New Ransomware Copies Windows Update

Wednesday, August 31, 2016 @ 12:08 PM gHale


Another new ransomware shows a fake Windows Update screen while, but in reality it is encrypting the user’s files.

The ransomware is coded on top of EDA2, a ransomware building kit that was open-sourced last year but eventually taken down, said AVG security researcher Jakub Kroustek, who discovered the malware.

RELATED STORIES
New Ransomware Targets Linux
Decrypter Released for New Ransomware
New Ransomware Version Available
Ransomware Decrypters Available

EDA2 contained flaws that allowed researchers to obtain the decryption keys from the ransomware’s C&C server.

Those flaws aren’t there anymore, meaning one of the Fantom coders found them and fixed them, said researchers at Bleeping Computer.

There are no details on Fantom’s distribution. The method used by attackers to plant the malicious file on the user’s computer can be either via spam email or exploit kits.

Either way, the Fantom-infected file is criticalupdate01.exe, and attackers are using the “Windows Security Update” lure to fool users into running their malicious file.

When this happens, the ransomware springs into action by locking the user’s screen and showing fake Windows Update graphics, with a fully functional percentage-based loading timer, just like on the original Windows Update screen.

This screen, though, is a trick. Behind the scenes Fantom is encrypting files. This temporary lock screen can end up removed before it reaches 100 percent by pressing CTRL+F4, but this won’t stop the encryption process.

The ransomware uses classic ransomware encryption by locking files using an AES-128 key and then encrypting this key with a dual RSA key, with the private key stored on the attacker’s server, and a public key left on the user’s PC, researchers said.

To get the private key and unlock their files, users have to contact the attacker by email, which ends up listed in the ransom note, displayed after the encryption process ends.

Fantom shows ransom notes in the form of HTML and TXT files, but it also changes the user’s desktop with a custom screenshot containing the contact details.

At the end of all these operations, Fantom runs two batch scripts that delete its installation files.