Fantom, the ransomware that pretends to be Windows Update

Some malware pretends to be a browser, some even speaks to you… and, for some time now, some pretends to be Windows Update.

We are talking about a new ransomware family called Fantom, which has spread over the past few weeks and deceives the user with a strategy already seen in the past.

Fantom masks its activity by impersonating Windows Update: once it is run, the ransomware shows the user a window similar to the one below, making them believe they are installing updates.

[Image: the fake Windows Update screen shown by Fantom]

The rest is the familiar story: encrypted documents and a ransom demand. But let's look a little closer.

How does Fantom work?

Discovered by an AVG researcher, Fantom - effective only on Windows - arrives as a program named a.exe.

The executable's properties also carry a false Microsoft copyright notice, to deceive the user further. Note that version-info fields such as the copyright are free text set by whoever built the binary; only a valid Authenticode signature says anything about the publisher.

Once a.exe is run, the executable that actually encrypts the files - WindowsUpdate.exe - is invoked and the fake update screen is shown. The file encryption process then starts. The screen apparently cannot be exited, but CTRL + F4 will close it and return you to Windows.

Unfortunately, this will not stop the encryption process, which continues in the background. As in its EDA2 "parent", encryption uses a 128-bit AES key, which is then uploaded to the control server.

Encrypted files are given the .fantom extension.
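As an added illustration (not code from the article or from any AV vendor), here is a small Python detection sketch over constructed file-event log lines that flags the two behaviours just described: a binary named WindowsUpdate.exe running from a user profile directory, and a burst of writes to files carrying the .fantom extension. The log format, paths and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp|process name|image path|written path);
# not real telemetry from any Fantom infection.
SAMPLE_LOG = r"""
2016-08-29T10:00:01|WindowsUpdate.exe|C:\Users\bob\AppData\Local\Temp\WindowsUpdate.exe|C:\Users\bob\Documents\a.docx.fantom
2016-08-29T10:00:01|WindowsUpdate.exe|C:\Users\bob\AppData\Local\Temp\WindowsUpdate.exe|C:\Users\bob\Documents\b.xlsx.fantom
2016-08-29T10:00:02|WindowsUpdate.exe|C:\Users\bob\AppData\Local\Temp\WindowsUpdate.exe|C:\Users\bob\Pictures\c.jpg.fantom
2016-08-29T10:00:02|WindowsUpdate.exe|C:\Users\bob\AppData\Local\Temp\WindowsUpdate.exe|C:\Users\bob\Pictures\d.png.fantom
2016-08-29T10:03:00|winword.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\bob\Documents\report.docx
"""

def parse_events(text):
    """Parse pipe-delimited lines into (timestamp, process, image, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, image, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), proc, image, path))
    return events

def detect(events, threshold=4, window_seconds=10):
    """Return alerts for the two Fantom behaviours described in the article."""
    alerts = []
    # Rule 1: a process calling itself WindowsUpdate.exe but running outside
    # C:\Windows. Assumption: no legitimate Windows component with that name
    # runs from a user-writable directory.
    flagged = set()
    for _, proc, image, _ in events:
        if proc.lower() == "windowsupdate.exe" and not image.lower().startswith("c:\\windows\\"):
            if image not in flagged:
                flagged.add(image)
                alerts.append(("masquerade", image))
    # Rule 2: one image writing `threshold` or more .fantom files within
    # `window_seconds` (a burst that ordinary user activity does not produce).
    per_image = defaultdict(list)
    for ts, _, image, path in events:
        if path.lower().endswith(".fantom"):
            per_image[image].append(ts)
    for image, times in per_image.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if (t - start).total_seconds() <= window_seconds]
            if len(in_window) >= threshold:
                alerts.append(("fantom_burst", image, len(in_window)))
                break
    return alerts
```

Tune `threshold` and `window_seconds` to the host's normal write rate; the burst rule, unlike the name match, does not depend on the dropped binary keeping the name WindowsUpdate.exe.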

At the end of the process, as usual, the desktop background is changed and an HTML file is opened that tells the user their files have been encrypted, gives instructions for paying the ransom, and warns that they have only a week before the private key is destroyed and the files become unrecoverable.

[Image: the HTML ransom note displayed by Fantom]

Unfortunately, it is currently not possible to decrypt files encrypted by Fantom. The only advice, as always, is to pay close attention to the files and attachments you run on your machine and to avoid downloading material from untrusted sources.
