Fatboy: Ransomware-as-a-Service becoming weapon of choice

A new variant of ransomware was discovered last week with an interesting new innovation.


Labelled “Fatboy”, the ransomware was posted on a Russian cyber-criminal forum and is capable of changing the amount of money it charges, so that victims in areas with a higher cost of living will be charged more to have their data decrypted. Fatboy is also being sold as Ransomware-as-a-Service, offering customer support over the instant messaging service Jabber.

Based on the trends documented in the latest Verizon DBIR 2017 report, ransomware is expected to continue to grow in prevalence and is currently the fifth most common malware threat. In MWR’s caseload, we saw a 250% increase in ransomware cases last year and are on track for a further 300% increase across 2017. Based on this data, it is reasonable to predict that Ransomware-as-a-Service threats like Fatboy will proliferate accordingly, meeting further demands from less sophisticated criminals to acquire customised and effective ransomware that targets larger organizations for larger profits.

Criminals with access to Ransomware-as-a-Service are able to acquire a level of sophistication that could not previously be achieved. Additionally, criminals have begun to replicate the techniques used in espionage-type attacks by causing widespread domain compromise, online backup destruction and enterprise wide infection, with ransoms in the million dollar ranges now becoming more common place. This leads to much more complex and lengthy recovery, with criminals maintaining access on a network and actively working against security teams involved in the restoration of services.

The two most common methods of infection that MWR is currently seeing are related to network perimeter weaknesses - such as publicly exposed RDP ports and unpatched systems - and phishing emails targeting employees.

The following are some of the most effective measures in preventing these types of attacks:

  • Secure remote access with two factor authentication.
  • Regularly scan the perimeter for vulnerabilities and manage these.
  • Limitation of administrative privileges on user systems and permissions on file-shares.
  • User behaviour programs to improve email phishing awareness.
  • Having good backups to limit the impact of a potential infection.

However, due to the increase in the sophistication of these attacks, a pure preventive approach will not be sufficient. Organisations need to improve their overall detection capabilities to be able to identify threats that use advanced techniques to infiltrate their networks and propagate to their key assets. Particularly for ransomware, in MWR’s experience, a combination of machine learning and behavioural analysis has proven very successful at identifying new strains of ransomware as soon as they run on an infected host. This early detection allows to deploy rapid remote incident response and leads to an effective containment.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.