Fatboy Ransomware-as-a-Service Emerges on Russian-Language Forum

Posted: 4th May 2017
By: DIANA GRANGER

On March 24, 2017, a member of a top-tier Russian cyber criminal forum posted an advertisement for “Fatboy,” a new ransomware-as-a-service (RaaS) product.

The advertiser, operating under the username “polnowz,” describes Fatboy as a partnership, offering support and guidance through Jabber. While the RaaS has not yet received any endorsements or feedback from the hacking community, on March 26, “ilcn,” a reputable member of the forum, offered to assist polnowz with translating the product.

fatboy-ransomware-analysis-1.png

Query results for “Fatboy Ransomware” in Recorded Future show posts by polnowz and ilcn about Karmen.

Background

The Fatboy ransomware is dynamic in the way it targets its victims; the amount of ransom demanded is determined by the victim’s location.

According to polnowz, Fatboy uses a payment scheme based on The Economist’s Big Mac Index (cited as the “McDonald’s Index” in the product description), meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted.

fatboy-ransomware-analysis-2.png

_The Economist_ invented the Big Mac Index in 1986 as a tool for explaining exchange-rate theory.

Purchasers of the Fatboy RaaS partner directly with the author of the malware and not through a third-party vendor. Potential partners also receive payment instantly when a victim pays their ransom, adding another level of transparency to this partnership.

fatboy-ransomware-analysis-3.png

Since February 7, 2017, the author of the Fatboy RaaS has purportedly earned at least $5,321 USD from their own ransomware campaigns using this product.

fatboy-ransomware-analysis-4.png

A computer infected with the Fatboy malware will display the above message, explaining that the user’s files have been encrypted, stating the ransom amount, and warning the user against interfering with the ransomware.

The following is the description of Fatboy RaaS by polnowz:

We invite you to take part in a partnership for the monetization of downloads with the help of the Fatboy encryption software. Limited partnership.

Product Description

  • Base load 15.6 kB, written in C++
  • Active cryptolocker development and support
  • Works on all Windows OS x86/x64
  • Multi-language user interface (12 languages)
  • Encrypts every file with AES-256 with individual keys, then, all keys are encrypted with RSA-2048
  • Comfortable partner panel with full statistics by country and time
  • Detailed information on each individual client is in the partner panel
  • Scans all disks and network folders
  • New Bitcoin wallet number for each client
  • Software deletes after payment
  • Instant transfer of funds to the partner after the victim pays for decryption
  • Automatic file decryption after payment
  • Support for more than 5000 file extensions
  • Automatic price adjustment depending on the country’s living standards (McDonald’s Index)
  • Extended help with step-by-step instructions for payment

Partner Details

  • Support and guidance for partners through Jabber (OTR)
  • Conversion level of partner traffic makes up 3-15% of overall downloads
  • Partner program requires access to the admin panel

Requirements

  • Reasonable quality installs in reliable volumes
  • Doesn’t work in the Commonwealth of Independent States
  • There are no other bundles or ways to download

Conclusion

The level of transparency in the Fatboy RaaS partnership may be a strategy to quickly gain the trust of potential buyers. Additionally, the automatic price adjustment feature shows an interest in customizing malware based on the targeted victim.

Organizations should be aware of the adaptability of Fatboy, as well as other ransomware products, and continuously update their cyber security strategies as these threats evolve.
