The ransomware downloads an image and saves it to %UserProfile%\2d5s8g4ed.jpg. This image is then set as the Windows wallpaper shown above. It is downloaded from the following URL, which may provide a clue to the developer's identity: http://content.screencast.com/users/Gurudrag/folders/Default/media/9289aabe-7b4a-4c7f-b3bb-bdf3407e7a2f/fantom1.jpg
A new piece of ransomware called Fantom masquerades as a critical Windows update. Victims who fall for it see a Windows screen that looks like it is installing the update, but what is really happening is that the user's documents and files are being encrypted in the background.
The developers behind the Fantom ransomware make an extra effort to hide its malicious activity by pretending the program is a critical update for Windows. To add legitimacy, the file properties of the ransomware state that it is from Microsoft and that it is called "critical update". When executed, the ransomware extracts and runs another embedded program called WindowsUpdate.exe, which displays the fake Windows Update screen shown below. This screen overlays all of the active windows and does not allow you to switch to any other open application.
The fake update screen also contains a percentage counter that increases as the ransomware silently encrypts the victim's files in the background. This is done to make it look like the fake update is being installed and to provide an excuse for the increased activity on the victim's hard drives. It is possible to close this screen with the Ctrl+F4 keyboard combination. This terminates the fake Windows Update process and returns you to the normal Windows desktop, but the ransomware continues encrypting your files in the background.
Like other EDA2-based ransomware, it generates a random AES-128 key, encrypts that key with RSA, and uploads it to the malware developers' Command & Control server.
It then scans the local drives for files with targeted file extensions and encrypts them using AES-128. When it encrypts a file it appends the .fantom extension to the encrypted file; for example, apple.jpg is encrypted as a file named apple.jpg.fantom. In each folder where it encrypts a file, it also creates a DECRYPT_YOUR_FILES.HTML ransom note.
Fantom also creates two batch files that are executed when encryption finishes. These batch files delete the shadow volume copies and the fake Windows Update executable. Finally, the ransomware displays the ransom note DECRYPT_YOUR_FILES.HTML, which includes the victim's ID key and instructs the victim to email email@example.com or firstname.lastname@example.org to receive payment instructions.
Files created by Fantom Malware:
Registry created by Fantom Malware:
HKCU\Control Panel\Desktop\ “Wallpaper” “%UserProfile%\How to decrypt your files.jpg”
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 1
Hash: SHA256: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
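An offline triage helper built around the artefacts listed above (the .fantom extension, the DECRYPT_YOUR_FILES.HTML note in each affected folder, and the two registry values). This is an added example, not code from the article or from any vendor; the folder layout and the registry snapshot inside demo() are constructed for the demonstration, and on a real host you would point scan_tree() at the user profile and feed check_registry() values parsed from `reg query` output.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".fantom"                # appended to every encrypted file
RANSOM_NOTE = "DECRYPT_YOUR_FILES.HTML"  # dropped in each folder where a file was encrypted
# Registry artefacts listed above, with the data Fantom writes.
REGISTRY_IOCS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": "1",
    r"HKCU\Control Panel\Desktop\Wallpaper": r"%UserProfile%\How to decrypt your files.jpg",
}

def scan_tree(root):
    """Walk root; return ([(encrypted path, original name)], [note paths], Counter per folder)."""
    encrypted, notes, per_folder = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                # Fantom only appends the extension, so stripping it recovers the original name.
                encrypted.append((path, name[:-len(ENCRYPTED_EXT)]))
                per_folder[dirpath] += 1
            elif name.upper() == RANSOM_NOTE:
                notes.append(path)
    return encrypted, notes, per_folder

def _norm(value):
    """Normalise registry data so a REG_DWORD shown as '0x1' by `reg query` matches '1'."""
    text = str(value).strip().lower()
    return str(int(text, 16)) if text.startswith("0x") else text

def check_registry(values):
    """values maps full value paths to data (constructed here; parse `reg query` on a real host)."""
    return [p for p, want in REGISTRY_IOCS.items() if _norm(values.get(p, "")) == want.lower()]

def demo():
    """Build a constructed victim profile in a temp dir plus a constructed registry snapshot."""
    docs = os.path.join(tempfile.mkdtemp(), "Documents")
    os.makedirs(docs)
    for fname in ("apple.jpg.fantom", "report.docx.fantom", RANSOM_NOTE, "untouched.txt"):
        open(os.path.join(docs, fname), "w").close()
    encrypted, notes, per_folder = scan_tree(os.path.dirname(docs))
    reg_hits = check_registry({
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": "0x1",
        r"HKCU\Control Panel\Desktop\Wallpaper": r"%UserProfile%\How to decrypt your files.jpg",
    })
    return {"originals": sorted(o for _, o in encrypted), "notes": len(notes),
            "folders_hit": len(per_folder), "registry_hits": len(reg_hits)}
```

The list of original names returned by scan_tree() is what you hand to the backup restore once the host is clean, since the .fantom suffix is the only change to the file name.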
Almost all file types are encrypted by this nasty malware.
We repeat the same recommendation: use a good security suite such as Max Total Security, which provides a data backup feature so that you can restore your files. That is the only way to protect your data when new malware is produced every day.