Skip to main content

Fantom ransomware hides behind phony Windows update to infect your computer

mongodb database ransom rusty padlock
Garretttaggs /Wikimedia Commons
There’s yet another new type of ransomware out there. Fantom is a new form of the malicious virus that disguises itself as an important Windows update.

Ransomware encrypts a victim’s files and holds them ransom for a fee — and cybercriminals are getting savvier in tricking people into clicking malicious links and downloading the virus.

Fantom was discovered by Jakub Kroustek, a security researcher at AVG. He found that the culprits had actually gone to great lengths to disguise their work. The malicious file’s properties list details like Microsoft’s copyright and trademark information to make it appear legitimate.

Once you have downloaded this file, your computer will execute another file called WindowsUpdate.exe, which once again looks relatively harmless to anyone downloading an update. Kroustek shared some screengrabs of the ransomware in action on Twitter, which included a very legitimate-looking “Configuring critical Windows Update” screen with the download update counter.

Unfortunately, what’s happening during this time is that all the users’ files are being encrypted. You can cancel the update screen by hitting Ctrl+F4 but this does not appear to negate the encryption process. Eventually, you will be greeted with the message below.


The note doesn’t list any fee but encourages the victim to email for further instructions. It warns the user that all files will be destroyed if they don’t respond within a week, and that trying to retrieve your files on your own will permanently destroy the data as well.

The ransomware itself appears to be quite similar to others. It’s based on EDA2, the code commonly used in many different ransomware attacks, and encrypts files with AES-128 encryption. But right now there’s no decryption key available for Fantom.

There’s no sign of where exactly this new ransomware and infection tactic has come from, but according to Bleeping Computer, the very poor English in the ransom note suggests it’s not originating from a native speaker. Researchers and hackers have tried to pin down possible sources of ransomware by picking apart the language and terminology used in the text, with many putting the blame on Russian-speaking hackers.

As far as Fantom goes, one of its infection notices lists an email address from Russian provider Yandex but also a Techemail address, which is provided by California’s, so it’s not possible to attribute Fantom to anyone at this point.

Editors' Recommendations