NOVEMBER 02, 2016
After Samba ransomware that encrypts victims’ hard drives and CryPy ransomware known for encrypting each file individually here comes Fantom, a ransomware that uses full-screen Windows updates progress UI to get users to wait while it encrypts their files.
It is important to always keep your system and all software updated with the latest patches to prevent exploitation of the newly discovered vulnerabilities at all times. If the vulnerabilities aren’t dealt with timely, seriously dangerous malware and ransomware would make life hell for you.
But, what can we do if malicious software is disguised as an update that too, a Windows Update? Obviously, unsuspecting users would get easily deceived and this would mark the beginning of a nightmare for them.
One such ransomware that is currently creating havoc among Windows users is the Fantom ransomware, which is being distributed in the form of a Windows OS update. Currently, we cannot surely state the way this ransomware is distributed but we can certainly inform you about how it operates.
Once it has penetrated itself into a computer system, it embarks on the usual ransomware routine, which is as follows:
* Generation of encryption key
* Data encryption
* Transferring the data to a command and control server
* Asking for ransom money in exchange for the encryption key
Firstly, the malware searches for the file types that it could encrypt by scanning the machine and then uses the encryption key to encrypt these files. It must be noted that the Trojan can encrypt over 350 different types of file extensions including a variety of audio files, images, and document formats. While encrypting the files, the malware changes the extension of the files to .fantom.
These processes occur in the background at the time when the user believes that a critical Windows update is being installed on the computer. Once the malware becomes fully functional then it executes two programs, one, the cryptor and another one with the name WindowsUpdate.exe.
The program containing the name WindowsUpdate is only there to create an authentic appearance of the malware and to deceive the victim. This program presents the trademark blue screen that is usually displayed when Windows is being updated, which keeps the user engaged. In the background, the malware encrypts the required files. The update in progress message is actually showing the progress of the encryption underway simultaneously.
The fake update of Windows OS runs in full-screen mode and blocks all access to other applications and programs. Even then if the user suspects something fishy going on, nothing can be done because the malware won’t stop encrypting files.
After data encryption is complete, the malware deletes the executable files and instead generates a ransom note in a file titled a.html. This note is copied into every folder and the wallpaper on the computer’s desktop is also replaced with this message. The note contains an email address so that the victim could get in touch with the attacker to get information about the terms and conditions of the ransom and payment process.
Experts believe that only Russian-speaking hackers display this type of ransom note that contains contact information. There are other clues as well, which hint at the involvement of Russian hackers such as they usually use Yandex.ru e-mail address and their English is always bad.
Unfortunately, it isn’t possible to decrypt the data without paying the ransom.
You can avoid becoming a victim of Fantom or other malware and ransomware by following these tips:
> Always create a data backup and store the backup folders on an external drive
> Never click open e-mail attachments, suspicious or very attractive looking websites and never get deceived by dubious ads online
> Always protect your computer with the latest version of an antivirus such as Kaspersky Internet Security. This software can detect Fantom too.