

A new ransomware called Fantom, based on the open-source EDA2 ransomware project, was discovered by AVG malware researcher Jakub Kroustek. Fantom displays a fake Windows Update screen that pretends Windows is installing a new critical update. In the background, though, Fantom is secretly encrypting a victim's files without them noticing.

Unfortunately, there is currently no way to decrypt files encrypted by the Fantom Ransomware, and the usual methods for getting EDA2-based ransomware keys are not available with this variant. For those who wish to discuss this ransomware or need support, you can use the Fantom Ransomware Help Support Topic.

Fantom disguises itself as a Critical Windows Update

The developers behind the Fantom Ransomware make an extra effort to hide its malicious activity by pretending the program is a critical update for Windows. To add legitimacy, the file properties for the ransomware state that it is from Microsoft and is called critical update.

File Properties

When executed, the ransomware will extract and execute another embedded program called WindowsUpdate.exe that displays the fake Windows Update screen shown below. This screen overlays all of the active windows and does not allow you to switch to any other open applications.

Fake Windows Update Screen

The above fake update screen also contains a percentage counter that increases as the ransomware silently encrypts a victim's files in the background. This is done to make it look like the fake update is being installed and to provide a reason for the increased activity on the victim's hard drives.

It is possible to close this screen by using the Ctrl+F4 keyboard combination. This will terminate the fake Windows update process and display your normal Windows screen, but the ransomware will continue encrypting your files in the background.

How the Fantom Ransomware Encrypts a Computer

Thanks to MalwareHunterTeam, who deobfuscated the code for Fantom and provided some analysis, we can easily see how the ransomware performs its encryption. Just like other EDA2-based ransomware, it will generate a random AES-128 key, encrypt it using RSA, and then upload it to the malware developers' Command & Control server.

It then begins to scan the local drives for files that have one of the targeted file extensions and encrypts them using AES-128 encryption. When it encrypts a file, it will append the .fantom extension to the encrypted file. For example, apple.jpg would be encrypted as a file named apple.jpg.fantom. In each folder where it encrypts a file, it will also create a DECRYPT_YOUR_FILES.HTML ransom note.

Fantom will also create two batch files that are executed when the encryption is finished. These batch files will delete the shadow volume copies and fake Windows update executable.

Fantom Cleaning Up

Finally, the ransomware will display the ransom note called DECRYPT_YOUR_FILES.HTML that includes the victim's ID key and provides instructions to email fantomd12@yandex.ru or fantom12@techemail.com in order to receive payment instructions.

Ransom Note

I have to point out that this user obviously does not have a good command of the English language as the grammar and wording could be one of the worst I have seen in a ransom note to date.

Finally, the ransomware will download an image and save it to %UserProfile%\2d5s8g4ed.jpg. This image is downloaded from the following URL, which may provide a clue as to the developer's identity:

http://content.screencast.com/users/Gurudrag/folders/Default/media/9289aabe-7b4a-4c7f-b3bb-bdf3407e7a2f/fantom1.jpg

This image will then be used as the Windows wallpaper shown below.

Fantom Wallpaper

Files created by the Fantom Ransomware:

%AppData%\delback.bat
[Executable_Path]\WindowsUpdate.exe
[Executable_Path]\update.bat
%UserProfile%\2d5s8g4ed.jpg
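
The file indicators described in this article (the .fantom extension, the DECRYPT_YOUR_FILES.HTML note and the dropped file names above) can be combined into a simple filesystem triage pass. The following is an added example, not part of the original analysis; the function names, the confidence tiers and the sample folder layout are assumptions made for illustration.

```python
import os
import tempfile

# Indicators taken from the article above.
ENCRYPTED_SUFFIX = ".fantom"
RANSOM_NOTE = "decrypt_your_files.html"
# Generic names: only meaningful next to a stronger indicator.
WEAK_NAMES = {"windowsupdate.exe", "update.bat", "delback.bat", "2d5s8g4ed.jpg"}


def scan_tree(root):
    """Return {folder: {"encrypted": [...], "note": bool, "weak": [...]}} for folders with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        hit = {"encrypted": [], "note": False, "weak": []}
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                # apple.jpg.fantom -> apple.jpg, the name to look for in backups
                hit["encrypted"].append(name[: -len(ENCRYPTED_SUFFIX)])
            elif lower == RANSOM_NOTE:
                hit["note"] = True
            elif lower in WEAK_NAMES:
                hit["weak"].append(name)
        if hit["encrypted"] or hit["note"] or hit["weak"]:
            report[folder] = hit
    return report


def confidence(hit):
    """High: encrypted files plus note; medium: either alone; low: only generic names."""
    if hit["encrypted"] and hit["note"]:
        return "high"
    if hit["encrypted"] or hit["note"]:
        return "medium"
    return "low"


def build_sample_tree(root):
    """Constructed sample layout (empty files) used only to exercise the scanner."""
    layout = {
        "Pictures": ["apple.jpg.fantom", "DECRYPT_YOUR_FILES.HTML"],
        "Downloads": ["update.bat", "WindowsUpdate.exe"],
        "Clean": ["notes.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, hit in sorted(scan_tree(tmp).items()):
            print(confidence(hit), os.path.relpath(folder, tmp), hit)
```

The recovered original names in the "encrypted" lists give a per-folder inventory of what needs to be restored from backup.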

Registry entries created by the Fantom Ransomware:

HKCU\Control Panel\Desktop\ "Wallpaper" "%UserProfile%\How to decrypt your files.jpg"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1

Network Communication:

http://powertoolsforyou.com/themes/prestashop/cache/stats.php
http://templatesupdates.dlinkddns.com/falssk/fksgieksi.php

Hashes:

SHA256: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

Targeted File Extensions: