Rich? This ransomware will charge you more to unlock your encrypted files

The 'Fatboy' ransomware automatically alters its demand depending on the prosperity of the country of the victim.
Written by Danny Palmer, Senior Writer

Fatboy ransomware note demanding payment.

Image: Recorded Future

A new form of ransomware is automatically adjusting its ransom demand for unlocking decrypted files depending on where in the world the victim is, with targets in richer parts of the globe forced to pay higher rates.

Discovered by cybersecurity researchers at Recorded Future, the charmingly-named Fatboy ransomware first emerged on a Russian cybercriminal forum in March, offered as a ransomware-as-a-service product complete with support and guidance and a dashboard allowing users to track infection statistics.

It's likely the author of this new strain of ransomware has opted to provide service directly to users in this way in an effort to build up trust with potential clients.

"It's meant to add a level of transparency to gain the trust of partners or customers looking to buy this product. Ransomware is very much like any business; you have to gain the trust of the clients, so a lot of the time cybercriminals will get other members of forums to vouch for their products," Recorded Future's Diana Granger told ZDNet.

What differentiates Fatboy from other forms of ransomware is its payment scheme, which is designed to ensure targets are encouraged to pay up by adjusting the ransom depending on which county they're in - a tactic designed to ensure the maximum amount of payments possible are extorted.

The payment scheme itself seems to have taken its idea from The Economist's Big Mac Index, a currency valuation and comparison and global exchange rates tool which compares prices of items across the globe. For example, the average cost of a Big Mac in the US as of January 2017 was as $5.06, while the exact same item cost $2.83 in China when exchange rates are taken into account.

Incorrectly cited as 'The McDonald's Index' by Fatboy's author, it ultimately means that victims in certain countries like regions like the US or Sweden will be forced to pay more than victims in Egypt or India in order to retrieve their files.

Essentially it all forms part of a balancing act; if the ransom is too low, the criminal won't make money - too high and they won't receive anything so, they may as well not have bothered.

"It's important for malware to be effective; it's helpful for threat actors to know more about their victim and this is a quick way to tailor the malware to the victim," said Granger.

Those who fall victim to Fatboy find themselves faced with a ransom note demanding a payment of Bitcoin and the threat of their files being permanently deleted if payment isn't received within four days of the infection - a common technique designed to scare the victim into paying up.

While Fatboy has only made its author just over $5,000 since they started leasing it out around a month ago the automatic price adjustment marks another stage of evolution in the form of ransomware and something designed to squeeze the highest possible realistic payment out of victims.

Ransomware has become one of the biggest menaces on the web. A ZDNet guide contains everything you need to know about it: how it started, why it's booming, how to protect against it, and what to do if your PC suffers an attack.


Editorial standards