CrAKeN Posted May 5, 2017

A new Ransomware-as-a-Service (RaaS) portal is being advertised on an underground hacking forum, primarily used by Russian-speaking criminals.

Named Fatboy, the service is being promoted by a Russian-speaking criminal named polnowz, who started offering access to the service on March 24.

As the initial RaaS ad attracted its first inquisitive customers, a day later, the first Fatboy sample hit VirusTotal and was picked up by researchers.

While not featuring any new groundbreaking exploits or tactics, the Fatboy ransomware stood out mainly by the ransom note wallpaper, very similar to the one used by Critroni and CTB-Locker, and by its verbose and lengthy HTML ransom notes, which doubled as instructions and guides for infected victims.

But probably the feature that stood out the most was how Fatboy calculates the ransom demand for infected victims. This is done by determining the victim's IP, detecting the country to which that IP is assigned, and then using the Big Mac Index to show the final ransom sum.

The Big Mac Index, also known as the McDonald's Index, is a financial index created by The Economist, a financial newspaper, that orders countries based on their purchasing power, by analyzing the prices of a Big Mac in each state.

Two days after the initial Fatboy RaaS ad, a second forum user, named ilcn, offered to help the crook spread the RaaS service to more people, by translating the original ad into English. Below is a copy obtained by threat intelligence firm Recorded Future.

We invite you to take part in a partnership for the monetization of downloads with help of the Fatboy encryption software. Limited partnership.
Product Description

- Base load 15.6 kB, written in C++
- Active cryptolocker development and support
- Works on all Windows OS x86/x64
- Multi-language user interface (12 languages)
- Encrypts every file with AES-256 with individual keys, then, all keys are encrypted with RSA-2048
- Comfortable partner panel with full statistics by country and time
- Detailed information on each individual client is in the partner panel
- Scans all disks and network folders
- New Bitcoin wallet number for each client
- Software deletes after payment
- Instant transfer of funds to the partner after the victim pays for decryption
- Automatic file decryption after payment
- Support for more than 5000 file extensions
- Automatic price adjustment depending on the country’s living standards (McDonald’s Index)
- Extended help with step-by-step instructions for payment

Partner Details

- Support and guidance for partners through Jabber (OTR)
- Conversion level of partner traffic makes up 3-15% of overall downloads
- Partner program requires access to the admin panel

Requirements

- Reasonable quality installs in reliable volumes
- Doesn’t work in the Commonwealth of Independent States
- There are no other bundles or ways to download

The ad doesn't list the percentage cut the Fatboy owner is taking from each victim, but unlike other RaaS portals that pay this cut at a later time, the Fatboy owner brags about delivering payments on the same day, an appealing detail for most potential clients.

But we have some good news as well. On Twitter, security researcher Michael Gillespie said there could be a way to unlock files encrypted by this new ransomware.

"Victims may contact me," said Gillespie, "I might be able to help with certain files if the need arises."