A new strain of ransomware has been discovered, which utilizes a fake Windows Update screen, pretending to install a critical update. In reality, it is encrypting users' files.
Discovered by Jakub Kroustek of AVG Technologies, the 'Fantom' ransomware plays tricks on potential victims by dropping an executable program named 'a.exe.' To cloak its malicious activity, the file's properties state that it contains a 'critical update' for Windows Update. A 2016 copyright from Microsoft is even written, to even lower suspicions.
Once the program is executed, it will extract and run another application under the name 'WindowsUpdate.exe.' This will display what looks like a screen configuring Windows Updates, complete with a percentage meter, and a reminder not to turn off the PC. The screen is designed to look like the ones many go through to install legitimate updates, in order to make victims think that there is nothing wrong going on. Once it is displayed, the program will not let the user switch applications.
As the screen pretends to 'configure Windows Updates,' it is silently encrypting files in the background like other ransomware variants. Once done, it will generate a random AES-128 key, which will be uploaded to the malware's Command & Control (C&C) server. It targets a wide number of file extensions, where a '.fantom' file extension will be appended to.
Lastly, it will open an HTML file, containing what we could easily consider one of the most headache-inducing ransom notes in the English language.
Unfortunately, there is no known method to decrypt files locked up by the Fantom ransomware.
Cybercriminals have been seen utilizing fake Windows Update screens to fool its victims. Back in May, tech support scammers were found telling users that their Windows license key has expired, and that they should call a certain number in order to reactivate it.
As for now, we can only advise our readers to be careful about opening suspicious items on the internet as much as possible, to avoid running into such malevolent software in the future.
Source and Images via Bleeping Computer