Fatboy ransom prices use BigMac index

The malware, discovered by Recorded Future and dubbed “Fatboy”, uses The Economist's Big Mac Index as a reference. The ransomware changes the amount of money it charges, so that victims in areas with a higher cost of living will be charged more to have their data decrypted.

The ransomware was posted on a Russian cyber-criminal forum by someone operating under the username “polnowz”, offering customer support and guidance.

In a blog post, Diana Granger, the researcher who discovered Fatboy, said purchasers of the Fatboy RaaS partner directly with the author of the malware and not through a third-party vendor.

“Potential partners also receive payment instantly when a victim pays their ransom, adding another level of transparency to this partnership,” she said.

She added that since February, the malware author has claimed to have earned at least US$5,000 (£3,866) from running the campaign themselves.

A computer infected with the Fatboy malware will display a message explaining that the user's files have been encrypted, stating the ransom amount, and warning the user against interfering with the ransomware.

“The level of transparency in the Fatboy RaaS partnership may be a strategy to quickly gain the trust of potential buyers. Additionally, the automatic price adjustment feature shows an interest in customising malware based on the targeted victim,” she said.

“Organisations should be aware of the adaptability of Fatboy, as well as other ransomware products, and continuously update their cyber-security strategies as these threats evolve.”

Andy Norton, risk officer – EMEA at SentinelOne, told SC Media UK that crimeware as a service, in general, is not going away.

“The underworld groups have always provided niche services to each other; providing a ransomware payload and backend payment systems to spammer groups looks to be the intention here.”

“It means criminals are simply being topical and following tactics that are successful in producing cash. The owner of this service ‘polnowz’ has been previously associated with botnets and banking Trojans,” he added.

Liviu Arsene, senior E-Threat analyst at Bitdefender, told SC that it is not the first time ransomware has customised its ransom notes based on the victim's geolocation.

“The one purchasing the RaaS can even customise the language in which the ransom note is written, the amount it demands based on the victim's geolocation, the encryption used to communicate with the C&C server, and even set up bitcoin wallets. Customising all that and more is as easy as visiting a webpage and simply modifying fields in a webpage, with no technical expertise required,” he said.

Aatish Pattni, head of Threat Prevention for Northern Europe at Check Point, said it was likely that we would see more ransomware-as-a-service in the future.

“In summer 2016, Cerber, the world's biggest ransomware-as-a-service scheme at the time, had over 160 active campaigns running, targeting 150,000 users in 201 countries and generating profits of US$195,000 (£150,800) during the month. It's a big and growing franchise operation, with the ransomware developer recruiting affiliates who spread the malware further for a cut of the profits,” he said.