{"id":7622,"date":"2016-09-02T10:46:03","date_gmt":"2016-09-02T14:46:03","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=7622"},"modified":"2019-11-22T10:09:32","modified_gmt":"2019-11-22T10:09:32","slug":"fantom-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/fantom-ransomware\/7622\/","title":{"rendered":"Fantom ransomware poses as Windows Update"},"content":{"rendered":"<p>We frequently advise you to update your operating system and software on a regular basis: Vulnerabilities, unless patched in time, can be exploited by malware. Well, a curious piece of ransomware called <a href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Fantom<\/a> exploits the very idea of updates.<\/p>\n<p>From a technical point of view, Fantom is almost identical to many of its ransomware lookalikes. It is based on the EDA2 open-source ransomware code, which was developed by Utku Sen as part of a <a href=\"https:\/\/www.kaspersky.com\/blog\/ded-cryptor-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">failed experiment<\/a>. 
It is, in fact, one of many EDA2-based cryptoblockers, but in its attempts to disguise its activity, Fantom goes a bit too far.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How an open-source educational project on <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> turned into <a href=\"https:\/\/twitter.com\/hashtag\/DedCryptor?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#DedCryptor<\/a> <a href=\"https:\/\/t.co\/O2aW1Xnuzg\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/O2aW1Xnuzg<\/a> <a href=\"https:\/\/t.co\/WkwJvOtTXZ\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/WkwJvOtTXZ<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/751424392266129408?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 8, 2016<\/a><\/p><\/blockquote>\n<p>We don\u2019t know Fantom\u2019s methods of distribution yet. But once it is on a computer, it starts the usual ransomware routine: it generates an encryption key for the victim\u2019s files, encrypts that key with the attacker\u2019s public key (so that only the attacker can recover it), and sends it to a command-and-control server for later use.<\/p>\n<p>Then the Trojan scans the computer, searching for files of the types it encrypts (more than 350, including popular office document formats, audio, and images). It uses that key to encrypt them and appends the extension .fantom to their file names. However, with all of those processes running in the background, the most interesting part is happening right before the victim\u2019s eyes.<\/p>\n<p>Before we jump to that part, it\u2019s worth mentioning that this ransomware executable masquerades as a critical Windows update. 
And when the malware starts working, it executes not one, but two programs: the cryptor itself and a little program with the innocent-looking name WindowsUpdate.exe.<\/p>\n<p>The latter is used to simulate a genuine-looking Windows Update screen (a blue screen that informs you Windows is being updated). While Fantom is encrypting the user\u2019s files in the background, the message on the screen displays the \u201cupdate\u201d (in reality, the encryption) progress.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/09\/05192551\/windows-update-screen-1024x579.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12894\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/09\/05192551\/windows-update-screen-1024x579.png\" alt=\"Fantom ransomware poses as Windows Update\" width=\"1191\" height=\"674\"><\/a><\/p>\n<p>This trick is designed to distract victims from the suspicious activity on their computers. The fake Windows Update runs in full-screen mode, visually blocking access to other programs.<\/p>\n<p>If users become suspicious, they can minimize the fake screen by pressing Ctrl+F4, but that won\u2019t stop Fantom from encrypting files.<\/p>\n<p>When it\u2019s done encrypting, Fantom wipes out its traces (deletes the executables), creates a .html ransom note, copies it into each folder, and replaces the desktop wallpaper with a notification. The attacker provides an e-mail address so the victim can get in touch, discuss the terms of payment, and get further instructions.<\/p>\n<p>Providing contact information is typical for Russian-speaking hackers, by the way, and other signs indicate the culprit\u2019s likely Russian origins as well: the Yandex.ru e-mail address and very bad English. 
As Bleeping Computer puts it, \u201cthe grammar and wording could be one of the worst I have seen in a ransom note to date.\u201d<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/09\/05192550\/ransom-note-screen.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12893\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/09\/05192550\/ransom-note-screen.png\" alt=\"Fantom ransomware poses as Windows Update\" width=\"1015\" height=\"495\"><\/a><\/p>\n<p>The bad news is that at this point there is no way to decrypt affected files without paying ransom \u2014 and we <a href=\"https:\/\/www.kaspersky.com\/blog\/why-you-dont-pay-ransomware\/12214\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">do not recommend paying ransom<\/a>. So, the best approach is to avoid becoming a victim in the first place. Here are some tips:<\/p>\n<ul>\n<li>Back up your data regularly and keep backup copies of your files on a disconnected external drive. Having a backup means you will be able to restore your system and files even if your PC gets infected. <a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_IE\/buy\/productID.320809200\/quantity.1\/Currency.USD?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____ktsmd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____ktsmd___\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Total Security<\/a>\u2018s backup feature automates this process, by the way.<\/li>\n<li>Be cautious: Don\u2019t open suspicious e-mail attachments, stay away from murky websites, and don\u2019t click on dubious online ads. 
Fantom, like any malware, may use any of these attack vectors to infiltrate your system.<\/li>\n<li>Use a robust security solution: For example, <a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_IE\/buy\/productID.320853100\/quantity.1\/Currency.USD?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Internet Security<\/a> already detects Fantom as Trojan-Ransom.MSIL.Tear.wbf or PDM:Trojan.Win32.Generic. And even if a yet-unknown sample of ransomware bypassed the antivirus engine, the System Watcher feature, which monitors suspicious behavior, would block it.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Fantom ransomware displays a fake Windows Update screen while encrypting your files.<\/p>\n","protected":false},"author":2194,"featured_media":7623,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026],"tags":[1522,1540,1605,441,529,698,113],"class_list":{"0":"post-7622","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-cryptors","10":"tag-eda2","11":"tag-fantom","12":"tag-ransomware","13":"tag-threats","14":"tag-trojans","15":"tag-windows"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fantom-ransomware\/7622\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/fantom-ransomware\/7599\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/fantom-ransomware\/7615\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/fantom-ransomware\/9024\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/fantom-ransomware\/8886\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fantom-ransomware\/12939\/"},{"hre
flang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/fantom-ransomware\/2400\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fantom-ransomware\/12891\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/fantom-ransomware\/6045\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/fantom-ransomware\/6524\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/fantom-ransomware\/5335\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/fantom-ransomware\/8578\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/fantom-ransomware\/12483\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/fantom-ransomware\/12939\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fantom-ransomware\/12891\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fantom-ransomware\/12891\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/cryptors\/","name":"cryptors"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2194"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=7622"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7622\/revisions"}],"predecessor-version":[{"id":17652,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7622\/revisions\/17652"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/7623"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=7622"}],"wp:term":[{"t
axonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=7622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=7622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
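The sequence the article describes (a burst of files gaining the .fantom extension across many folders, the same .html ransom note copied into each folder, a decoy process named WindowsUpdate.exe, and the executables deleting themselves afterwards) is exactly what a detection engineer would correlate on an endpoint. The following is an added example, not code from the original post or from Kaspersky: a small Python heuristic that slides a time window over a stream of file-system and process events and scores those four behaviours. The event schema, the thresholds, the check that a genuine Windows Update component lives under C:\Windows, and the file names used in the samples (update.exe, READ_ME.html) are assumptions, and both event streams are constructed rather than captured.

```python
"""Heuristic detection of Fantom-style ransomware behaviour over endpoint events.

Added example, not from the original article. Event schema, thresholds and the
Windows-directory check are assumptions; the sample event streams are constructed.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

RANSOM_EXT = ".fantom"             # extension Fantom appends to encrypted files
DECOY_IMAGE = "windowsupdate.exe"  # name of the fake update-screen program
WINDOW_SECONDS = 60.0              # assumption: correlation window
MIN_ENCRYPTED_FILES = 20           # assumption: tunable thresholds
MIN_DIRS = 3


@dataclass(frozen=True)
class Event:
    """One endpoint event (assumed schema, roughly Sysmon-like)."""
    ts: float            # seconds since start of capture
    kind: str            # "process", "create", "rename" or "delete"
    path: str            # file path, or image path for "process"/"delete"
    new_path: str = ""   # destination path for "rename"


@dataclass
class Findings:
    encrypted_files: int = 0
    encrypted_dirs: int = 0
    note_name: str = ""
    note_dirs: int = 0
    decoy_image: str = ""
    self_deleted: List[str] = field(default_factory=list)
    score: int = 0

    @property
    def is_ransomware(self) -> bool:
        # Assumption: three of the four independent signals is a confident verdict.
        return self.score >= 3


def _score_window(win: List[Event]) -> Findings:
    """Score one time window of events against the four Fantom behaviours."""
    f = Findings()
    enc_dirs: Set[str] = set()
    notes: Dict[str, Set[str]] = defaultdict(set)  # html basename -> directories
    started: Set[str] = set()                      # images launched in this window
    for e in win:
        target = e.new_path if e.kind == "rename" else e.path
        if e.kind in ("rename", "create"):
            if ntpath.splitext(target)[1].lower() == RANSOM_EXT:
                f.encrypted_files += 1
                enc_dirs.add(ntpath.dirname(target).lower())
            elif e.kind == "create" and target.lower().endswith(".html"):
                notes[ntpath.basename(target).lower()].add(ntpath.dirname(target).lower())
        elif e.kind == "process":
            started.add(e.path.lower())
            # Assumption: genuine Windows Update components live under C:\Windows.
            if (ntpath.basename(e.path).lower() == DECOY_IMAGE
                    and not e.path.lower().startswith("c:\\windows\\")):
                f.decoy_image = e.path
        elif e.kind == "delete" and e.path.lower() in started:
            f.self_deleted.append(e.path)  # executable wiping its own traces
    f.encrypted_dirs = len(enc_dirs)
    if notes:
        name, dirs = max(notes.items(), key=lambda kv: len(kv[1]))
        f.note_name, f.note_dirs = name, len(dirs)
    f.score = (
        int(f.encrypted_files >= MIN_ENCRYPTED_FILES and f.encrypted_dirs >= MIN_DIRS)
        + int(f.note_dirs >= MIN_DIRS)
        + int(bool(f.decoy_image))
        + int(bool(f.self_deleted))
    )
    return f


def analyze(events: Iterable[Event], window: float = WINDOW_SECONDS) -> Findings:
    """Slide a window over time-ordered events and return the worst-scoring one."""
    evs = sorted(events, key=lambda e: e.ts)
    best = Findings()
    j = 0
    for i, start in enumerate(evs):
        while j < len(evs) and evs[j].ts - start.ts <= window:
            j += 1
        f = _score_window(evs[i:j])
        if (f.score, f.encrypted_files) > (best.score, best.encrypted_files):
            best = f
    return best


def constructed_fantom_events() -> List[Event]:
    """Constructed (not captured) stream modelled on the behaviour the article describes."""
    base = "C:\\Users\\alice"
    dirs = ["Documents", "Pictures", "Music", "Desktop"]
    cryptor = base + "\\AppData\\Local\\Temp\\update.exe"  # hypothetical cryptor name
    decoy = base + "\\AppData\\Local\\Temp\\WindowsUpdate.exe"
    evs = [Event(0.0, "process", cryptor), Event(0.5, "process", decoy)]
    t = 1.0
    for n in range(32):                      # files encrypted across four folders
        src = f"{base}\\{dirs[n % 4]}\\file{n}.docx"
        evs.append(Event(t, "rename", src, src + RANSOM_EXT))
        t += 0.5
    for d in dirs:                           # same note dropped into every folder
        evs.append(Event(t, "create", f"{base}\\{d}\\READ_ME.html"))
        t += 0.1
    evs.append(Event(t, "delete", cryptor))  # executables delete themselves
    evs.append(Event(t + 0.1, "delete", decoy))
    return evs


def constructed_benign_events() -> List[Event]:
    """Constructed ordinary user activity that must not trigger the verdict."""
    base = "C:\\Users\\alice\\Documents"
    return [
        Event(0.0, "process", "C:\\Windows\\System32\\notepad.exe"),
        Event(1.0, "create", base + "\\notes.txt"),
        Event(2.0, "rename", base + "\\draft.docx", base + "\\final.docx"),
        Event(3.0, "create", base + "\\report.html"),
    ]


if __name__ == "__main__":
    for label, stream in (("fantom", constructed_fantom_events()),
                          ("benign", constructed_benign_events())):
        print(label, analyze(stream))
```

The four signals are scored independently on purpose: the .fantom extension and the WindowsUpdate.exe name are trivially changed by the next EDA2 derivative, while mass extension changes across many directories, one identical note written into each of them, and a binary deleting itself are properties of the ransomware routine rather than of this sample. Tune the thresholds and the window to the endpoint's normal rate of file churn before relying on the verdict.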