Last week, the MalwareHunterTeam has found a brand new variant of the Fantom ransomware with very interesting features. These include network share enumeration and encryption, randomly generated desktop wallpapers, and offline encryption. However, the most interesting feature so far, is the ransomware’s ability to set a ransom amount and a payment email based upon the filename.
Usually, a ransom payment amount is provided by a Command & Control server or is hardcoded into the executable. Nevertheless, the new variant of the Fantom ransomware determines the ransom amount by the name of the process. The new feature gives the developer an opportunity to create various distribution campaigns using the same exact sample, but request different ransom amounts depending on how the distributed file is named.
For instance, if the developer wanted to target home users, they may make the ransom amount lower than if they were targeting a particular business or organization simply by changing the name of the file.
Being executed, the Fantom ransomware will examine the process name, which is the same as the filename, and check if it contains certain substrings. Considering the matched substrings, the ransomware will set the ransom to a particular amount.
In case the process name contains the string v01, the ransom value will be set to 1, while if it contains v06, it will be set to 6. The source code has ranges from v01 through v09 and v1 through v20, with the respective numbers being the ransom value. Nevertheless, it is still unknown what the difference is between v06 and v6.
In addition, the new version of Fantom ransomware includes the ability to derive a payment email address from the process name using a regular expression.
By default, each Fantom executable will contain a default payment email address, which is currently restorefiles@protonmail.ch. Once executed, Fantom will parse the process name through a regular expression to see if it can extract a different email address based on the name.
In case the regular expression matches the process name, certain characters will be extracted and turned into a different payment address that overrides the default one.
Due to the fact that the new version of Fantom ransomware no longer communicates with a Command & Control server, it will instead create a unique string called a “personal ID” which is included in a victim’s ransom note and must be sent to the ransomware developer’s email address to get payment instructions.
In order to generate this ID, the ransomware will create a string consisting of the ransom value, the unique AES encryption key for the victim, and the time of the infection. After that, this string is encrypted using a bundled RSA public encryption key and saved as the variable called encryptedPassword.
Then, the enryptedPassword variable is inserted into the victim’s ransom note, so that they can send it to the ransomware developer if they wish to pay the ransom. After that, the developer of the ransomware can decrypt the string with their master RSA key to determine the ransom amount, the victim’s encryption key, and when they were first infected.
The new features of Fantom allow the ransomware developer to provide offline decryption, while still maintaining a secure encryption method. Besides, the use of filenames to determine ransom values and payment addresses reduces complexity when it comes to distribution campaigns.
Among the other significant features found in the new version of Fantom ransomware are the enumeration and the encryption of network shares.
