A new kind of RaaS (ransomware-as-a-service) portal named Fatboy Ransomware has been discovered on Exploit, a Russian hacking forum. The service, which is currently available for cybercriminals on the forum to leverage for their own benefit, is unique because it is programmed to change its ransom amount based on the victim’s location, raising the amount in countries with a higher cost of living, based on the Big Mac Index.
The Big Mac Index, first introduced by The Economist in the 1980s, was meant to innocently gauge currency misalignment, but has grown to become a global standard for measuring international purchasing power parity. Now it is being used by a threat actor using the handle “polnowz,” who has apparently already made $5,321 in ransomware payments off the tool. The cybercriminal also seems to be all about transparency, as anyone that signs up for Fatboy will work directly via Jabber with the author of the product instead of a third-party distributor.
And though it is the first known online extortion product that is designed to automatically change ransom amounts based on the victim’s location, this threat comes as no surprise. Cybercriminals are mostly financially motivated, so it is expected that we see business models that facilitate increased profit. This specific financially-motivated model, ransomware-as-a-service, has been around since at least mid-2015, and was popularized by Tox, a short-lived ransomware service.
So, how does this particular case of RaaS work? The encryption algorithms used are standard, leveraging AES-256 and RSA-2048, with the private key stored offsite until the ransom is paid. And when it comes to RaaS, the buyer is generally responsible for delivering the payload while the developer hosts the other services. As such, the methods of delivery can be many. If the buyer of the portal wants to check in on the results of that delivery, they can log into an online panel for infection statistics. Other malware services have seen success by adding user-friendly features such as these panels.
Fatboy is not particularly sophisticated as a malware sample, but it is a good indicator that the ransomware business model for cybercriminals is still working. As long as there are sufficient profits, we will see more offerings, tools, and support for cybercriminals without the skills or time to develop their own ransomware.
Now, the next step is to think about protection. Users should keep their security products up-to-date and engage in good security behaviors. As for IT professionals, they should be watching for artifacts of this ransomware. While the infection is generally an executable, Python is used during encryption, so be on the lookout for suspicious activity with .pyc and .pyd files.
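One way to operationalize that last point is to watch file-creation telemetry for compiled Python artifacts landing where they do not belong. The script below is an added example for this post, not code from the original article or from any vendor product; the key=value log layout, the sample events, the interpreter allowlist and the staging-directory watchlist are all constructed assumptions. It flags `.pyc`/`.pyd` writes that come from a process other than a Python interpreter, land in a user-writable staging directory, or fall outside a normal Python install layout, and it counts hits per writing process so that one binary dropping several compiled modules in a burst stands out.

```python
"""Flag suspicious .pyc/.pyd file-creation events (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

COMPILED_PY_EXT = (".pyc", ".pyd")
# Legitimate interpreter image names (assumption for this example).
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Path fragments typical of a normal Python install layout (assumed allowlist).
EXPECTED_FRAGMENTS = ("\\python", "\\__pycache__\\", "\\site-packages\\", "\\lib\\")
# User-writable locations where a dropped payload would unpack (assumed watchlist).
STAGING_FRAGMENTS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\programdata\\", "\\downloads\\",
)

# Constructed sample events in a Sysmon-like key=value layout (not real logs).
SAMPLE_EVENTS = [
    r"ts=2017-05-09T10:15:02Z host=WS01 image=C:\Python36\python.exe "
    r"event=FileCreate path=C:\Python36\Lib\__pycache__\json.cpython-36.pyc",
    r"ts=2017-05-09T10:15:30Z host=WS01 image=C:\Users\alice\AppData\Local\Programs\Python\Python36\python.exe "
    r"event=FileCreate path=C:\Users\alice\AppData\Local\Programs\Python\Python36\Lib\site-packages\requests\__pycache__\api.cpython-36.pyc",
    r"ts=2017-05-09T10:16:39Z host=WS01 image=C:\Users\alice\Downloads\invoice_scan.exe "
    r"event=ProcessCreate path=C:\Users\alice\Downloads\invoice_scan.exe",
    r"ts=2017-05-09T10:16:40Z host=WS01 image=C:\Users\alice\Downloads\invoice_scan.exe "
    r"event=FileCreate path=C:\Users\alice\AppData\Local\Temp\tmp8f3\_ctypes.pyd",
    r"ts=2017-05-09T10:16:41Z host=WS01 image=C:\Users\alice\Downloads\invoice_scan.exe "
    r"event=FileCreate path=C:\Users\alice\AppData\Local\Temp\tmp8f3\main.pyc",
    r"ts=2017-05-09T10:20:00Z host=WS01 image=C:\Windows\explorer.exe "
    r"event=FileCreate path=C:\Users\alice\Documents\report.docx",
]


@dataclass
class FileEvent:
    ts: str
    image: str  # full path of the process that wrote the file
    path: str   # full path of the file that was created


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one key=value log line; return None for anything but FileCreate events."""
    fields = dict(_KV.findall(line))
    if fields.get("event") != "FileCreate":
        return None
    return FileEvent(fields["ts"], fields["image"], fields["path"])


def assess(ev: FileEvent) -> Optional[str]:
    """Return a reason string if a compiled-Python write looks suspicious, else None."""
    path = ev.path.lower()
    if not path.endswith(COMPILED_PY_EXT):
        return None
    image = ev.image.lower().rsplit("\\", 1)[-1]
    reasons = []
    if image not in PYTHON_IMAGES:
        reasons.append(f"written by non-interpreter process {image}")
    if any(frag in path for frag in STAGING_FRAGMENTS):
        reasons.append("written into user-writable staging directory")
    if not any(frag in path for frag in EXPECTED_FRAGMENTS):
        reasons.append("outside a normal Python install layout")
    return "; ".join(reasons) if reasons else None


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through the parser and the assessment; keep only the hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = assess(ev)
        if reason:
            hits.append({"ts": ev.ts, "image": ev.image, "path": ev.path, "reason": reason})
    return hits


def writers_by_image(lines: List[str]) -> Dict[str, int]:
    """Count suspicious compiled-Python writes per process image; a burst from one binary stands out."""
    return dict(Counter(h["image"] for h in find_suspicious(lines)))


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['image']} -> {h['path']}: {h['reason']}")
    print(writers_by_image(SAMPLE_EVENTS))
```

Against the constructed sample, the two system- and user-scope interpreter writes pass cleanly, while the two compiled modules dropped into a Temp subfolder by `invoice_scan.exe` are each flagged on all three criteria. The allowlist and watchlist are deliberately coarse; tune them to your own estate's Python deployments before relying on the rule, since developer workstations with virtual environments in unusual places will otherwise generate noise.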
And if you do become infected by Fatboy ransomware, No More Ransom has pulled together a plethora of decryption tools victims can leverage, which you can find here. Also, learn more about preventing ransomware here.