Local cost of a Big Mac decides ransom amount for Fatboy ransomware

Fatboy is believed to be the first ransomware-as-a-service that charges victims based on their location and the cost of a Big Mac in their country.

McDonald's Big Mac
Credit: McDonald's

Location, location, location … you’ve heard it many times before but not when it comes to a ransomware deciding a ransom amount. Fatboy, a ransomware-as-a-service, is believed to be the first ransomware that automatically adjusts the ransom amount based on a victim’s location.

Just when you think you’ve heard every conceivable ransomware demand – not just ransoms paid in bitcoins or other cryptocurrencies like Monero, or paid in iTunes or Amazon gift cards, ransomware which costs nothing for decryption as long as you infect two other people, or even ransomware that demands a high score on a shooter game before decrypting drives – now there’s a ransomware that charges victims based on the Big Mac Index.

“Fatboy” is a new ransomware-as-a-service (RaaS) product discovered on Exploit, a Russian-language forum frequented by cybercriminals. Analysts at the threat intelligence firm Recorded Future said the ransom demand is not one set amount for all, but charges based on international exchange rates as it automatically adjusts the ransom demand based on where the victim lives.

“The Fatboy ransomware is dynamic in the way it targets its victims; the amount of ransom demanded is determined by the victim’s location,” Recorded Future explained. “Fatboy uses a payment scheme based on The Economist’s Big Mac Index (cited as the ‘McDonald’s Index’ in the product description), meaning that victims in areas with a higher cost of living will be charged more to have their data decrypted.”

The Big Mac Index was created 31 years ago to show how wealthy a nation is, if its currency is overvalued or undervalued, based on the prices of a Big Mac in that country. The Economist gives this example: “The average price of a Big Mac in America in January 2017 was $5.06; in China it was only $2.83 at market exchange rates. So the ‘raw’ Big Mac index says that the yuan was undervalued by 44% at that time.”

So, in the case of Fatboy, the victim’s IP address is used to determine their country and then the ransom demand is automatically adjusted based on the cost of a Big Mac in that country. But the author of Fatboy is not exactly getting rich with this malware scheme; it first appeared in the forum on March 24 and analysts believed the author has earned roughly $5,321 since February.

Wannabe cyber crooks who buy the Fatboy RaaS platform deal directly with the malware author via Jabber for “extended help” instead of a third-party vendor. The author urged people to take part in a “limited partnership.” Those who do get paid “instantly” when a victim coughs up the ransom, which Recorded Future says “adds another level of transparency to this partnership.”

Other than customizing the malware with a sliding scale ransom demand, there is nothing particularly new about Fatboy. The ransomware is similar to others; it targets Windows machines, scans all disks and network folders, supports over 5,000 file extensions, inserts a ransom note after files have been encrypted, automatically decrypts after a person bows to extortion and pays, and then deletes from the system.

Despite warnings by the malware author about using third-party tools to restore files encrypted by Fatboy, security researcher Michael Gillespie suggested he “might be able to help” if victims contacted him. That was back in March when the ransomware first started being detected; at this time, Fatboy can be detected by a decent amount of various antivirus solutions.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon