From a technical point of view, Fantom is almost identical to many of its ransomware lookalikes. It is based on the EDA2 open-source ransomware code, which was developed by Utku Sen as part of a failed experiment. It is, in fact, one of many EDA2-based cryptoblockers, but in its attempts to disguise its activity, Fantom goes a bit too far.
We don’t know Fantom’s methods of distribution yet. But after it infiltrates a computer, it starts the usual ransomware routine: creates an encryption key, encrypts it, and stores it on a command-and-control server to be used later.
Then the Trojan scans the computer, searching for files of the types it encrypts (more than 350, including popular office document formats, audio, and images). It uses the aforementioned key to encrypt them and adds the extension .fantom to their file names. However, with all of those processes running in the background, the most interesting part is happening right before the victim’s eyes.
Before we jump to that part, it’s worth mentioning that this ransomware executable masquerades as a critical Windows update. And when the malware starts working, it executes not one, but two programs: the cryptor itself and a little program with the innocent-looking name WindowsUpdate.exe.
The latter is used to simulate a genuine-looking Windows Update screen (a blue screen that informs you Windows is being updated). While Fantom is encrypting the user’s files in the background, the message on the screen displays the “update” (in reality, the encryption) progress.
This trick is designed to distract victims from the suspicious activity on their computers. The fake Windows Update runs in full-screen mode, visually blocking access to other programs.
If users become suspicious, they can minimize the fake screen by pressing Ctrl+F4, but that won’t stop Fantom from encrypting files.
When it’s done encrypting, Fantom wipes out its traces (deletes the executables), creates a .html ransom note, copies it into each folder, and replaces the desktop wallpaper with a notification. The attacker provides an e-mail address so the victim can get in touch, discuss the terms of payment, and get further instructions.
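The two behaviours described above, mass renaming of files to the .fantom extension and an .html note dropped into every folder, are exactly what a file-monitoring heuristic can key on. The following Python is an added example, not code from the article or from any vendor tool; the event format, the thresholds, the process names and the note filename are all assumptions.

```python
"""Heuristic detection of Fantom-style file activity (added example).

Assumed input: events as (timestamp_seconds, process_name, operation, path),
the shape a file-monitoring tool might emit. Thresholds are illustrative.
"""
from collections import defaultdict
from typing import Iterable, List, Tuple
import ntpath

Event = Tuple[float, str, str, str]  # (ts, process, op, path)

RANSOM_EXT = ".fantom"     # extension the article says Fantom appends
WINDOW_SECONDS = 60.0      # assumed burst window
RENAME_THRESHOLD = 20      # assumed renames-per-window threshold
NOTE_DIR_THRESHOLD = 3     # assumed number of distinct folders receiving an .html


def fantom_indicators(events: Iterable[Event]) -> List[str]:
    """Return one alert string per process showing Fantom-like behaviour."""
    renames = defaultdict(list)   # process -> timestamps of *.fantom renames
    note_dirs = defaultdict(set)  # process -> folders where it created an .html
    for ts, proc, op, path in sorted(events):
        low = path.lower()
        if op == "rename" and low.endswith(RANSOM_EXT):
            renames[proc].append(ts)
        elif op == "create" and low.endswith(".html"):
            note_dirs[proc].add(ntpath.dirname(low))
    alerts: List[str] = []
    for proc, stamps in renames.items():
        # Sliding window: largest number of .fantom renames inside WINDOW_SECONDS.
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= RENAME_THRESHOLD:
            alerts.append(f"{proc}: {best} files renamed to {RANSOM_EXT} "
                          f"within {int(WINDOW_SECONDS)}s")
    for proc, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alerts.append(f"{proc}: .html note written to {len(dirs)} folders")
    return alerts


def sample_events() -> List[Event]:
    """Constructed telemetry: one encryptor-like process plus benign activity."""
    ev: List[Event] = [(100.0 + i, "cryptor.exe", "rename",
                        f"C:\\Users\\u\\Docs\\f{i}.docx.fantom") for i in range(25)]
    for folder in ("Docs", "Pictures", "Music", "Desktop"):  # note.html is a placeholder name
        ev.append((130.0, "cryptor.exe", "create", f"C:\\Users\\u\\{folder}\\note.html"))
    ev.append((50.0, "explorer.exe", "rename", "C:\\Users\\u\\Docs\\old.fantom"))
    ev.append((55.0, "explorer.exe", "create", "C:\\Users\\u\\Docs\\page.html"))
    return ev
```

Running `fantom_indicators(sample_events())` flags only the encryptor-like process; the single benign rename and note stay below the thresholds.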
Providing contact information is typical for Russian-speaking hackers, by the way, and other signs indicate the culprit’s likely Russian origins as well: the Yandex.ru e-mail address and very bad English. As Bleeping Computer puts it, “the grammar and wording could be one of the worst I have seen in a ransom note to date.”