Windows 10 is notorious for installing updates on users' machines without asking, and now there is a ransomware family that aims to capitalize on that habit. The new ransomware, Fantom, is built on EDA2, an open-source "educational" ransomware project published on GitHub by the same author as Hidden Tear and since abandoned.
Fantom behind the scenes
In an attempt to conceal malicious intent, the authors of this ransomware modified the executable's file properties (the version information shown on the Details tab) to carry copyright and legal trademark strings mimicking a genuine Windows update.
Once the dropper is executed, it drops the payload "WindowsUpdate.exe" into AppData\Local\Temp (%LocalAppData%\Temp) and runs it to display a fake Windows Update screen. This screen locks you out of doing anything else on your computer, keeping in line with the scam that Windows 10 is doing one of its usual update interruptions. One check worth knowing: the genuine Windows Update client (wuauclt.exe) lives in %SystemRoot%\System32 and is signed by Microsoft, so a process named WindowsUpdate.exe running out of a user's Temp folder is itself an indicator of compromise.
The percentage counter does work and ticks up at roughly one percent per minute. It is fake, though: it represents nothing except a message that this "Windows update" will take a while and that you shouldn't be alarmed by the CPU usage and hard drive activity, which is actually the encryption running. You can dismiss the fake update overlay by ending the process "WindowsUpdate.exe" in Task Manager, but that does not stop the encryption of your files, which is not performed by the overlay process.
DECRYPT_YOUR_FILES.HTML ransom note
Files are encrypted with AES-128, and each encrypted file has ".fantom" appended to its name (so report.docx becomes report.docx.fantom). In every directory where a file is encrypted, a standard ransom note named "DECRYPT_YOUR_FILES.HTML" is also written.
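Those two artifacts, the appended ".fantom" extension and the per-directory DECRYPT_YOUR_FILES.HTML note, are enough to triage a machine or a file share. The script below is an added example written for this post, not code from the original article or from the malware; it walks a directory tree, reports encrypted files and note locations, flags directories where the two indicators do not line up (a sign of interrupted encryption or a decoy note), and recovers the original file name from an encrypted one, which you need when restoring from backup. The sample tree it builds is constructed here for demonstration only.

```python
"""Triage scan for Fantom ransomware artifacts on a file tree.

Added example for this post (not the malware's or the article's code).
It reads only directory listings, never file contents, so it is safe to
run on a live host that may still be encrypting.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".fantom"             # appended to every encrypted file
RANSOM_NOTE = "DECRYPT_YOUR_FILES.HTML"  # dropped in every affected directory


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    note_dirs: list = field(default_factory=list)
    # Mismatches are worth a second look: a note with no encrypted files
    # may be a decoy, encrypted files with no note may mean the run was
    # interrupted (for example by a reboot) before it finished that folder.
    note_without_encrypted: list = field(default_factory=list)
    encrypted_without_note: list = field(default_factory=list)


def original_name(name):
    """Recover the pre-encryption file name by stripping the appended
    extension; names that are not .fantom files are returned unchanged."""
    if name.lower().endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def scan_for_fantom(root):
    """Walk `root` and collect Fantom indicators per directory."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted_here = sorted(
            os.path.join(dirpath, n)
            for n in filenames
            if n.lower().endswith(ENCRYPTED_EXT)
        )
        # NTFS is case-insensitive, so compare the note name case-insensitively.
        has_note = any(n.upper() == RANSOM_NOTE for n in filenames)
        result.encrypted_files.extend(encrypted_here)
        if has_note:
            result.note_dirs.append(dirpath)
        if has_note and not encrypted_here:
            result.note_without_encrypted.append(dirpath)
        if encrypted_here and not has_note:
            result.encrypted_without_note.append(dirpath)
    return result


def build_sample_tree(base):
    """Constructed sample data: two fully hit folders, one clean folder,
    and one folder where encryption appears to have been interrupted."""
    layout = {
        "docs": ["report.docx.fantom", "budget.xlsx.fantom", RANSOM_NOTE],
        "pictures": ["holiday.jpg.fantom", RANSOM_NOTE],
        "clean": ["notes.txt", "photo.png"],
        "partial": ["archive.zip.fantom"],  # encrypted file, no note yet
    }
    for sub, files in layout.items():
        d = os.path.join(base, sub)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"x")  # placeholder content; only names matter
    return base


def demo():
    """Run the scan over the constructed tree and return summary counts:
    (encrypted files, directories with a note, encrypted-without-note,
    note-without-encrypted)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = scan_for_fantom(tmp)
        return (
            len(r.encrypted_files),
            len(r.note_dirs),
            len(r.encrypted_without_note),
            len(r.note_without_encrypted),
        )


if __name__ == "__main__":
    counts = demo()
    print("encrypted=%d note_dirs=%d no_note=%d note_only=%d" % counts)
    print(original_name("report.docx.fantom"))
```

Run it against a real root (`scan_for_fantom(r"D:\shares")`) rather than the sample tree to get a list of affected directories; the `encrypted_without_note` list tells you where the encryption run was cut short, which is also the first place to look for files that may still be intact.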
The ransom note has no onion link to a payment portal for your files, which is the standard for most encrypting ransomware. Instead, you're asked to email the criminals and await a response. This tactic targets less savvy computer users who would be intimidated by creating a bitcoin wallet and using the Tor Browser to reach a darknet site for the ransom payment. To increase the odds of gaining trust, two "freebie" files are decrypted at no charge.
However, it's clear that these criminals have a very loose grip on the English language, so we don't anticipate their email scheme getting much traction. From the poor English we assume the operators are somewhere in the Far East or Eastern Europe, although language alone is a weak indicator of origin. Poor formatting and misspelled common words are still a useful giveaway that an email is not from a legitimate source. So when you get an email from an unknown sender, take your time to read it completely before you click on anything in it.
Employ a backup solution
Keep backups of your data with at least 30 days of retention, and keep at least one copy offline or otherwise out of reach of a logged-in user, since ransomware that can reach a mapped drive or network share will encrypt the backup along with everything else. Complete Computers offers multiple backup solutions that protect your data from this ransomware and others, and when bundled with our security solutions they provide a complete backup solution for your business.
Anthony Regina was born and raised in California and grew up in Benicia. He is constantly learning new technology security solutions to help keep businesses current. If you have a tech topic you’d like for him to cover, email him at a.regina@completecomputers.us.