Ransomware Appears as Fake Windows Update

Unlike those who attend Hogwarts, magicians rely mainly on subtle sleight of hand to convince others that they managed to make coins disappear into thin air. The same concept applies to ransomware. How can it complete its mission in a suit labeled with the word “Villain”? Nowadays, ransomware fashions various disguises that render it undetectable. A case in point is Fantom — here are some of the reasons why you should steer clear of this technological spook.

AVG security researcher Jakub Kroustek recently spotted Fantom coded atop an EDA2, a ransomware-building kit that was open-sourced but eventually taken down. EDA2 contained certain flaws that allowed researchers to obtain decryption keys from its C&C server, yet these flaws have since disappeared, indicating that Fantom coders might have found and fixed them before anyone else had a chance to.

Very little is known as to how Fantom is distributed. As for the method of deployment, cybercriminals plant the file onto the target’s computer via spam email or exploit kits. Fantom-infected files are namedcriticalupdate01.exe; they utilize a “Windows Security Update” to prompt targets into running the file.

After activation, the ransomware starts by locking the user’s screen while displaying fake Windows Update graphics, complete with a fully-functioning percentage-based loading timer that mirrors the original Windows Update screen. However, beneath this pleasant facade, Fantom is encrypting your files right before your eyes. Luckily, the temporary lock screen is removable before it reaches 100% — simply press CTRL+F4. Unfortunately, the encryption process remains intact.

The MalwareHunterTeam states, “The ransomware uses classic ransomware encryption by locking files using an AES-128 key and then encrypting this key with a dual RSA key, with the private key stored on the crook’s server, and a public key left on the user’s PC.”

In order to retrieve the private key to unlock your files, you must contact the perpetrators by email. The email address is listed in the ransom note that appears after the process of encryption is complete. Fantom displays ransom notes in the form of HTML and TXT files, while changing the user’s desktop with a custom screenshot that lists the contact details. Lastly, after completing all its operations, Fantom cleans after itself by running two batch scripts wiping all the installation files clean.

Ransomware isn’t new, but the ways that cybercriminals utilize them are. Who would’ve thought that the ever so familiar Windows Update window has fallen prey to malicious intent? Pretend that you’re the Little Red Riding Hood and that the wolf is the ransomware that cybercriminals have disguised as your grandmother. They no longer wait to trap you, instead, they wait for you to walk straight into one instead.

The issue of ransomware is as extensive as it is meticulous. If you have any questions about Fantom or would like to request more information, feel free to get in touch with us! Give us a call at 800-421-7151 or send us an email at alopp@wamsinc.com. Our dedicated staff are more than happy to help.