When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Fantom ransomware pretends to be Windows Update while it encrypts your files

A fake Windows Update screen used by the Fantom ransomware

A new strain of ransomware has been discovered, which utilizes a fake Windows Update screen, pretending to install a critical update. In reality, it is encrypting users' files.

Discovered by Jakub Kroustek of AVG Technologies, the 'Fantom' ransomware plays tricks on potential victims by dropping an executable program named 'a.exe.' To cloak its malicious activity, the file's properties state that it contains a 'critical update' for Windows Update. A 2016 copyright from Microsoft is even written, to even lower suspicions.

Once the program is executed, it will extract and run another application under the name 'WindowsUpdate.exe.' This will display what looks like a screen configuring Windows Updates, complete with a percentage meter, and a reminder not to turn off the PC. The screen is designed to look like the ones many go through to install legitimate updates, in order to make victims think that there is nothing wrong going on. Once it is displayed, the program will not let the user switch applications.

As the screen pretends to 'configure Windows Updates,' it is silently encrypting files in the background like other ransomware variants. Once done, it will generate a random AES-128 key, which will be uploaded to the malware's Command & Control (C&C) server. It targets a wide number of file extensions, where a '.fantom' file extension will be appended to.

Lastly, it will open an HTML file, containing what we could easily consider one of the most headache-inducing ransom notes in the English language.

The grammar police is cringing on this ransom note

Unfortunately, there is no known method to decrypt files locked up by the Fantom ransomware.

Cybercriminals have been seen utilizing fake Windows Update screens to fool its victims. Back in May, tech support scammers were found telling users that their Windows license key has expired, and that they should call a certain number in order to reactivate it.

As for now, we can only advise our readers to be careful about opening suspicious items on the internet as much as possible, to avoid running into such malevolent software in the future.

Source and Images via Bleeping Computer

Report a problem with article
Chrome logo on a light blue and black background
Next Article

Here's what to do if Chrome isn't allowing you to view Microsoft websites

The iPhone 6s Plus lying face up on a table
Previous Article

A new source confirms next year's iPhone set to ditch Home button

Join the conversation!

Login or Sign Up to read and post a comment.

17 Comments - Add comment