New 'Fantom' Ransomware Poses As Windows Update

Fantom malware comes disguised as a legitimate Microsoft Windows update to trick consumers and business users into downloading it.

Kelly Sheridan, Former Senior Editor, Dark Reading

August 30, 2016

4 Min Read
Dark Reading logo in a gray background | Dark Reading

IT managers have a new ransomware threat on their radar that comes camouflaged as a Critical Windows Update to trick enterprise users and consumers into clicking malicious links.

Fantom, a recently released ransomware variant, was discovered by malware researcher at security software firm AVG, Jakub Kroustek, who spotted the attackers using the detailed disguise to steal information from Windows PCs.

Ransomware is a type of malware attack through which hackers block users' PC access, encrypt users' files so they can't be used, and prevent certain apps from running. The victim is warned that to retrieve his or her files or PC acces, he or she must pay a specified ransom fee -- which doesn't necessarily guarantee the attackers will relinquish the ransomed data.

The design of Fantom ransomware is based on the open-source EDA2 ransomware project, reported BleepingComputer. Victims will first see a phony Windows Update screen, which was built to make them think they're downloading a new critical Windows update.

To make the update appear legitimate, the attackers added fake details like a Microsoft copyright and "critical update" file name. Unsuspecting users may agree to download and think they're updating their PC as usual.

In reality, the virus is working in the background to encrypt files so they can be held for ransom. An embedded program called WindowsUpdate.exe launches a full-display update screen so users can't switch between apps while the "update" is in progress.

When the ransomware is done encrypting files, Fantom victims will see a ransom note with the name Decrypt_Your_Files.HTML. The note will include the user's ID key and directions for how to email the cybercriminals with payment in order to regain access to their information.

This ransomware encrypts files using AES-128 encryption. There is no means of decrypting Fantom.

A Microsoft spokesperson provided the following statement about Fantom:

"Microsoft’s free security software, which comes standard with Windows, detects and helps remove Fantom malware. We also encourage customers to practice good computing habits online, including exercising caution when clicking on links to Web pages, opening unknown files, or accepting file transfers."

Ransomware attackers employ a variety of means to fool users into granting access to their machines, but this is a crafty one. It also targets a massive portion of business users, most of whom work on Windows machines.

Fantom is particularly threatening to the enterprise because it mimics a screen most business users recognize. The cybercriminals are betting employees will believe the upgrade prompt is legitimate and download the ransomware without thinking twice.

"[Fantom] is part of an increasing trend of malicious software that mimics things we know and trust," says Norman Guadagno, chief evangelist at Carbonite. "This makes it frightening, and potentially even more dangerous, in an enterprise scenario because we're all used to seeing those Windows Update screens."

He says it's important for businesses to notify users of this threat and to convey how Windows Update is handled inside the organization. They should also encourage precautionary measures; for example, ensuring computers are backed up so that if they're infected, they can be rolled back without a ransom payment.

If a victim doesn't have his or her data backed up, oftentimes they end up paying the ransom, Guadagno says. Most ransomware attackers will release files after payment is received, however, he notes.

IT managers should be on alert for this type of attack, as ransomware statistics indicate this threat is a growing risk to businesses. In a 2016 mid-year Trend Micro report, researchers claim more new ransomware families appeared in the first half of 2016 than throughout all of 2015.

The report showed 79 new ransomware families were added in the first half of this year. These, combined with older variants of the malware, have cost businesses $209 million in monetary losses so far in 2016.

Ransomware is normally considered a bigger risk for small- to midsized business or individual users, but Trend Micro found the first half of 2016 also brought a spike in ransomware built to target business systems. New variants of enterprise-focused malware include CRYPSAM and CRYPRADAM AND KIMCIL.

Some companies manage their users' Windows Updates, but not all businesses have the resources to do this. Home-based and remote workers are especially vulnerable as they typically install their own updates.

Related Content:

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights