
Fantom Ransomware Help Support Topic - .fantom extension DECRYPT_YOUR_FILES.HTM


17 replies to this topic

#1 Grinler (Lawrence Abrams), Admin, 43,271 posts, USA

Posted 25 August 2016 - 11:26 AM

A new ransomware called Fantom was discovered by AVG malware researcher Jakub Kroustek that is based on the open-source EDA2 ransomware project. The Fantom Ransomware uses an interesting feature of displaying a fake Windows Update screen that pretends Windows is installing a new critical update. In the background, though, Fantom is secretly encrypting a victim's files without them noticing.

 

Fantom will encrypt files using AES-128 encryption and append the .fantom extension to encrypted files.

 

The ransomware will display the ransom note called DECRYPT_YOUR_FILES.HTML that includes the victim's ID key and provides instructions to email fantomd12@yandex.ru or fantom12@techemail.com in order to receive payment instructions.  

[screenshot: html-ransom-note.png, the DECRYPT_YOUR_FILES.HTML ransom note]

 




#2 bmcatcah, Members, 2 posts

Posted 25 August 2016 - 06:20 PM

I have a client who got hacked with this ransomware over a week ago.  While the infection is no longer running on the machine, the client's files are still encrypted.

 

Tried running TrendMicro's Anti-Ransomware tool - kicked back three possible matches: MENUCOD, XORIST, and XORBAT.  Haven't been able to complete the comparison that the tool needs, but it sounds like it won't be able to decrypt the files.

 

Please keep me posted on any updates to this nasty-azz hackware!!

 

BMac    8^D



#3 quietman7 (Bleepin' Janitor), Global Moderator, 49,951 posts, Virginia, USA

Posted 25 August 2016 - 06:45 PM


When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#4 Drigger, Members, 1 post

Posted 01 September 2016 - 03:22 AM

Are you able to get a trace on the attack vector being used in this case?

 


 



#5 cybercynic, Members, 553 posts, Edge Of Tomorrow

Posted 05 September 2016 - 03:06 PM

@TheGear:

 

As you can see, there is very little information available on this ransomware. See this article for some additional info: http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/


We are drowning in information - and starving for wisdom.


#6 Demonslay335 (Ransomware Hunter), Security Colleague, 3,251 posts, USA

Posted 05 September 2016 - 04:30 PM

@TheGear

 

This ransomware does not do anything that would destroy a partition or anything like that. It simply encrypts the data and messes with safe boot and all of that. You should be able to see the partition without any trouble. You may have something else going on.

 

This ransomware is suspected to be part of the RemindMe/Sanction/NegozI family, the ransom note is the same and the code is formatted similarly.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#7 TheGear, Members, 82 posts

Posted 06 September 2016 - 01:14 PM

OK, Knoppix was able to get me to this disk, but not mount it. Since no OS was willing to mount it, I had worried that perhaps the MBR or some other critical part of the disk had been encrypted or otherwise mangled. Apparently not the case, but there's no detectable file system.  

 

Two questions:

 

1. Does anybody who's analyzing Fantom need a limited dump of some specific part of the disk? (Recall, I powered down in the middle of Fantom's nefarious operation, hoping to recover non-encrypted files.)

 

2. Should I hang on to this disk as-is and install a new one for recovery, hoping that the encryption could be broken later on?  Or just reformat and restore? (I think the answer to that is that since no files are recoverable at this time, I wouldn't be able to get to the public key the bad guys used anyhow.)

 

Thanks



#8 Demonslay335 (Ransomware Hunter), Security Colleague, 3,251 posts, USA

Posted 06 September 2016 - 01:22 PM

We have the source code of this one, no need for a disk dump. It is based on the EDA2 project, and secures its keys properly. The (securely generated) AES key is encrypted with a public RSA-2048 key before it is sent over the network. The only chance of recovering data will be if the criminals are caught and/or the keys are seized from their database.

 

You can certainly hang on to the encrypted data. If the keys are leaked, we would just need the files, and the names of the computer and infected username to match up with the key dump (I have a program that can iterate the keys and test them on a file anyways, so that isn't a huge priority). Due to a bug in the EDA2 webpanel source code, there is a key collision if another victim has the same computer name, which would overwrite your key - yet another issue with these variants.


Edited by Demonslay335, 06 September 2016 - 01:23 PM.

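The key handling Demonslay335 describes above (a per-victim AES key generated on the host, wrapped with an RSA-2048 public key before it is sent to the panel, and a panel database that keys its records by computer name) can be modelled end to end. The following is an added example written for this page; it is not code from EDA2, Fantom or any decryptor, and the names Panel, Victim, Infect and Register are its own. It assumes AES-128-CBC with PKCS#7 padding for the file and RSA-OAEP for the key wrap, since the thread does not state the modes, and uses a constructed sample file. It shows both why a file cannot be decrypted without the panel's private key and how a second victim with the same computer name overwrites the first victim's only key record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Victim models one infected host. The per-victim AES-128 key exists only in
// the running sample's memory; what leaves the host is the RSA-wrapped copy.
type Victim struct {
	ComputerName string
	WrappedKey   []byte // RSA-2048-OAEP(fileKey), sent to the panel (mode assumed)
	Ciphertext   []byte // IV || AES-128-CBC(PKCS#7-padded file) (mode assumed)
}

// Panel models the criminals' web panel and its key database. Mirroring the
// EDA2 bug described in the thread, records are keyed by computer name only.
type Panel struct {
	priv    *rsa.PrivateKey
	records map[string][]byte // computer name -> wrapped AES key
}

func NewPanel() (*Panel, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Panel{priv: priv, records: make(map[string][]byte)}, nil
}

// Public is the part compiled into the sample: the panel's RSA public key.
func (p *Panel) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Register is the check-in: the panel stores the wrapped key under the
// computer name, silently replacing any earlier record with that name.
func (p *Panel) Register(v *Victim) { p.records[v.ComputerName] = v.WrappedKey }

// Infect does what the victim-side code does: draw a fresh AES-128 key from
// the OS CSPRNG, encrypt the file with it, then wrap the key with the public key.
func Infect(pub *rsa.PublicKey, computerName string, file []byte) (*Victim, error) {
	key := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	ct, err := encryptCBC(key, file)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Victim{ComputerName: computerName, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt is what a decryptor built from a seized key database would do:
// look the record up by computer name, unwrap it with the private key, decrypt.
func (p *Panel) Decrypt(computerName string, ct []byte) ([]byte, error) {
	wrapped, ok := p.records[computerName]
	if !ok {
		return nil, errors.New("no key record for " + computerName)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return decryptCBC(key, ct)
}

func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a whole number of blocks")
	}
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	pt := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, body)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	panel, err := NewPanel()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 invoices (constructed sample file)")
	// Two unrelated victims whose machines happen to share a computer name.
	v1, _ := Infect(panel.Public(), "DESKTOP-PC", doc)
	v2, _ := Infect(panel.Public(), "DESKTOP-PC", []byte("someone else's file"))
	panel.Register(v1)
	panel.Register(v2) // overwrites v1's record
	pt1, err := panel.Decrypt("DESKTOP-PC", v1.Ciphertext)
	fmt.Println("victim 1 recovered from panel record:", err == nil && bytes.Equal(pt1, doc))
	pt2, err := panel.Decrypt("DESKTOP-PC", v2.Ciphertext)
	fmt.Println("victim 2 recovered from panel record:", err == nil && string(pt2) == "someone else's file")
}
```

Two things follow from the model. Without the private key the wrapped key is useless, so nothing on the victim's disk helps a decryptor; only a seizure or leak of the panel's private key and records does, and then the encrypted files plus the name the record was filed under are all that is needed. With the name collision, the first victim's wrapped key is simply gone from the database, and no amount of private-key material brings it back, which is why Demonslay335 mentions brute-testing every leaked key against a file rather than trusting the lookup.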


#9 VGER, Members, 4 posts

Posted 01 October 2016 - 03:15 PM

Hi,

Unfortunately, I think I just got this on my main home PC.  Thanks in advance for any help you can provide.  I got the restart and the fake update screen.  I powered off the machine at about 50%.  I had an external backup drive connected to it that I disconnected early on, maybe at 10%.  So, my questions are:  

 

When I power up the PC, will the encryption software start up again?  

If so, how can I kill it and delete it?

Is it likely that my external backup is okay?

 

I'm hoping I can delete the malware and all the .fantom files, and then copy my data files back from the external.

 

 

Any help would be very much appreciated!  I'll leave the PC powered off for now.



#10 TheGear, Members, 82 posts

Posted 01 October 2016 - 03:36 PM

VGER, I'm about to embarrass myself in public for you, a total stranger.

 

For review:   I walked up to my computer and found it in the middle of a verrrry slow "system update." I did a google and quickly found a pic of a ransomware that looked precisely like my screen (the standard Microsoft wait-while-we-upgrade screen), so I crowbarred my system down at 42% complete. From that point, I was unable to mount the disk, so I assumed that the Bad Guys had played with the MBR or something to prevent interruptions like I had done. To me, all signs pointed to ransomware.

 

Fast forward a week, and I've bought a new disk and rebuilt it. I finally thought to myself, why not plug in the old disk and see if it will go to completion with its encryption, in the hope that the good folks at Bleeping will find the decryption key. So I did. A few hours later, my Windows 10 system was up and running, healthy as ever, and passing three different AV scans with no problems at all.

 

The point of all this verbiage is that I didn't have a virus or ransomware, it was just a really long system upgrade. You might want to think about running that risk and seeing what happens. After all, your problem happened about the same time, plus or minus, as mine, so it could be the same upgrade.



#11 VGER, Members, 4 posts

Posted 01 October 2016 - 04:12 PM

TheGear,

Thanks very much for this info.  Man, that would be the best case scenario I can imagine.  It appears that my external backup is fine.  I plugged it into an old laptop I have.  All the data is there and the laptop does not appear to be getting infected from it.  So, that's a big relief.  

 

The reason I suspected ransomware right away is that I had just restarted the machine an hour before the incident with no issues.  Then after stupidly clicking on a link that I should not have, I got a pop up saying an app was being installed.  I quickly killed that and started a full Windows Defender scan.  I then (prior to Defender finishing) decided to restart the machine again (to hopefully kill any encryption app running in background) and planned to restart the Defender scan at that point.  So, I then became suspicious when the restart was taking a long time, did a search and found this site.

 

Given that my backup drive seems to be fine (and is no longer connected to the suspect machine), maybe I should power up and cross fingers?  Can't I hit something like Ctrl-F4 to close the fake Windows Update screen (assuming it's fake) and maybe then I could search for .fantom files to determine for sure what this is?  I guess if Ctrl-F4 closes the Update screen, is that proof enough?

 

thanks again!



#12 VGER, Members, 4 posts

Posted 01 October 2016 - 06:06 PM

Wow, I think I need a beer....   Based on TheGear's comments and the finding that my backup drive seemed to be fine, I decided to boot up the suspect machine.  It booted to a Windows recovery screen saying it was restoring my previous Windows 10 system.  After about 5 minutes or so, it rebooted and my good old wallpaper and desktop appeared.  I checked Task Manager to see if any of the Fantom exes were running and found none.  I then did a search of both my boot and data drives for any of the known Fantom files and any .fantom files.  None.  I then ran a Quick Windows Defender scan and it found nothing....  I'm now running a Full Defender scan just to be sure.  So, it appears that I'm paranoid, and panicked for no reason.  

 

I guess this is a lesson-learned for others that may go down this path..... it just really may be a simple authentic Windows update running.  Some take a very long time.

 

Thanks again to TheGear.  I would have bet money this was Fantom.

 

And now to the beer...... 



#13 Demonslay335 (Ransomware Hunter), Security Colleague, 3,251 posts, USA

Posted 01 October 2016 - 08:10 PM

@VGER

 

Glad to hear the threat wasn't real. Take it as a good test of your backup strategy. :)




#14 VGER, Members, 4 posts

Posted 01 October 2016 - 09:38 PM

@Demonslay335

 

Roger that!  

 

My full Windows Defender scan is completed now.  All looks good.  Man, this was a scare, though!  



#15 TheGear, Members, 82 posts

Posted 02 October 2016 - 11:20 PM

To kind of put a cap on this story, it turns out that what we've been dealing with is a lousy Windows upgrade that gets caught in a loop of failing install, deinstalling itself, then reinstalling. My computer is doing a reinstall as I type this.

 

I'm going to try to put a URL here, if the site will allow it. If not, it's from Thurrott.com, and its title is "Microsoft Delivers Yet Another Broken Windows 10 Update"

 

https://www.thurrott.com/windows/windows-10/81659/microsoft-delivers-yet-another-broken-windows-10-update
