Fatboy Ransomware-as-a-Service Emerges on Russian-Language Forum

May 4, 2017 • Diana Granger

On March 24, 2017, a member of a top-tier Russian cyber criminal forum posted an advertisement for “Fatboy,” a new ransomware-as-a-service (RaaS) product.

The advertiser, operating under the username “polnowz,” describes Fatboy as a partnership, offering support and guidance through Jabber. While the RaaS has not yet received any endorsements or feedback from the hacking community, on March 26, “ilcn,” a reputable member of the forum, offered to assist polnowz with translating the product.

Fatboy Ransomware Table Results

Query results for “Fatboy Ransomware” in Recorded Future show posts by polnowz and ilcn about Karmen.

Background

The Fatboy ransomware is dynamic in the way it targets its victims; the amount of ransom demanded is determined by the victim’s location.

According to polnowz, Fatboy uses a payment scheme based on The Economist’s Big Mac Index (cited as the “McDonald’s Index” in the product description), meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted.

Big Mac Index

The Economist invented the Big Mac Index in 1986 as a tool for explaining exchange-rate theory.

Purchasers of the Fatboy RaaS partner directly with the author of the malware and not through a third-party vendor. Potential partners also receive payment instantly when a victim pays their ransom, adding another level of transparency to this partnership.

Fatboy Ransomware Earnings

Since February 7, 2017, the author of the Fatboy RaaS has purportedly earned at least $5,321 USD from their own ransomware campaigns using this product.

Fatboy Ransomware Warning Message

A computer infected with the Fatboy malware will display the above message, explaining that the user’s files have been encrypted, stating the ransom amount, and warning the user against interfering with the ransomware.

The following is the description of Fatboy RaaS by polnowz:

We invite you to take part in a partnership for the monetization of downloads with help of the Fatboy encryption software. Limited partnership.

Product Description

  • Base load 15.6 kB, written in C++
  • Active cryptolocker development and support
  • Works on all Windows OS x86/x64
  • Multi-language user interface (12 languages)
  • Encrypts every file with AES-256 with individual keys, then, all keys are encrypted with RSA-2048
  • Comfortable partner panel with full statistics by country and time
  • Detailed information on each individual client is in the partner panel
  • Scans all disks and network folders
  • New Bitcoin wallet number for each client
  • Software deletes after payment
  • Instant transfer of funds to the partner after the victim pays for decryption
  • Automatic file decryption after payment
  • Support for more than 5000 file extensions
  • Automatic price adjustment depending on the country’s living standards (McDonald’s Index)
  • Extended help with step-by-step instructions for payment

Partner Details

  • Support and guidance for partners through Jabber (OTR)
  • Conversion level of partner traffic makes up 3-15% of overall downloads
  • Partner program requires access to the admin panel

Requirements

  • Reasonable quality installs in reliable volumes
  • Doesn’t work in the Commonwealth of Independent States
  • There are no other bundles or ways to download

Conclusion

The level of transparency in the Fatboy RaaS partnership may be a strategy to quickly gain the trust of potential buyers. Additionally, the automatic price adjustment feature shows an interest in customizing malware based on the targeted victim.

Organizations should be aware of the adaptability of Fatboy, as well as other ransomware products, and continuously update their cyber security strategies as these threats evolve.
