Fantom ransomware pretends to be Windows update

One of the most popular ways that black hats infect computers is by making malware look legitimate. To the untrained eye, this could mean a professional-looking bank email, a free software download, or even an operating system update. The latter strategy is what is being employed to convince users to download Fantom, a new strain of ransomware. Uncovered by AVG security researcher Jakub Kroustek, Fantom disguises itself as a “critical update” file that shows a fake Microsoft copyright.

According to the AVG report, the ransomware targets “Intel 386 or later processors and compatible processors,” and functions under the file names:

“af4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.binFantom.exe”

“f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe”

“f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.bin”

“7d80230df68ccba871815d68f016c282.viruscriticalupdate01.exe”

[Image: Fantom ransomware disguised as Windows Update]

The ransomware itself, once downloaded, activates WindowsUpdate.exe, which is a program that shows an update is occurring. Meanwhile, the files on your computer are encrypted with AES-128 encryption. WindowsUpdate.exe does not allow you to switch to any other programs, effectively locking your screen the second you execute the ransomware. Once finished, according to InformationWeek’s Kelly Sheridan, “Fantom victims will see a ransom note… Decrypt_Your_Files.HTML. The note will include the user’s ID key and directions for how to email the cybercriminals with payment.”
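The artefacts the article names (the ransom note file, the sample file names, and the fake updater name) are enough for a simple filename sweep that a defender can run over a file listing or a mounted backup. The following is an added example, not code from the article, AVG or InformationWeek; the only indicators it uses are the names quoted above, the `SAMPLE_LISTING` is constructed for the demonstration, and the category labels are my own.

```python
"""Filename-based indicator sweep for the Fantom artefacts named in the article.

Added example, not the article's own code. Matching is case-insensitive on the
file name only, so Windows and POSIX path layouts are both accepted.
"""
import os
import re

# Indicators exactly as given in the article (lower-cased for comparison).
RANSOM_NOTE = "decrypt_your_files.html"
FAKE_UPDATER = "windowsupdate.exe"
SAMPLE_NAMES = {
    "af4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.binfantom.exe",
    "f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe",
    "f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.bin",
    "7d80230df68ccba871815d68f016c282.viruscriticalupdate01.exe",
}

_SEP = re.compile(r"[\\/]")


def basename(path):
    """Last path component, splitting on both '\\' and '/'."""
    return _SEP.split(path)[-1]


def classify_name(name):
    """Return an indicator category for a bare file name, or None if it is clean."""
    n = name.lower()
    if n == RANSOM_NOTE:
        return "ransom-note"          # strongest signal: encryption already happened
    if n in SAMPLE_NAMES:
        return "known-sample-name"    # dropper file names reported by AVG
    if n == FAKE_UPDATER:
        return "fake-updater-name"    # name of the screen-locking fake updater
    return None


def scan_paths(paths):
    """Return [(path, category)] for every path whose file name matches an indicator."""
    hits = []
    for p in paths:
        kind = classify_name(basename(p))
        if kind is not None:
            hits.append((p, kind))
    return hits


def scan_tree(root):
    """Walk a real directory (e.g. a mounted backup) and sweep every file in it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            paths.append(os.path.join(dirpath, f))
    return scan_paths(paths)


def summarize(hits):
    """Count hits per category, so a report can lead with ransom-note sightings."""
    counts = {}
    for _path, kind in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed file listing for an offline run (not real data from any incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\Decrypt_Your_Files.HTML",
    r"C:\Users\alice\Pictures\Decrypt_Your_Files.html",
    r"C:\Users\alice\Downloads\7d80230df68ccba871815d68f016c282.viruscriticalupdate01.exe",
    r"C:\Users\alice\Downloads\WindowsUpdate.exe",
    r"C:\Windows\System32\wuauclt.exe",
]

if __name__ == "__main__":
    found = scan_paths(SAMPLE_LISTING)
    for path, kind in found:
        print(f"{kind:18s} {path}")
    print(summarize(found))
```

A ransom-note hit in user directories means the encryption stage has already run on that host; the other two categories are worth checking before execution, for example on a download directory or a backup set before it is restored.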

As of now there is no way to decrypt the files on your machine once Fantom’s payload has been activated. The only way to prevent damage from Fantom is to engage in smart decision making when on your computer. Microsoft itself echoed this sentiment in a statement released about the Fantom ransomware. In the statement, a Microsoft spokesperson encourages “customers to practice good computing habits online, including exercising caution when clicking on links to Web pages, opening unknown files, or accepting file transfers.”

In many ways, ransomware, especially of this kind, is a form of a social-engineering attack. To better protect yourself against being tricked into downloading malware like Fantom, I encourage you to read more about how social engineers operate. The best way to prevent a catastrophic cyber attack is to better understand the tactics used by cyber criminals.

Photo credit: Sophos, Shutterstock

2 thoughts on “Fantom ransomware pretends to be Windows update”

  1. Thanks for the information about these new malware strains. Please make a habit of putting the file extensions that are used by these variants in your articles, if you know them, so admins can use that info for blacklisting in backup software and Windows Server’s file screening feature.
