A new bit of ransomware known as ‘Fantom’ has been discovered by Jakub Kroustek of AVG Technologies. Fantom tricks users by dropping an executable file onto infected devices named a.exe. The file poses as a “critical update” for Windows, with a 2016 copyright from Microsoft included for an added appearance of legitimacy.
Once activated, the ransomware generates a replica of the Windows Update screen, complete with percentage meter and a reminder not to turn off your computer. The user can’t switch screens once the “update” starts. While the screen informs the user that the “update” is being configured, the virus is quietly encrypting the user’s personal data. The virus targets a wide array of file extension, and a ‘.fantom’ file extension will be appended to infected files.
The virus then generates a random AES-128 key, which gets uploaded to the malware’s command and control center. When the “update” completes, users are greeted with an HTML file that explains in broken English that their files have been encrypted, and the only way to get their data back is to pay the hacker for the decryption key within a week’s time.
This is not the first instance of Cybercriminals using fake Windows Updates to fool victims. A scam was uncovered last May that involved users being told that their Window’s licence key had expired, and to call a specific number to have it reactivated.
As with any type of malware, the best defense against Fantom ransomware is to avoid visiting unknown websites or clicking suspicious links.