The AVG Technologies security expert, Jakub Kroustek, has recently stumbled across a new piece of ransomware. Dubbed Fantom, it is disguised as a fake Windows Update Screen claiming to be installing a very important update, while, in fact, it encrypts victims` files.
The Fantom Ransomware drops an executable program onto the victim`s PC. To avoid any suspicion, this program states it is about to install a Windows update, which is “critical”. A 2016 copyright from Microsoft is even written to mislead users into thinking the program is legitimate.
When a user executes this program, it will immediately extract and launch another app named “WindowsUpdate.exe”. Then the victim will see a fake Windows Updates configuring screen with a percentage meter and a “Do not turn off your computer” note. The screen is designed in a way to look like a legitimate update as much as possible to scam the users. Once it is displayed, the user would not be able to switch apps.
While the victims think their Windows is being updated, actually, the malicious ransomware is quietly encrypting their data in the background. It targets files with many different extensions and appends its “.fantom” extension at the end of all locked data. When this process has finished, a random AES-128 key is generated and uploaded to the Fantom`s C&C server.
Finally, the Fantom Ransomware opens an HTML file, containing a ransom note written in broken English. It starts with the classic “Attention! Your files have been encrypted” and continues with instruction on what the victim should do to obtain the “decryption password”.
The bad news is that, for the moment, a free decryptor to unlock files hit by the Fantom Ransomware hasn’t been created.
The Fantom Ransomware is not the first to use a fake Windows Update screen to trick its victims. In May this year, another cyber gang was caught telling users that their Windows license key had expired and if they want to reactivate it, they should call the number shown.
For now, the best thing users could do to protect themselves from such attacks is to be extra cautious about opening shady-looking item on the Internet.