Fantom: Weaponizing a Preventive Measure
- Tags: Fantom
If you grew up in the late 80s (and 90s), you are likely to remember the purple spandex clad “Phantom” from newspaper strips. And he loved wearing his drawers over his crime-fighting suit. Most Super Heroes do!
The ‘Fantom’ we are talking about is more a Super Villain than a Super Hero. It’s one of the newer strains of Ransomware and has so far been able to fool a number of unsuspecting users.
Fantom of The Opera
Jakub Kroustek, a malware researcher at AVG, was the first to discover Fantom. The Ransomware's code is based on the open-source EDA2 Ransomware project.
The interesting bit about Fantom is that it exploits a precautionary measure against Ransomware to hijack data files: updates.
Experts encourage regular software updates to patch up vulnerabilities, if any. And here’s a Ransomware that uses the very concept of updates to infect systems.
Now, that is quite like the eponymous Phantom in the Gothic Novel Phantom of the Opera. Secretive, intelligent, sly, and vicious. However, unlike the antihero of the much loved French novel, this Fantom has no redemptive quality whatsoever.
Fantom’s modus operandi is pretty simple but quite ingenious.
It displays a ‘fake’ Windows Update on screen while surreptitiously encrypting the victim’s files in the background. To cover its malicious activity, the Ransomware attempts to add legitimacy to itself by stating ‘Critical Update’ in the File Properties dialog box.
Fantom’s method of distribution is unknown. But once it has infected a system, it pretty much follows the Ransomware routine.
It creates an encryption key, encrypts it and, finally, stores the key on a command-and-control server to be used later.
It then proceeds to scan the computer and searches for files that it can encrypt – over 350 file types – including popular office document formats, audio and images. Thereafter, it uses the aforesaid key to encrypt the files and adds the extension .fantom to the file names.
And all of this is carried out right under the user’s nose while he’s looking at a perfectly believable ‘Windows Critical Update’ screen. That kind of ‘stealth capability’ is probably the forte of the US Navy!
No security expert can claim that there’s a ‘Cryptoblocker’ or ‘Ransomware Blocker’ that can contain the attacks. Much like a virus, Ransomware is contagious. All it takes is one carrier/vector and it spreads to other systems without warning. What is even more alarming is that, as far as Fantom is concerned, a decryption key is not yet available to decrypt the affected files.
Once the Ransomware is done encrypting, it creates a .html ransom note, copies it into each folder and flashes the ransom message on the desktop. This means affected users have to pay up for the lost data if it was not backed up.
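The two artefacts described above, the .fantom extension on encrypted files and the same .html ransom note copied into every folder, are enough for a simple post-infection sweep. The following is an added example written for this post, not code from the original article or from the malware; the note file name and the thresholds are hypothetical, and the sample directory tree is constructed in a temp folder to stand in for an infected share.

```python
import os
import tempfile
from collections import Counter

FANTOM_EXT = ".fantom"  # extension Fantom appends to every encrypted file


def scan_tree(root):
    """Walk root and return (number of .fantom files,
    Counter of lower-cased .html basenames -> number of directories containing them)."""
    fantom_files = 0
    html_dirs = Counter()
    for dirpath, _, files in os.walk(root):
        html_here = set()
        for name in files:
            lower = name.lower()
            if lower.endswith(FANTOM_EXT):
                fantom_files += 1
            elif lower.endswith(".html"):
                html_here.add(lower)
        for note in html_here:          # count each note name once per directory
            html_dirs[note] += 1
    return fantom_files, html_dirs


def assess(root, min_encrypted=5, min_note_dirs=3):
    """Flag a tree as suspicious when it holds enough .fantom files AND an .html
    file that recurs across several directories (the copied ransom note)."""
    fantom_files, html_dirs = scan_tree(root)
    notes = sorted(n for n, count in html_dirs.items() if count >= min_note_dirs)
    return {
        "encrypted_files": fantom_files,
        "candidate_notes": notes,
        "suspicious": fantom_files >= min_encrypted and bool(notes),
    }


def build_sample_tree():
    """Constructed sample only: empty files laid out like a post-infection folder."""
    root = tempfile.mkdtemp()
    for sub in ("docs", "music", "photos"):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for i in range(3):
            open(os.path.join(d, f"file{i}.docx{FANTOM_EXT}"), "w").close()
        open(os.path.join(d, "RESTORE_FILES.html"), "w").close()  # hypothetical note name
    open(os.path.join(root, "readme.html"), "w").close()  # one-off html, not a note
    return root
```

Running `assess(build_sample_tree())` flags the constructed tree, while a clean temp directory comes back with `suspicious` set to False.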
So why be a victim in the first place? Keep your data backed up and safe from Ransomware!