{"id":7559,"date":"2017-05-08T10:31:02","date_gmt":"2017-05-08T18:31:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/08\/news-1344\/"},"modified":"2017-05-08T10:31:02","modified_gmt":"2017-05-08T18:31:02","slug":"news-1344","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/08\/news-1344\/","title":{"rendered":"Local cost of a Big Mac decides ransom amount for Fatboy ransomware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2017\/03\/mcdonaldsbig-mac-100714075-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Darlene Storm| Date: Mon, 08 May 2017 09:33:00 -0700<\/strong><\/p>\n<p>Location, location, location \u2026 you\u2019ve heard it many times before but not when it comes to a ransomware deciding a ransom amount. Fatboy, a ransomware-as-a-service, is believed to be the first ransomware that automatically adjusts the ransom amount based on a victim\u2019s location.<\/p>\n<p>Just when you think you\u2019ve heard every conceivable ransomware demand \u2013 not just ransoms paid in bitcoins or other cryptocurrencies like <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor\/\" target=\"_blank\">Monero<\/a>, or <a href=\"http:\/\/www.computerworld.com\/article\/3060807\/security\/dogspectus-android-ransomware-silently-installs-demands-200-itunes-gift-card-ransom.html\" target=\"_blank\">paid in iTunes<\/a> or <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card\/\" target=\"_blank\">Amazon<\/a> gift cards, ransomware which costs nothing for decryption as long as you <a href=\"http:\/\/www.computerworld.com\/article\/3149489\/security\/ransomware-may-turn-victims-into-attackers-infect-2-others-and-decryption-is-free.html\" target=\"_blank\">infect two other people<\/a>, or even ransomware 
that <a href=\"http:\/\/www.computerworld.com\/article\/3187520\/security\/new-ransomware-demanded-high-score-on-anime-style-shooter-game-not-bitcoins.html\" target=\"_blank\">demands a high score on a shooter game<\/a> before decrypting drives \u2013 now there\u2019s a ransomware that charges victims based on the <a href=\"http:\/\/www.economist.com\/content\/big-mac-index\/\" target=\"_blank\">Big Mac Index<\/a>.<\/p>\n<p>\u201cFatboy\u201d is a new ransomware-as-a-service (RaaS) product discovered on Exploit, a Russian-language forum frequented by cybercriminals. Analysts at the threat intelligence firm Recorded Future said the ransom demand is not one set amount for all; instead, the ransomware charges based on international exchange rates, automatically adjusting the ransom demand based on where the victim lives.<\/p>\n<p>\u201cThe Fatboy ransomware is dynamic in the way it targets its victims; the amount of ransom demanded is determined by the victim\u2019s location,\u201d Recorded Future <a href=\"https:\/\/www.recordedfuture.com\/fatboy-ransomware-analysis\/\" target=\"_blank\">explained<\/a>. \u201cFatboy uses a payment scheme based on The Economist\u2019s Big Mac Index (cited as the \u2018McDonald\u2019s Index\u2019 in the product description), meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted.\u201d<\/p>\n<p>The Big Mac Index was created 31 years ago to show how wealthy a nation is, and whether its currency is overvalued or undervalued, based on the price of a Big Mac in that country. The Economist gives this example: \u201cThe average price of a Big Mac in America in January 2017 was $5.06; in China it was only $2.83 at market exchange rates. 
So the \u2018raw\u2019 Big Mac index says that the yuan was undervalued by 44% at that time.\u201d<\/p>\n<p>So, in the case of Fatboy, the victim\u2019s IP address is used to determine their country and then the ransom demand is automatically adjusted based on the cost of a Big Mac in that country. But the author of Fatboy is not exactly getting rich with this malware scheme; it first appeared in the forum on March 24 and analysts believe the author has earned roughly $5,321 since February.<\/p>\n<p>Wannabe cyber crooks who buy the Fatboy RaaS platform deal directly with the malware author via Jabber for \u201cextended help\u201d instead of going through a third-party vendor. The author urged people to take part in a \u201climited partnership.\u201d Those who do get paid \u201cinstantly\u201d when a victim coughs up the ransom, which Recorded Future says \u201cadds another level of transparency to this partnership.\u201d<\/p>\n<p>Other than customizing the malware with a sliding-scale ransom demand, there is nothing particularly new about Fatboy. The ransomware is similar to others; it targets Windows machines, scans all disks and network folders, supports over 5,000 file extensions, inserts a ransom note after files have been encrypted, automatically decrypts after a person bows to extortion and pays, and then deletes itself from the system.<\/p>\n<p>Despite <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/845664118807969794\" target=\"_blank\">warnings<\/a> by the malware author about using third-party tools to restore files encrypted by Fatboy, security researcher Michael Gillespie <a href=\"https:\/\/twitter.com\/demonslay335\/status\/845664698678886401\" target=\"_blank\">suggested<\/a> he \u201cmight be able to help\u201d if victims contacted him. 
That was back in March when the ransomware first started being detected; at this time, Fatboy can be <a href=\"https:\/\/www.virustotal.com\/en\/file\/80d402f38ff9849ea5e9f8a126e00f423ca1b4f1121c8059aebed8336bfc6f30\/analysis\/\" target=\"_blank\">detected<\/a> by a fair number of antivirus solutions.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3195118\/security\/local-cost-of-a-big-mac-decides-ransom-amount-for-fatboy-ransomware.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2017\/03\/mcdonaldsbig-mac-100714075-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Darlene Storm| Date: Mon, 08 May 2017 09:33:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Location, location, location \u2026 you\u2019ve heard it many times before but not when it comes to a ransomware deciding a ransom amount. 
Fatboy, a ransomware-as-a-service, is believed to be the first ransomware that automatically adjusts the ransom amount based on a victim\u2019s location.<\/p>\n<p>Just when you think you\u2019ve heard every conceivable ransomware demand \u2013 not just ransoms paid in bitcoins or other cryptocurrencies like <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor\/\" target=\"_blank\">Monero<\/a>, or <a href=\"http:\/\/www.computerworld.com\/article\/3060807\/security\/dogspectus-android-ransomware-silently-installs-demands-200-itunes-gift-card-ransom.html\" target=\"_blank\">paid in iTunes<\/a> or <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card\/\" target=\"_blank\">Amazon<\/a> gift cards, ransomware which costs nothing for decryption as long as you <a href=\"http:\/\/www.computerworld.com\/article\/3149489\/security\/ransomware-may-turn-victims-into-attackers-infect-2-others-and-decryption-is-free.html\" target=\"_blank\">infect two other people<\/a>, or even ransomware that <a href=\"http:\/\/www.computerworld.com\/article\/3187520\/security\/new-ransomware-demanded-high-score-on-anime-style-shooter-game-not-bitcoins.html\" target=\"_blank\">demands a high score on a shooter game<\/a> before decrypting drives \u2013 now there\u2019s a ransomware that charges victims based on the <a href=\"http:\/\/www.economist.com\/content\/big-mac-index\/\" target=\"_blank\">Big Mac Index<\/a>.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3195118\/security\/local-cost-of-a-big-mac-decides-ransom-amount-for-fatboy-ransomware.html#jump\">To read this article in full or to leave a comment, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11072,11073,714],"class_list":["post-7559","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cybercrime-hacking","tag-malware-vulnerabilities","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7559","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7559"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7559\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7559"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}