Fantom ransomware poses as Windows Update

We frequently advise you to update your operating system and software on a regular basis: Vulnerabilities, unless patched in time, can be exploited by malware. Well, a curious piece of ransomware called Fantom exploits the very idea of updates.

From a technical point of view, Fantom is almost identical to many of its ransomware lookalikes. It is based on the EDA2 open-source ransomware code, which was developed by Utku Sen as part of a failed experiment. It is, in fact, one of many EDA2-based cryptoblockers, but in its attempts to disguise its activity, Fantom goes a bit too far.

We don’t know Fantom’s methods of distribution yet. But after it infiltrates a computer, it starts the usual ransomware routine: creates an encryption key, encrypts it, and stores it on a command-and-control server to be used later.

Then the Trojan scans the computer, searching for files of the types it encrypts (more than 350, including popular office document formats, audio, and images). It uses the aforementioned key to encrypt them and adds the extension .fantom to their file names. However, with all of those processes running in the background, the most interesting part is happening right before the victim’s eyes.

Before we jump to that part, it’s worth mentioning that this ransomware executable masquerades as a critical Windows update. And when the malware starts working, it executes not one, but two programs: the cryptor itself and a little program with the innocent-looking name WindowsUpdate.exe.

The latter is used to simulate a genuine-looking Windows Update screen (a blue screen that informs you Windows is being updated). While Fantom is encrypting the user’s files in the background, the message on the screen displays the “update” (in reality, the encryption) progress.

This trick is designed to distract victims from the suspicious activity on their computers. The fake Windows Update runs in full-screen mode, visually blocking access to other programs.

If users become suspicious, they can minimize the fake screen by pressing Ctrl+F4, but that won’t stop Fantom from encrypting files.

When it’s done encrypting, Fantom wipes out its traces (deletes the executables), creates a .html ransom note, copies it into each folder, and replaces the desktop wallpaper with a notification. The attacker provides an e-mail address so the victim can get in touch, discuss the terms of payment, and get further instructions.
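The two on-disk traces the post describes, files renamed with a .fantom extension and an identical .html ransom note copied into every folder, are exactly what a defender can look for after the fact. The following script is an added example written for this article, not code from Kaspersky or from the Fantom sample itself: it walks a directory tree, collects those indicators, and produces a coarse triage verdict. The ransom-note file name, the threshold of three replicated copies, and the sample directory layout are constructed assumptions for the demo; the page names neither the note's file name nor its content.

```python
"""Post-infection indicator scan for Fantom-style ransomware traces (added example)."""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

RANSOM_EXT = ".fantom"   # extension Fantom appends to each encrypted file (from the write-up)
NOTE_EXT = ".html"       # format of the ransom note Fantom copies into every folder
MIN_NOTE_COPIES = 3      # assumption: an identical .html in this many folders is note-like


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_tree(root):
    """Walk `root` and return the indicators found.

    encrypted:   paths whose name ends in .fantom
    by_original: how many encrypted files had each original extension
                 (Fantom appends .fantom, so "report.docx.fantom" keeps ".docx")
    notes:       .html files with identical name and content replicated across folders
    """
    encrypted = []
    by_original = defaultdict(int)
    html_copies = defaultdict(set)  # (file name, sha256) -> folders containing it
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(RANSOM_EXT):
                encrypted.append(path)
                original = Path(name[:-len(RANSOM_EXT)]).suffix.lower() or "(none)"
                by_original[original] += 1
            elif name.lower().endswith(NOTE_EXT):
                html_copies[(name, _sha256(path))].add(dirpath)
    notes = {key: sorted(dirs) for key, dirs in html_copies.items()
             if len(dirs) >= MIN_NOTE_COPIES}
    return {"encrypted": encrypted, "by_original": dict(by_original), "notes": notes}


def verdict(report):
    """Combine the indicators into a coarse triage verdict."""
    if report["encrypted"] and report["notes"]:
        return "fantom-like: encrypted files plus replicated ransom note"
    if report["encrypted"]:
        return "suspicious: .fantom files present"
    if report["notes"]:
        return "suspicious: identical html replicated across folders"
    return "clean"


def build_sample_tree(base):
    """Create a constructed post-infection layout under `base` (sample data, not a real host)."""
    base = Path(base)
    # Constructed note name and body; the article does not give the real ones.
    note = b"<html><body>Your files are encrypted. Contact: placeholder@example.invalid</body></html>"
    for folder in ("Documents", "Pictures", "Music"):
        d = base / folder
        d.mkdir(parents=True)
        (d / "DECRYPT_YOUR_FILES.html").write_bytes(note)
    for rel in ("Documents/report.docx.fantom", "Documents/budget.xlsx.fantom",
                "Pictures/holiday.jpg.fantom", "Music/track.mp3.fantom"):
        (base / rel).write_bytes(b"\x00" * 16)
    (base / "Music" / "readme.txt").write_bytes(b"untouched")  # a file the scan must ignore
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_tree(build_sample_tree(tmp))
        return (verdict(report), len(report["encrypted"]),
                report["by_original"], len(report["notes"]))


if __name__ == "__main__":
    print(demo())
```

Requiring the note to be byte-identical across several folders is what separates a dropped ransom note from an ordinary .html file a user happens to keep in one place; the extension counts double as a quick inventory of what was hit, which is useful when deciding what to restore from the offline backup the tips below recommend.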

Providing contact information is typical for Russian-speaking hackers, by the way, and other signs indicate the culprit’s likely Russian origins as well: the Yandex.ru e-mail address and very bad English. As Bleeping Computer puts it, “the grammar and wording could be one of the worst I have seen in a ransom note to date.”

The bad news is that at this point there is no way to decrypt affected files without paying the ransom — and we do not recommend paying. So, the best approach is to avoid becoming a victim in the first place. Here are some tips:

  • Back up your data regularly and keep backup copies of your files on a disconnected external drive. Having a backup means you will be able to restore your system and files even if your PC gets infected. Kaspersky Total Security’s backup feature automates this process, by the way.
  • Be cautious: Don’t open suspicious e-mail attachments, stay away from murky websites, and don’t click on dubious online ads. Fantom, like any malware, may use any of these attack vectors to infiltrate your system.
  • Use a robust security solution: For example, Kaspersky Internet Security already detects Fantom as Trojan-Ransom.MSIL.Tear.wbf or PDM:Trojan.Win32.Generic. And even if a yet-unknown sample of ransomware bypassed the antivirus engine, the System Watcher feature, which monitors suspicious behavior, would block it.