Attacks/Breaches
8/30/2016
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

New 'Fantom' Ransomware Poses As Windows Update

Fantom malware comes disguised as a legitimate Microsoft Windows update to trick consumers and business users into downloading it.

IT managers have a new ransomware threat on their radar that comes camouflaged as a Critical Windows Update to trick enterprise users and consumers into clicking malicious links.

Fantom, a recently released ransomware variant, was discovered by malware researcher at security software firm AVG, Jakub Kroustek, who spotted the attackers using the detailed disguise to steal information from Windows PCs.

Ransomware is a type of malware attack through which hackers block users' PC access, encrypt users' files so they can't be used, and prevent certain apps from running. The victim is warned that to retrieve his or her files or PC acces, he or she must pay a specified ransom fee -- which doesn't necessarily guarantee the attackers will relinquish the ransomed data.

The design of Fantom ransomware is based on the open-source EDA2 ransomware project, reported BleepingComputer. Victims will first see a phony Windows Update screen, which was built to make them think they're downloading a new critical Windows update.

To make the update appear legitimate, the attackers added fake details like a Microsoft copyright and "critical update" file name. Unsuspecting users may agree to download and think they're updating their PC as usual.

In reality, the virus is working in the background to encrypt files so they can be held for ransom. An embedded program called WindowsUpdate.exe launches a full-display update screen so users can't switch between apps while the "update" is in progress.

When the ransomware is done encrypting files, Fantom victims will see a ransom note with the name Decrypt_Your_Files.HTML. The note will include the user's ID key and directions for how to email the cybercriminals with payment in order to regain access to their information.

This ransomware encrypts files using AES-128 encryption. There is no means of decrypting Fantom.

A Microsoft spokesperson provided the following statement about Fantom:

"Microsoft’s free security software, which comes standard with Windows, detects and helps remove Fantom malware. We also encourage customers to practice good computing habits online, including exercising caution when clicking on links to Web pages, opening unknown files, or accepting file transfers."

Ransomware attackers employ a variety of means to fool users into granting access to their machines, but this is a crafty one. It also targets a massive portion of business users, most of whom work on Windows machines.

Fantom is particularly threatening to the enterprise because it mimics a screen most business users recognize. The cybercriminals are betting employees will believe the upgrade prompt is legitimate and download the ransomware without thinking twice.

"[Fantom] is part of an increasing trend of malicious software that mimics things we know and trust," says Norman Guadagno, chief evangelist at Carbonite. "This makes it frightening, and potentially even more dangerous, in an enterprise scenario because we're all used to seeing those Windows Update screens."

He says it's important for businesses to notify users of this threat and to convey how Windows Update is handled inside the organization. They should also encourage precautionary measures; for example, ensuring computers are backed up so that if they're infected, they can be rolled back without a ransom payment.

If a victim doesn't have his or her data backed up, oftentimes they end up paying the ransom, Guadagno says. Most ransomware attackers will release files after payment is received, however, he notes.

IT managers should be on alert for this type of attack, as ransomware statistics indicate this threat is a growing risk to businesses. In a 2016 mid-year Trend Micro report, researchers claim more new ransomware families appeared in the first half of 2016 than throughout all of 2015.

The report showed 79 new ransomware families were added in the first half of this year. These, combined with older variants of the malware, have cost businesses $209 million in monetary losses so far in 2016.

Ransomware is normally considered a bigger risk for small- to midsized business or individual users, but Trend Micro found the first half of 2016 also brought a spike in ransomware built to target business systems. New variants of enterprise-focused malware include CRYPSAM and CRYPRADAM AND KIMCIL.

Some companies manage their users' Windows Updates, but not all businesses have the resources to do this. Home-based and remote workers are especially vulnerable as they typically install their own updates.

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/1/2016 | 1:12:05 PM
Re: Windows 10 affected?
Ultimately, the best advice: Just be extra careful with what you click on, use adblockers, and disable Flash and Java unless you REALLY REALLY REALLY trust the site.  And never click an attachment or link in an email unless you're expecting it and know what it is (and you trust the sender).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/1/2016 | 1:08:18 PM
Re: SMH
Oh, yes, I definitely understand it (heck, even I have issues with the chip scanners sometimes -- especially because of the inconsistency among retailers).  It just used to be much easier and more straightforward.  (But, of course, fewer people had personal computers back then.)

Now stop skateboarding on the sidewalk!
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
9/1/2016 | 8:11:19 AM
Re: Windows 10 affected?
Ransomware still creeps me out the most but at least I have a tonne of backups. But I'd rather be aware and scared, I can't imagine the shock of having all of your most personal files and folders encrypted out of the blue with no warning. 
emjones_uow
50%
50%
emjones_uow,
User Rank: Apprentice
9/1/2016 | 6:23:25 AM
Re: VPN for Additional Security
The ones i mentioned, keeps no log and there are many who does'nt either. I know there are VPNs working in grey areas but not to forget the core purpose of having a VPN. Organizations have it, to secure their network, obviously there are other factors aswell but sparing a small amount for an additional security is the least a simple internet user can do. Makes it difficult to hack ones IP as VPN ensures anonymity. 
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
9/1/2016 | 6:12:59 AM
Re: VPN for Additional Security
How has your experience been with Purevpn? I have read good reviews about their connectivity.
jcavery
50%
50%
jcavery,
User Rank: Moderator
8/31/2016 | 7:50:28 PM
Re: Windows 10 affected?
Ahyup,   XP through 10
jcavery
50%
50%
jcavery,
User Rank: Moderator
8/31/2016 | 7:28:25 PM
Re: SMH
If you have ever gotten behind the wrong person in line at a grocery store with the chipped debit cards, you can understand why that person might also have trouble configuring a reliable backup system on their PC. Back in my day the only chips in a grocery store were right next to the salsa!

That ball that flew over my fence? I'm keeping it. It's mine now.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:25:29 PM
Re: SMH
@jcavery: It's kind of dumb if you think about it.  Floppy drives used to come standard on computers (both desktops and laptops).  Local backup was a breeze.  Now floppy drives are considered obsolete because we have thumb drives.  Except thumb drives are still pretty expensive -- unless you get free ones at conferences...which may be infected with malware.

Meanwhile, I've got an old ZIP Drive and ZIP Disks kicking around somewhere and I can't get to what's backed up on those from years ago because nobody makes machines with those printer ports anymore.

Now I'm cranky and wistful for the good old days.  Get off my lawn.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:22:08 PM
Re: Ransomware
Ransomware sort of became this logical next step once the spamming business for black-market pharmaceuticals went under.  Black hatters needed to find a different way to leverage their botnets, their resources, their skillz.

In our attempt to kill a fly, we let in a hornet.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:19:24 PM
Re: VPN for Additional Security
In addition or as an alternative, one could work with a virtual sandbox (like sandbox.ie).  One InfoSec guy I know swears by them for protecting against ransomware specifically, among other threats.
Page 1 / 3   >   >>
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.