Crafty Fantom Ransomware Poses as Windows Update

Fantom ransomware has ghosted onto the scene. It strikes disguised as a legitimate Microsoft Windows update, tricking users into downloading it and paving the way for data heartburn.

First discovered by malware researcher Jakub Kroustek of security firm AVG, Fantom is based on the open-source EDA2 ransomware project. It appears displaying a fake update screen with a download file entitled simply, ‘Critical Update’.

“Though hackers use different tactics to strike with ransomware, the strategy used in the case of Fantom is a clever one,” explained researchers from Comodo, in a blog post. “The attackers mimic a screen that most users, including business users, recognize and even trust; it’s comparatively easy to lead people into believing that they are getting a legitimate Windows update and thus lead them to download Fantom. This could be a pointer to a rather dangerous trend as regards malware in general and ransomware in particular.”

Once downloaded, the ransomware extracts and executes another embedded program called WindowsUpdate.exe. Keeping with the theme, a fake Windows Update screen will be displayed, overlaying all active Windows, and preventing users from switching to any other open application. The update screen shows a percentage that leads victims into believing that the Windows update is taking place, while in reality their files are being encrypted.

Comodo explained that Fantom, like other EDA2-based ransomware, will generate a random AES-128 key and encrypt it using RSA. Then it will be uploaded into the Command & Control server of the malware developers. It then scans local drives for files that contain targeted file extensions. These files are encrypted using AES-128 encryption; to each encrypted file will be added the extension .fantom. In folders wherein Fantom encrypts files, a ransom note DECRYPT_YOUR_FILES.HTML will also be created.

“[The ransom note] will have the mention that restoring your data would be possible only by buying passwords from them,” the researchers explained. “There will be the instructions to email or so that you could receive payment instructions. You’re also warned not to try to restore files saying that it could destroy your data completely.”

Unfortunately, paying the ransom is no guarantee of a happy ending. One in five UK organizations that paid-up during a ransomware attack over the past two years didn’t get their data back, according to the latest research from Trend Micro. Its findings add further weight to the argument that organizations shouldn’t pay the ransom, although two thirds (65%) of respondents said they did.

Ransomware instances are increasing, too: Nearly half (44%) of those surveyed said they’d been infected at least once over the past 24 months, with 27% having been hit more than once.

What’s Hot on Infosecurity Magazine?