Fantom, a recently released ransomware variant, was discovered by Jakub Kroustek, a malware researcher at security software firm AVG, who spotted the attackers using an elaborate disguise to steal information from Windows PCs.
Windows 10 is notorious for automatically installing updates on users’ PCs. It is a known fact, and a recommendation from security experts, that operating systems and software should be kept up to date in order to stay away from online threats. However, Fantom ransomware exploits this very expectation of updates and can therefore be very difficult to detect.
Ransomware is a type of malware attack through which hackers block users’ PC access, encrypt users’ files so they can’t be used, and prevent certain apps from running. The victim is warned that to retrieve his or her files or PC access, he or she must pay a specified ransom fee — which doesn’t necessarily guarantee the attackers will relinquish the ransomed data.
The design of Fantom ransomware is based on the open-source EDA2 ransomware project, reports BleepingComputer, but unfortunately there is currently no way to decrypt files held by Fantom ransomware, and the usual methods for obtaining the keys of EDA2-based ransomware are not available with this variant.
The bad news is that the Fantom ransomware works perfectly well if given half a chance, scrambling your files just like better-known threats in the ransomware scene such as Zepto.
In an attempt to conceal malicious intention, the authors of this ransomware modified the file properties to show copyright and legal trademarks mimicking a Windows update.
Once this dropper is executed, the payload “WindowsUpdate.exe” is dropped in AppData\Local\Temp, displaying the fake Windows Update screen shown above. This screen locks you out of doing anything else on your computer, in keeping with the scam that Windows 10 is doing its normal update interruption.
The percentage counter does work and goes up at about one percent per minute. However, it is fake and represents nothing other than a message that this “Windows update” will take a while and that you shouldn’t be alarmed by CPU usage and hard drive activity. You can close this fake update overlay by ending the “WindowsUpdate.exe” process using Task Manager, but the encryption of your files is unaffected and continues in the background.
When the ransomware is done encrypting files, Fantom victims will see a ransom note named Decrypt_Your_Files.HTML. On a funny note, this will be more troublesome for you if you are a grammar nazi; just take a good look at the screenshot above. The note includes the user’s ID key and directions for how to email the cybercriminals with payment in order to regain access to their information. This ransomware encrypts files using AES-128 encryption.
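The two on-disk indicators named above (a payload called WindowsUpdate.exe sitting in a user's AppData\Local\Temp folder, and the Decrypt_Your_Files.HTML ransom note) are enough for a simple triage sweep. The script below is an added example written for this article, not code from the researchers or from BleepingComputer; it walks a directory tree, flags both indicators, and treats a same-named executable outside the per-user Temp path as a lower-confidence hit, because the legitimate Windows Update client does not run from a user's Temp folder. The sample tree it builds is constructed for the demonstration and contains placeholder bytes, not malware.

```python
"""
Triage sweep for the Fantom ransomware indicators described in the article:
  - the dropped payload WindowsUpdate.exe under AppData\Local\Temp
  - the ransom note Decrypt_Your_Files.HTML left after encryption
Runs on any OS; the path layout below mirrors a Windows profile.
"""
import os
import tempfile
from pathlib import Path

PAYLOAD_NAME = "windowsupdate.exe"          # name taken from the article
RANSOM_NOTE_NAME = "decrypt_your_files.html"  # name taken from the article
# Three consecutive path components that mark a per-user Temp directory.
USER_TEMP_PARTS = ("appdata", "local", "temp")


def _is_user_temp(directory):
    """True if `directory` lies under an AppData\\Local\\Temp folder."""
    parts = [p.lower() for p in Path(directory).parts]
    return any(
        tuple(parts[i:i + 3]) == USER_TEMP_PARTS
        for i in range(len(parts) - 2)
    )


def scan_for_fantom_indicators(root):
    """Walk `root` and return a sorted list of (indicator, path) tuples.

    Indicator labels:
      payload_in_user_temp  - WindowsUpdate.exe inside AppData\\Local\\Temp
      suspicious_name       - WindowsUpdate.exe anywhere else (lower confidence)
      ransom_note           - Decrypt_Your_Files.HTML anywhere
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        in_temp = _is_user_temp(dirpath)
        for name in filenames:
            lowered = name.lower()
            full = os.path.join(dirpath, name)
            if lowered == PAYLOAD_NAME:
                label = "payload_in_user_temp" if in_temp else "suspicious_name"
                findings.append((label, full))
            elif lowered == RANSOM_NOTE_NAME:
                findings.append(("ransom_note", full))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed profile layout with placeholder files (no malware)."""
    root = tempfile.mkdtemp(prefix="fantom_hunt_")
    temp_dir = Path(root, "Users", "alice", "AppData", "Local", "Temp")
    temp_dir.mkdir(parents=True)
    (temp_dir / "WindowsUpdate.exe").write_bytes(b"placeholder, not a real PE")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    (docs / "Decrypt_Your_Files.HTML").write_text("<html>constructed note</html>")
    (docs / "report.docx").write_bytes(b"ordinary file, must not be flagged")
    # Same name outside Temp: reported, but only as a lower-confidence hit.
    other = Path(root, "Users", "alice", "Downloads")
    other.mkdir(parents=True)
    (other / "WindowsUpdate.exe").write_bytes(b"decoy outside user temp")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for indicator, path in scan_for_fantom_indicators(sample_root):
        print(f"{indicator}: {path}")
```

Point `scan_for_fantom_indicators` at a mounted image or a user profile to run it against real data; the names are matched case-insensitively because NTFS is case-insensitive, and the result is returned rather than printed so it can feed a ticket or a SIEM.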
BleepingComputer reports that this image is downloaded from the following URL, which is used as the Windows wallpaper and may provide a clue as to the developer’s identity:
Below are further details in a screenshot from the BleepingComputer website.