Skip to main content

Fantom ransomware hides behind phony Windows update to infect your computer

mongodb database ransom rusty padlock
Garretttaggs /Wikimedia Commons
There’s yet another new type of ransomware out there. Fantom is a new form of the malicious virus that disguises itself as an important Windows update.

Ransomware encrypts a victim’s files and holds them ransom for a fee — and cybercriminals are getting savvier in tricking people into clicking malicious links and downloading the virus.

Fantom was discovered by Jakub Kroustek, a security researcher at AVG. He found that the culprits had actually gone to great lengths to disguise their work. The malicious file’s properties list details like Microsoft’s copyright and trademark information to make it appear legitimate.

Once you have downloaded this file, your computer will execute another file called WindowsUpdate.exe, which once again looks relatively harmless to anyone downloading an update. Kroustek shared some screengrabs of the ransomware in action on Twitter, which included a very legitimate-looking “Configuring critical Windows Update” screen with the download update counter.

Unfortunately, what’s happening during this time is that all the users’ files are being encrypted. You can cancel the update screen by hitting Ctrl+F4 but this does not appear to negate the encryption process. Eventually, you will be greeted with the message below.

Image used with permission by copyright holder

The note doesn’t list any fee but encourages the victim to email for further instructions. It warns the user that all files will be destroyed if they don’t respond within a week, and that trying to retrieve your files on your own will permanently destroy the data as well.

The ransomware itself appears to be quite similar to others. It’s based on EDA2, the code commonly used in many different ransomware attacks, and encrypts files with AES-128 encryption. But right now there’s no decryption key available for Fantom.

There’s no sign of where exactly this new ransomware and infection tactic has come from, but according to Bleeping Computer, the very poor English in the ransom note suggests it’s not originating from a native speaker. Researchers and hackers have tried to pin down possible sources of ransomware by picking apart the language and terminology used in the text, with many putting the blame on Russian-speaking hackers.

As far as Fantom goes, one of its infection notices lists an email address from Russian provider Yandex but also a Techemail address, which is provided by California’s, so it’s not possible to attribute Fantom to anyone at this point.

Editors' Recommendations

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Windows 11 is finally going to play nice with your iPhone
Phone Link for iOS will be available for Windows 11 starting in mid-May.

Microsoft will soon begin support for iPhones on its Phone Link app in Windows 11.

The brand announced on its blog Wednesday that it will begin its global rollout of Microsoft Phone Link for iOS in 39 languages across 85 markets in mid-May. This support will allow iPhone users to make and receive phone calls, send and receive text messages, view notifications, and access contacts directly on their PCs.

Read more
Your Windows 11 screenshots may not be as private as you thought
Person sitting and using an HP computer with Windows 11.

When you capture a screenshot and crop out sensitive information, it's still possible to recover a portion of the image that was supposedly removed in some circumstances.

This isn't the first time redacted documents have turned out to have left hidden data intact and readable with the right tools and knowledge. A recent bug in Google's Markup tool for the Pixel phone, humorously dubbed the "Acropalypse," shows this issue might be surprisingly common.

Read more
The Windows 11 taskbar is getting an important new update
Windows 11 set up on a computer.

Microsoft is working on new experiences for Windows that will allow developers to enable pinning for third-party applications, as well as enable pinning to the Taskbar.

Microsoft recently announced the details of these upcoming functions in a blog post. This is the brand's attempt to universalize its pinning process across all apps used on Windows. In practice, it will be similar to how pinning works on the Edge browser, with the Windows 11 users being notified by the Action Center about a request for pinning to the Taskbar by the app in question.

Read more