deal directly with the author of the malware and not through a third party as many other cyber criminals prefer. These partners also receive payment instantly when a victim pays their ransom, adding another level of transparency to the partnership.
Diana Granger, of Recorded Future's threat intelligence team, says, "Purchasers of Fatboy RaaS partner directly with the author of the product, whereas a lot of cyber criminals like to use a third party for security. This most likely means there's a restriction on the number of licenses so that the author can meet demand. The model used is much like any other business."
Since February 7, 2017, the author of the Fatboy RaaS has purportedly earned at least $5,321 from running their own ransomware campaigns using the product. The malware encrypts every file with AES-256 using an individual key per file, then encrypts all of those keys with RSA-2048. The program supports over 5,000 file extensions.
"A few years ago there wasn't much of a guarantee you would get your files back if you paid the ransom. Criminals are now proving the decryption aspect of their products in order to get people to pay up," adds Granger.
Although instances so far have mainly targeted North America, Fatboy's interface is translated into 12 languages so it has the potential to work worldwide.
More details are available on the Recorded Future blog.