A security researcher for AVG has discovered a new piece of ransomware called Fantom that masquerades as a critical Windows update. Victims who fall for the ruse will see a Windows screen acting like it's installing the update, but what's really happening is that the user's documents and files are being encrypted in the background.
Fantom is based on the open-source EDA2 ransomware project, and unfortunately there's no way to decrypt the files without the culprit's help. Plain and simple, you're in a bad spot if you happen to fall for this one. While savvy computer users might spot the ransomware as a malicious attempt to wreak havoc, it's easy to see how a less experienced user could be tripped up by this one.
The scam starts with a pop-up labeled as a critical update from Microsoft. Once a user decides to apply the fake update, it extracts files and executes an embedded program called WindowsUpdate.exe. From there it appears as though Windows is applying updates complete with a percentage counter and a warning not to turn off your computer. Once initiated, the user can close the screen by pressing Ctrl+F4, but that doesn't stop the ransomware from encrypting files in the background.
As with other EDA2 ransomware, Fantom generates a random AES-128 key, encrypts it using RSA, and then uploads it to the culprit. From there, Fantom targets specific file extensions and encrypts those files using AES-128 encryption. Affected files will then have the .fantom extension added to them. In addition, it drops a ransom note (see above image) in each folder where it encrypts a file.
Users affected by this are instructed to email the culprit for payment instructions. It's not clear how much it costs to decrypt the files or if the person responsible even follows through once payment is received.
This isn't the first instance of a cybercriminal using a fake Windows update to hide malicious activity and it isn't likely to be the last. Be careful out there, folks.