Fatboy targets the Windows OS and is distributed via a Ransomware-as-a-Service (RaaS) portal currently advertised on an underground Russian-language hacking forum. Fatboy displays a ransom note that is similar in appearance to those used by Critroni/CTB-Locker. Fatboy calculates the ransom demand based on the standard of living in the victim's country. It determines the victim's location from his or her IP address and then uses the Big Mac Index, also known as the McDonald's Index, to display the final ransom amount. According to the English-language product description obtained by threat intelligence firm Recorded Future, the ransomware developer claims that Fatboy is written in C++, encrypts files using AES-256, and encrypts keys with RSA-2048. The developer also claims that it scans all disks and network folders, works on all Windows operating systems, and targets over 5,000 file extensions. Fatboy also deletes itself and automatically decrypts files after the ransom payment is received.

  • The NJCCIC is not currently aware of any free decryption tool available for Fatboy; however, security researcher Michael Gillespie may be able to help victims. He can be contacted through his Twitter account.