Attacks/Breaches
8/30/2016
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

New 'Fantom' Ransomware Poses As Windows Update

Fantom malware comes disguised as a legitimate Microsoft Windows update to trick consumers and business users into downloading it.

IT managers have a new ransomware threat on their radar that comes camouflaged as a Critical Windows Update to trick enterprise users and consumers into clicking malicious links.

Fantom, a recently released ransomware variant, was discovered by malware researcher at security software firm AVG, Jakub Kroustek, who spotted the attackers using the detailed disguise to steal information from Windows PCs.

Ransomware is a type of malware attack through which hackers block users' PC access, encrypt users' files so they can't be used, and prevent certain apps from running. The victim is warned that to retrieve his or her files or PC acces, he or she must pay a specified ransom fee -- which doesn't necessarily guarantee the attackers will relinquish the ransomed data.

The design of Fantom ransomware is based on the open-source EDA2 ransomware project, reported BleepingComputer. Victims will first see a phony Windows Update screen, which was built to make them think they're downloading a new critical Windows update.

To make the update appear legitimate, the attackers added fake details like a Microsoft copyright and "critical update" file name. Unsuspecting users may agree to download and think they're updating their PC as usual.

In reality, the virus is working in the background to encrypt files so they can be held for ransom. An embedded program called WindowsUpdate.exe launches a full-display update screen so users can't switch between apps while the "update" is in progress.

When the ransomware is done encrypting files, Fantom victims will see a ransom note with the name Decrypt_Your_Files.HTML. The note will include the user's ID key and directions for how to email the cybercriminals with payment in order to regain access to their information.

This ransomware encrypts files using AES-128 encryption. There is no means of decrypting Fantom.

A Microsoft spokesperson provided the following statement about Fantom:

"Microsoft’s free security software, which comes standard with Windows, detects and helps remove Fantom malware. We also encourage customers to practice good computing habits online, including exercising caution when clicking on links to Web pages, opening unknown files, or accepting file transfers."

Ransomware attackers employ a variety of means to fool users into granting access to their machines, but this is a crafty one. It also targets a massive portion of business users, most of whom work on Windows machines.

Fantom is particularly threatening to the enterprise because it mimics a screen most business users recognize. The cybercriminals are betting employees will believe the upgrade prompt is legitimate and download the ransomware without thinking twice.

"[Fantom] is part of an increasing trend of malicious software that mimics things we know and trust," says Norman Guadagno, chief evangelist at Carbonite. "This makes it frightening, and potentially even more dangerous, in an enterprise scenario because we're all used to seeing those Windows Update screens."

He says it's important for businesses to notify users of this threat and to convey how Windows Update is handled inside the organization. They should also encourage precautionary measures; for example, ensuring computers are backed up so that if they're infected, they can be rolled back without a ransom payment.

If a victim doesn't have his or her data backed up, oftentimes they end up paying the ransom, Guadagno says. Most ransomware attackers will release files after payment is received, however, he notes.

IT managers should be on alert for this type of attack, as ransomware statistics indicate this threat is a growing risk to businesses. In a 2016 mid-year Trend Micro report, researchers claim more new ransomware families appeared in the first half of 2016 than throughout all of 2015.

The report showed 79 new ransomware families were added in the first half of this year. These, combined with older variants of the malware, have cost businesses $209 million in monetary losses so far in 2016.

Ransomware is normally considered a bigger risk for small- to midsized business or individual users, but Trend Micro found the first half of 2016 also brought a spike in ransomware built to target business systems. New variants of enterprise-focused malware include CRYPSAM and CRYPRADAM AND KIMCIL.

Some companies manage their users' Windows Updates, but not all businesses have the resources to do this. Home-based and remote workers are especially vulnerable as they typically install their own updates.

Related Content:

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/1/2016 | 1:12:05 PM
Re: Windows 10 affected?
Ultimately, the best advice: Just be extra careful with what you click on, use adblockers, and disable Flash and Java unless you REALLY REALLY REALLY trust the site.  And never click an attachment or link in an email unless you're expecting it and know what it is (and you trust the sender).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/1/2016 | 1:08:18 PM
Re: SMH
Oh, yes, I definitely understand it (heck, even I have issues with the chip scanners sometimes -- especially because of the inconsistency among retailers).  It just used to be much easier and more straightforward.  (But, of course, fewer people had personal computers back then.)

Now stop skateboarding on the sidewalk!
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
9/1/2016 | 8:11:19 AM
Re: Windows 10 affected?
Ransomware still creeps me out the most but at least I have a tonne of backups. But I'd rather be aware and scared, I can't imagine the shock of having all of your most personal files and folders encrypted out of the blue with no warning. 
emjones_uow
50%
50%
emjones_uow,
User Rank: Apprentice
9/1/2016 | 6:23:25 AM
Re: VPN for Additional Security
The ones i mentioned, keeps no log and there are many who does'nt either. I know there are VPNs working in grey areas but not to forget the core purpose of having a VPN. Organizations have it, to secure their network, obviously there are other factors aswell but sparing a small amount for an additional security is the least a simple internet user can do. Makes it difficult to hack ones IP as VPN ensures anonymity. 
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
9/1/2016 | 6:12:59 AM
Re: VPN for Additional Security
How has your experience been with Purevpn? I have read good reviews about their connectivity.
jcavery
50%
50%
jcavery,
User Rank: Moderator
8/31/2016 | 7:50:28 PM
Re: Windows 10 affected?
Ahyup,   XP through 10
jcavery
50%
50%
jcavery,
User Rank: Moderator
8/31/2016 | 7:28:25 PM
Re: SMH
If you have ever gotten behind the wrong person in line at a grocery store with the chipped debit cards, you can understand why that person might also have trouble configuring a reliable backup system on their PC. Back in my day the only chips in a grocery store were right next to the salsa!

That ball that flew over my fence? I'm keeping it. It's mine now.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:25:29 PM
Re: SMH
@jcavery: It's kind of dumb if you think about it.  Floppy drives used to come standard on computers (both desktops and laptops).  Local backup was a breeze.  Now floppy drives are considered obsolete because we have thumb drives.  Except thumb drives are still pretty expensive -- unless you get free ones at conferences...which may be infected with malware.

Meanwhile, I've got an old ZIP Drive and ZIP Disks kicking around somewhere and I can't get to what's backed up on those from years ago because nobody makes machines with those printer ports anymore.

Now I'm cranky and wistful for the good old days.  Get off my lawn.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:22:08 PM
Re: Ransomware
Ransomware sort of became this logical next step once the spamming business for black-market pharmaceuticals went under.  Black hatters needed to find a different way to leverage their botnets, their resources, their skillz.

In our attempt to kill a fly, we let in a hornet.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:19:24 PM
Re: VPN for Additional Security
In addition or as an alternative, one could work with a virtual sandbox (like sandbox.ie).  One InfoSec guy I know swears by them for protecting against ransomware specifically, among other threats.
Page 1 / 3   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.