Microsoft's Windows platform is being targeted by a new type of ransomware dubbed Fantom. The new strain places a fake Windows Update screen on a PC and says it is installing an important update. In fact, the update is not from Microsoft and is malicious. If the “update” is complete, files on the PC will be encrypted and locked down.
It is an interesting new implementation of ransomware. Arguably attackers know that users are becoming used to seeing Windows Updates arrive randomly. Taking advantage of that, this ransomware appears to be the real deal to unsuspecting users.
Jakub Kroustek of AVG Technologies discovered the so-called ‘Fantom' ransomware. The malicious content is packaged in the form of an executable called ‘a.exe.' This program uses its properties details to claim to be a ‘critical update' for Windows. Just to make it that extra bit legitimate in look, the attackers have placed a 2-16 copyright from Microsoft.
Of course, the exe. File is not the real deal at all. Once it is executed it will begin to run the download file called WindowsUpdate.Exe. Again, this will make unsuspecting users think this is the real deal. To continue the official Microsoft trick, the program places an official-looking update screen when it is downloading. This page is complete with a percentage bar and reminder not to shut down the PC.
Once this screen initiates it begins downloading the ransomware and won't let users switch applications. The download process includes encrypting files just like a typical ransomware attack would. It goes after a number of extensions and replaces them with a ‘.fantom' file extensions. That's when the HTML ransom note is sent.
No Fix Available
As is usually the case, the attackers demand money to unlock the files they have encrypted. It is fairly obvious that the perpetrators are not English speakers. The ransom note is a grammatical minefield of errors. These guys are clearly not stupid though and have crafted an affective attack. Especially as there is no current method to decrypt the files other than to pay up.
Considering there is no fix for this ransomware, users should be very cautious. Windows customers need to be careful about opening files that they are not familiar with that come from the internet.
Windows has been the subject of several ransomware attacks this year. It is a growing type of cyberattack because it is easy and gives hackers big rewards.