Fantom Ransomware poses as a Windows Update while encrypting files


The ransomware will download an image from and save it to %UserProfile%\2d5s8g4ed.jpg. This image is then used as the Windows wallpaper shown above. The image is downloaded from the following URL, which may provide a clue as to the developer’s identity:

A new piece of ransomware called Fantom masquerades as a critical Windows update. Victims who fall for this see a Windows screen that appears to be installing the update, but what is really happening is that the user’s documents and files are being encrypted in the background.

The developers behind the Fantom Ransomware make an extra effort to hide its malicious activity by pretending the program is a critical update for Windows. To add legitimacy, the file properties of the ransomware state that it is from Microsoft and is called "critical update". When executed, the ransomware extracts and executes another embedded program called WindowsUpdate.exe that displays the fake Windows Update screen shown below. This screen overlays all active windows and does not allow you to switch to any other open application.
The fake update screen also contains a percentage counter that increases as the ransomware silently encrypts the victim’s files in the background. This makes it look like the fake update is being installed and provides a cover story for the increased activity on the victim’s hard drives. The screen can be closed with the Ctrl+F4 keyboard combination. This terminates the fake Windows Update process and restores the normal Windows desktop, but the ransomware continues encrypting files in the background.
Just like other EDA2-based ransomware, it generates a random AES-128 key, encrypts it using RSA, and then uploads it to the malware developers’ Command & Control server.

It then begins to scan the local drives for files with targeted file extensions and encrypts them using AES-128 encryption. When it encrypts a file it appends the .fantom extension to the encrypted file. For example, apple.jpg would be encrypted as a file named apple.jpg.fantom. In each folder where it encrypts a file, it also creates a DECRYPT_YOUR_FILES.HTML ransom note.

Fantom also creates two batch files that are executed when the encryption finishes. These batch files delete the shadow volume copies and the fake Windows Update executable. Finally, the ransomware displays the ransom note, DECRYPT_YOUR_FILES.HTML, which includes the victim’s ID key and provides instructions to email or in order to receive payment instructions.


Files created by Fantom Malware:

Registry created by Fantom Malware:
HKCU\Control Panel\Desktop\ “Wallpaper” “%UserProfile%\How to decrypt your files.jpg”
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 1

Network communication:

Hash: SHA256: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

Almost all file types are encrypted by this nasty malware.

We give the same recommendation again: use a good total security product, such as Max Total Security, that provides a data backup feature so that you can restore your files. That is the only way to protect your data when new malware is being produced every day.

Android malware uses Twitter accounts for its commands

The malware’s developer is substituting Twitter accounts for a control server to communicate with infected smartphones. It runs as a backdoor virus that can secretly install other malware on a phone. Typically, the makers of Android malware control their infected smartphones from servers. Commands sent from those servers can create a botnet of compromised phones and tell the malware on all the phones what to do.

This malware, named Android/Twitoor, has been active since July 2016. It cannot be found on any official Android app store, but likely spreads through SMS or via malicious URLs. The Trojan impersonates a porn player app or an MMS application, but without that functionality. Instead, it downloads several versions of mobile banking malware.

After the Trojan launches, it hides its presence on the system and checks the defined Twitter account in regular intervals for commands. Based on received commands, it can either download malicious apps or change the C&C Twitter account to another one. Additionally, botnet operators can start distributing other malware at any time, including ransomware.

Internet users should keep securing their activities with good security solutions for both computers and mobile devices. We can now expect to see more malware following this trend and making use of Facebook, Twitter, WhatsApp and other social networks.

Alma Locker Ransomware

The Alma Locker virus recently appeared and joined the currently circulating ransomware threats. This virus has some new features: it employs Tor command and control servers. Moreover, while other viruses of the same kind mainly spread through malicious spam email attachments, this sample prefers exploit kits.

Alma Locker generates a random 5-character extension that is appended to encrypted files and a unique 8-character victim ID. This victim ID is derived from the serial number of the C:\ drive and the MAC address of the first network interface. Alma Locker then searches the victim’s drive letters for files with certain extensions and encrypts them using AES-128 encryption. When it encrypts a file it appends the previously generated extension to the encrypted file. For example, if the extension associated with a victim is .a5zfn, then a file named test.jpg would be encrypted to a file named test.jpg.a5zfn.

The data files targeted by Alma Locker are:

While encrypting files, Alma Locker will skip files located in folders containing the following strings:


During the encryption process, Alma Locker will send the following base64 encoded information to the ransomware’s Command & Control server: AES-128 private decryption key, encrypted file extension, user name, name of active network interface, the system Locale ID (LCID), operating system version, victim ID, security software registered with Windows, and the time stamp of when the program was started. When it has finished it will display a ransom note explaining what has happened to the victim’s files:


The ransom note contains links to the TOR payment site and a link to download a decryptor. When this decryptor is run, it connects to the Command & Control server and retrieves information such as the current ransom amount, whether a payment has been received, and how many hours are left in the five-day countdown.

The ransom notes also link to a TOR site which states that a victim can perform some test file decryptions to prove that the criminals are able to decrypt the files.

Unfortunately, it appears that this free decryption is currently not working.

New DetoxCrypto Ransomware pretends to be PokemonGo


Above is the screenshot of a message (wallpaper) encouraging users to contact the developers of DetoxCrypto ransomware to decrypt their compromised data

DetoxCrypto is ransomware-type malware that infiltrates the system and encrypts various data types (.psd, .ppt, .docx, .zip, .rar, etc.). Note that, unlike other ransomware, DetoxCrypto does not change the filenames or add any type of extension, which is quite unusual. Following successful encryption, DetoxCrypto changes the desktop wallpaper and opens a pop-up window. Both contain a ransom-demand message.

DetoxCrypto informs users of the encryption and states that decryption without a private key is impossible. With asymmetric cryptography, two keys (a public key for encryption and a private key for decryption) are generated during the encryption process. The cyber criminals store the private key on remote servers and users are encouraged to buy it. To contact the cyber criminals, victims are asked to write an email to, or addresses. The ransom is 3 Bitcoins (currently, 1 Bitcoin is equivalent to ~$574). This ransom is quite large, since most cyber criminals responsible for the development of ransomware demand 0.5 – 1.5 Bitcoin.

Screenshot of DetoxCrypto ransom-demand pop-up message:


The Pokemon themed variant of DetoxCrypto is distributed as an executable called Pokemongo.exe. When executed the ransomware will extract numerous files to the C:\Users\[account_name]\Downloads\Pokemon folder as shown below.

So far there is no way to repair the encrypted files, and paying the ransom has not helped either: in some cases the criminals have taken the money and not provided a key to decrypt the files. The best option is to use a good total security program such as Max Total Security, which provides an automatic backup feature. Schedule it to back up every day and be prepared for such challenges, so that you can restore your backed-up files or restore your PC to the last known good configuration.

QuadRooter Android Vulnerabilities in Over 900 Million Devices

QuadRooter is a set of four vulnerabilities affecting Android devices built on Qualcomm® chipsets. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalation and gain root access to a device. An attacker can exploit these vulnerabilities using a malicious app. Such apps require no special permissions to take advantage of the vulnerabilities, which avoids raising any suspicion users might have when installing them.

This affects an estimated 900 million Android devices manufactured by OEMs like Samsung, HTC, Motorola, LG and more. In fact, some of the latest and most popular Android devices found on the market today use the vulnerable Qualcomm chipsets including:

BlackBerry Priv
Blackphone 1 and 2
Google Nexus 5X, 6 and 6P
HTC One M9 and HTC 10
LG G4, G5, and V10
New Moto X by Motorola
OnePlus One, 2 and 3
Samsung Galaxy S7 and S7 Edge
Sony Xperia Z Ultra

The four distinct vulnerabilities lie in four modules. Each vulnerability impacts a device’s entire Android system:
1. IPC Router (inter-process communication)
2. Ashmem (Android kernel anonymous shared memory feature)
3. kgsl (kernel graphics support layer)
4. kgsl_sync (kernel graphics support layer sync)

Please follow these best practices to keep your Android devices safe:
- Download and install the latest Android updates as soon as they become available. These include important security updates that help keep your device and data protected.
- Understand the risks of rooting your device – either intentionally or as a result of an attack.
- Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from Google Play.
- Carefully read permission requests when installing apps. Be wary of apps that ask for unusual or unnecessary permissions or that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks. If traveling, use only networks you can verify are provided by a trustworthy source.
- Consider mobile security solutions such as Max Total Security that detect suspicious behavior on a device, including malware hiding in installed apps.



Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.

The Hitler ransomware infection takes place when the user double-clicks on an infected binary. It looks like file deletion is becoming a standard tactic in new ransomware applications created by less skilled ransomware developers. This is shown in a new ransomware called Hitler-Ransomware, misspelled in the lock screen as Hitler-Ransonware. This ransomware shows a lock screen displaying Hitler and then states that your files were encrypted. It then prompts you to enter the cash code of a 25 Euro Vodafone Card as the ransom payment to decrypt your files.

This ransomware appears to be a test variant, based on the comments in the embedded batch file and because it does not encrypt any files at all. Instead, this malware removes the extension from all files under various directories, displays a lock screen, and then shows a one-hour countdown as shown in the lock screen below. After that hour it crashes the victim’s computer and, on reboot, deletes all of the files under the victim’s %UserProfile%. I hope this is not the actual code that this ransomware developer plans on using if it goes live.

The developer also appears to be German, based on the text found within an embedded batch file. The batch file contains the following German text:
Das ist ein Test
besser gesagt ein HalloWelt
copyright HalloWelt 2016
:d by CoolNass
Ich bin ein Pro
fuer Tools für Windows

This translates to English as:
This is a test
rather a Hello World
copyright Hello World 2016
: D by Cool Wet
I am a Pro
for Tools for Windows

Files associated with Hitler-Ransomware:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\firefox32.exe

Max Total Security can detect and remove this Malware.

Banking Trojan risks Android devices

The malware is disguised as a browser update, a malicious application called last-browser-update.apk. As it turned out, the malicious downloads were happening through the Google AdSense advertising network, which is used by many sites (not just news sites) to display targeted advertising to users. Site owners embed these advertisements on their own pages.

To spread the infection, the Trojan uses the features of the Google AdSense advertising network, which serves targeted advertising. When you visit a page carrying the advertisement, the Trojan download occurs immediately.

Malware of the Svpeng family can steal information about the user’s bank card via phishing windows, as well as intercept, delete, and send text messages. In addition, the Trojan collects information about calls, the content of text and multimedia messages, browser bookmarks, and contacts.

Max Total Security for Android can detect and remove such Malware.

R980 Ransomware arrives via spam emails

Like Locky, Cerber and MIRCOP, the spam emails carrying this ransomware contain documents embedded with a malicious macro (detected as W2KM_CRYPBEE.A) that is programmed to download R980 from a particular URL. Since R980 was first detected, there have been active connections to that URL, going back to July 26th of this year.

R980 encrypts 151 file types using a combination of the AES-256 and RSA-4096 algorithms. Although it appends the .crypt extension to encrypted files, it bears no other resemblance to earlier versions of CryptXXX, which used the same extension. For its encryption mechanism, R980 uses a Cryptographic Service Provider (CSP), a software library used by developers to implement cryptographic functions in Windows-based applications.

For persistence, it uses the registry key, HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Unlike most ransomware, it does not delete itself after infecting the system. R980 is also somewhat reminiscent of DMA Locker (detected as RANSOM.MADLOCKER.B) as it drops the following components and indicators of compromise (IOC):

rtext.txt – the ransom note
status.z – IOC for initial execution of the ransomware
status2.z – IOC for the execution of the dropped copy
k.z – contains the downloaded base64 decoded data
fnames.txt – contains the filenames of the encrypted files
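The Fantom artifacts described earlier (the .fantom extension, DECRYPT_YOUR_FILES.HTML, the 2d5s8g4ed.jpg wallpaper, WindowsUpdate.exe) and the R980 components listed above can be swept for on a filesystem. The following is an added example written for this page, not code from the malware or from any vendor product; the directory layout it scans is constructed inline, and the "likely / possible" verdict rule is an assumption of the example.

```python
import os
import tempfile

# Filesystem artifacts named in the Fantom and R980 write-ups above.
# Filenames match exactly (case-insensitive); extensions match as suffixes.
INDICATORS = {
    "Fantom": {"extensions": {".fantom"},
               "filenames": {"decrypt_your_files.html", "2d5s8g4ed.jpg",
                             "windowsupdate.exe"}},
    "R980": {"extensions": {".crypt"},
             "filenames": {"rtext.txt", "status.z", "status2.z", "k.z",
                           "fnames.txt"}},
}


def sweep(root):
    """Walk root; return {family: {"ext": [paths], "name": [paths]}}."""
    hits = {fam: {"ext": [], "name": []} for fam in INDICATORS}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            low, path = fname.lower(), os.path.join(dirpath, fname)
            for fam, ind in INDICATORS.items():
                if low in ind["filenames"]:
                    hits[fam]["name"].append(path)
                elif any(low.endswith(ext) for ext in ind["extensions"]):
                    hits[fam]["ext"].append(path)
    return hits


def verdict(hits):
    """'likely' = encrypted files AND a dropped note/marker found;
    'possible' = only one of the two (a lone status.z is weak evidence)."""
    out = {}
    for fam, h in hits.items():
        kinds = sum(1 for k in ("ext", "name") if h[k])
        out[fam] = {2: "likely", 1: "possible"}.get(kinds, "none")
    return out


def build_sample_tree(base):
    """Constructed sample: one Fantom-hit folder, a lone R980 marker, clean files."""
    layout = ["docs/apple.jpg.fantom", "docs/DECRYPT_YOUR_FILES.HTML",
              "docs/notes.txt", "tmp/status.z", "pics/cat.jpg"]
    for rel in layout:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return base


def demo():
    """Sweep the constructed tree in a scratch directory and return verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        return verdict(sweep(build_sample_tree(tmp)))
```

Point sweep() at a real volume root to run it outside the demo; the registry values listed for Fantom are not covered here because the sweep is filesystem-only.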

To protect yourself from such ransomware, you need to back up your data regularly. Max Total Security detects and can protect your PC from such Malware.

Malicious app on Google Play

A set of malware published on Google Play by the developer account ValerySoftware was discovered by McAfee Labs researchers.

Some characteristics of this malware:

1. Encrypted and obfuscated at many levels
2. Downloads APK files from external sources
3. Tries to install apps from Google Play without user interaction
4. Displays or silently accesses ads from multiple vendors of advertisement development kits
5. Leaks sensitive information
6. Receives commands to open and close applications
7. Receives commands to install and uninstall applications

This Trojan pretends to be a game patch but is only a WebView function that locally loads a couple of HTML resources after requesting device admin privileges—probably to avoid uninstallation after its disappointing execution. In the background, however, the malware loads and decrypts multiple .dex files to start malicious activities that go unnoticed.

Based on the domain owner’s information in this malware, we can tie the authors to a group of known cyber criminals in Europe who host and distribute malware. To pass unnoticed, the malware authors incorporated anti-emulation techniques in the malicious code so that the behavior could not be detected by automated dynamic test environments.

Although Google has been successful in improving the policing of malicious apps, this threat is a reminder that malware can still be present even in official stores. Your first check before installing an app should be reviews by other users. Also check that permissions the app requests are related to its functionality, and review the developer profile to look for other apps.

OSX malware Eleanor

Security researchers have discovered a nasty surprise hidden as a fake file converter application, called EasyDoc Converter, available on a number of download sites, that offers everything but what users expected. The EasyDoc Converter app purports to be a drag-and-drop file converter, but in reality has no beneficial functionality — instead it simply downloads a malicious script.

The new Mac malware OSX/Eleanor is a serious threat and, if installed, can enable attackers to take full control of the compromised machine. It opens a backdoor on infected Macs and, according to researchers, can steal data, execute remote code and access the webcam, among other things.