Fantom ransomware pretends to be a Windows critical update

Thanks to Tad Heppner of SophosLabs for his behind-the-scenes work on this article.

We’ve had a few questions from readers asking about a new ransomware strain known as Fantom, blocked by Sophos products as Troj/Fantom-B.

The good news is that this ransomware isn’t very well-written, we haven’t seen it in any mass-mailed spam blasts, and we don’t think it’s particularly convincing.

So we suspect that even if you’re confronted by it, you’re not likely to fall into its trap.

The bad news is that the Fantom ransomware nevertheless works perfectly well if given half a chance, scrambling your files and then demanding money to get them back, just like better-known threats in the ransomware scene such as Zepto.

The fact that the final “pay page” is illiterate and inept, and that the crooks behind this are apparently unskilled, makes no difference once your data’s been encrypted.

In fact, Fantom is evidence that the underground cybercrime business of ransomware is opening up ever wider.

The Fantom crooks apparently used a publicly available ransomware framework written in C#, meaning that you no longer need to know much at all about programming, cryptography or networking to get stuck into the ransomware scene.

We haven’t found any evidence of Fantom in our spamtraps, so we can’t advise you exactly what to look out for, but as most Naked Security readers will know, general business correspondence such as fake invoices and bogus requests for quotation are very common (and effective) email cover stories for ransomware attacks.

More about document-based ransomware ►

More about JavaScript ransomware ►

More about ransomware in Windows shortcuts

How it works

The main cover for Fantom is that it’s supposed to be a critical Windows update.

Here’s how the malware identifies itself to the handy Windows Sysinternals tool called sigcheck:

   Verified:       Unsigned
   Link date:      23:47 13/07/2012
   Publisher:      n/a
   Company:        Microsoft
   Description:    critical update
   Product:        critical update kb01
   Prod version:
   File version:
   MachineType:    32-bit

Remember, you’ll never receive Windows updates as program files (.EXEs) sent in email, and even if you did, they’d always have a digital signature added by Microsoft.

(The company name extracted from the program by sigcheck above is just a string of text compiled into the program; you can put anything in there you like.)

Once the Fantom malware is running, you’ll end up with two new processes, like this:

The program that shows up as critical update actually does the file scrambling in the background; the curiously-named WindowsFormsApplication5 is a secondary program that is kicked off by the first one and used as a decoy.

When the critical update program runs, your data files will be scrambled as fast as the malware can get through your directories, and renamed with the extension .fantom.

The purpose of WindowsFormsApplication5 is to distract you from the file-scrambling process for as long as possible, presumably to stop you noticing the ripple of destructive changes and powering off while you still have some original files left.

To continue the “critical update” theme, WindowsFormsApplication5 produces an animated full-screen window like this:

We were able to hit Ctrl-Alt-Esc to get to the task manager, from where the subterfuge of WindowsFormsApplication5 is obvious, and from which both ransomware processes could be terminated.

When Fantom has finished scrambling your files, you’ll see a dialog like this, at least if you are not an administrator:

By this time, you ought to realise that something bad has happened; if you allow the abovementioned delback.bat script to run, you’ll be doing this:

vssadmin delete shadows /all /quiet

The crooks are hoping to wipe out any shadow copies (live backup files) you have, in the hope of making it harder for your to recover without paying.

By the way, this is why we recommend not only maintaining your own backups on external devices, but also storing them offline (and ideally offsite, too).

Live backups that are kept locally along with all the current copies of your data are very handy, but they are more for convenience than for safety and security, given that they can be wiped out along with your hard disk by malware, theft, fire, flood, equipment failure, and many other digital calamities.

Once the destructive part of the malware is done, you’ll see a file on your desktop called DECRYPT_YOUR_FILES.HTML that’s positively shouting at you to open it in your browser:

If you’ve seen screenshots of other ransomware, you’ll know that at this point, you usually see:

  • The price you’re going to have to pay, typically using Bitcoins.
  • A anonymous Tor (.onion) web address by which to contact the crooks.

In contrast, Fantom simply asks you to contact one of two free email addresses for further instructions.

Whether this means it’s more likely the perpetrators can be traced and caught we shall have to wait and see.

And just case you missed see the DECRYPT_YOUR_FILES file, Fantom calls home and downloads an eerie wallpaper image with the email addresses writ large:

What to do?

We regularly offer advice on preventing (and recovering from) attacks by ransomware and other nasties.

Here are some links we think you’ll find useful:


(Audio player above not working? Listen on Soundcloud or access via iTunes.)