Fantom Ransomware: Top Things IT Admins Need to Know

A new strain of malware – Fantom ransomware – was discovered in late August, and it’s spooking IT administrators all over the world. Here are a few things you need to know about this highly deceptive trap.

  • Like most other forms of EDA2-based ransomware, Fantom works by creating an AES-128 key.
  • It then encrypts that key using RSA, an asymmetric cryptographic algorithm, and uploads it to the malware developers’ server.
  • Once the program is on a victim’s system, it will scan local drives, encrypt specific file types (up to 350 different types), replace extensions with “.fantom” and display a ransom note which provides directions for contacting the hackers (specifically via email) and regaining access to files.

In this sense, Fantom isn’t unique in its technical execution. At the end of the day, it’s how the malware is delivered that really makes it so sinister.

A Conniving Social Engineering Scheme

In what may just be the cleverest ransomware scheme since PETYA (which infected human resources users by hiding in fake job application emails), Fantom is delivered through a fake Windows Update screen. The forgery is apparently so convincing that “most users, including business users, recognize and even trust [it],” according to Comodo.

Once the user initiates the installation, a file named “WindowsUpdate.exe” will launch. At this point, a Windows update display will commandeer the screen. Again, the ruse is convincing enough that most enterprise users wouldn’t suspect foul play at this point. However, what appears to be a Windows update is in actuality masking the fact that your files are being encrypted.
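The two observable indicators described above (files renamed to “.fantom” and a process named “WindowsUpdate.exe”) can be checked against file-rename telemetry. The following Python is an added example, not code from this article or from Faronics; the event schema, threshold, window and sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".fantom"              # extension named in the article
DROPPER_NAME = "windowsupdate.exe"  # file name named in the article

# Constructed events (assumed schema): timestamp, process image, old path, new path
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", r"C:\Users\amy\Downloads\WindowsUpdate.exe", r"C:\Docs\q3.xlsx", r"C:\Docs\q3.fantom"),
    ("2024-01-01T10:00:02", r"C:\Users\amy\Downloads\WindowsUpdate.exe", r"C:\Docs\plan.docx", r"C:\Docs\plan.fantom"),
    ("2024-01-01T10:00:03", r"C:\Users\amy\Downloads\WindowsUpdate.exe", r"C:\Docs\a.pdf", r"C:\Docs\a.fantom"),
    ("2024-01-01T10:00:09", r"C:\Users\amy\Downloads\WindowsUpdate.exe", r"C:\Docs\b.jpg", r"C:\Docs\b.FANTOM"),
    ("2024-01-01T09:00:00", r"C:\Tools\sync.exe", r"C:\Lab\s1.txt", r"C:\Lab\s1.fantom"),
    ("2024-01-01T11:00:00", r"C:\Tools\sync.exe", r"C:\Lab\s2.txt", r"C:\Lab\s2.fantom"),
    ("2024-01-01T13:00:00", r"C:\Tools\sync.exe", r"C:\Lab\s3.txt", r"C:\Lab\s3.fantom"),
    ("2024-01-01T10:05:00", r"C:\Windows\explorer.exe", r"C:\Docs\old.tmp", r"C:\Docs\old.docx"),
]

def max_burst(times, window):
    """Largest number of events that fall inside any sliding time window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_fantom(events, threshold=3, window=timedelta(seconds=60)):
    """Flag processes that mass-rename files to .fantom or carry the dropper name."""
    renames = defaultdict(list)
    for ts, image, old, new in events:
        # Count only transitions into the ransom extension, case-insensitively.
        if new.lower().endswith(RANSOM_EXT) and not old.lower().endswith(RANSOM_EXT):
            renames[image.lower()].append(datetime.fromisoformat(ts))
    findings = []
    for image, times in sorted(renames.items()):
        burst = max_burst(times, window)
        name_match = ntpath.basename(image) == DROPPER_NAME
        if burst >= threshold or name_match:
            severity = "high" if burst >= threshold and name_match else "medium"
            findings.append({"image": image, "burst": burst,
                             "name_match": name_match, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in detect_fantom(SAMPLE_EVENTS):
        print(finding)
```

The sliding window keeps a process that produces a few “.fantom” files hours apart (the constructed `sync.exe` events) from being flagged, while a burst of renames within seconds is.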

“There is no means of decrypting Fantom,” DARKReading contributor Kelly Sheridan wrote.

Fantom ransomware is a master of disguise.

Can Such Situations Be Tackled?

By properly educating the lines of business on security best practices, such incidents can be prevented to a certain extent. However, there is a definite need for deploying a robust layered security solution, especially one that offers active protection to make it easier to detect malware such as Fantom and block it from running on a Windows or Mac machine.

While there’s no guarantee that Fantom ransomware or another form of malware won’t infect enterprise endpoints, organizations must have a way to quickly mitigate the damage if it does, without having to pay a ransom or suffer through extensive downtime while IT staff manually perform repetitive tasks to restore the computing environment to its pristine state.

Solutions like Faronics Deep Freeze help organizations add a very useful layer of security to their perimeter of defenses. The IT downtime that results from such incidents causes maximum damage and disruption to operations. This can be addressed with minimal effort, while enabling IT teams to focus on other critical aspects of the disaster recovery plan. With Faronics’ patented ‘Reboot to Restore’ technology, preferred system configurations can be locked down easily, and in the event of any disruption, these pristine configurations can be restored instantly with a simple system restart.

So, yes. Such situations can definitely be tackled with carefully curated layers of security. Contact Faronics to learn more.

About The Author

Matt Williams

A self-proclaimed ‘tech geek’, Matt has worked in technology for a decade and divides his time between blogging and working in IT. He is a huge New York Giants fan and an expert on Reboot Restore Technology. When not watching football, Matt gets his game on playing Call of Duty with his friends and other tech bloggers.
