August 29, 2016Tyler Moffitt By Tyler Moffitt

Fantom ransomware impersonates Windows update


Fantom_PropertiesWindows 10 has been notorious about automatically installing updates on users’ machines and now there is a ransomware that aims to capitalize on it. The new ransomware, Fantom, is based on the EDA2 open-source ransomware project on GitHub called hidden tear that’s recently been abandoned.

Fantom behind the scenes

In an attempt to conceal malicious intention, the authors of this ransomware modified the file properties to show copyright and legal trademarks mimicking a Windows update.

Once this dropper is executed, the payload “WindowsUpdate.exe” is dropped in AppData\Local\Temp displaying the fake Windows Update screen as shown below. This screen locks you out of doing anything else on your computer, keeping in line with the scam that Windows 10 doing its normal interrupt of updates.

The percentage counter does work and will go up at about a percent per minute. However, it’s fake and doesn’t represent anything other than to communicate to you that this “Windows update” will take a while and that you shouldn’t be alarmed of CPU usage and hard drive activity. You can close this fake update overlay by ending the process “WindowsUpdate.exe” using task manager, but the encryption of your files is unaffected.



Encryption is done using AES-128 encryption and when a file is encrypted it will append “.fantom” to the extension of the file. Also in every directory that a file is encrypted, a standard ransom note “DECRYPT_YOUR_FILES.HTML” is created.

The ransom note doesn’t have an onion link as your payment portal for your files – a standard for most encrypting ransomware. Instead, you’re asked to email the cyber criminals and await response. This tactic is meant to target less savvy computer users who would be intimidated by creating a bitcoin wallet address and using a tor browser to connect to the darknet for ransom payment. To increase odds of gaining trust, two “freebie” files for decryption are allowed.


However, it’s clear that these cyber criminals have a very loose grip on the English language so we don’t anticipate much traction with their scams through email. We also reached out as a test and have yet to hear back in over 24 hours.




Employ a backup solution

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 Analyzed: 7D80230DF68CCBA871815D68F016C282

Additional MD5 seen: 4AC83757EBF7ACD787F732AA398E6D53

Share Button

31 Responses to Fantom ransomware impersonates Windows update

    • Solve it by keeping a backup of all your data for at least 30 days. if you’re on a thin budget then download VEEAM free edition and backup to a basic external hard drive. Restoring your files or entire system is really easy.

  1. Another thing that I do is employ a External USB Backup drive. I don’t leave this drive connected to my home network. I attach the drive and about twice a month, I run a full image backup.

    The reason for the image backup is that it will also restore the Operating System.

    I also have Webroot Internet Complete Security. In addition I use all of the following FREE programs. CCleaner, Malwarebytes, SuperAntiSpyware. Now I have found that I don’t always find any additional issues between Malwarbytes and SuperAntiSpyware but on an occasion, I do.

    Before I run any of these programs, I always make sure that I update any definitions that are available and then run the program. I do this at least twice a week.

  2. My laptop did a fairly long Windows 10 update yesterday, and then again when I turned it on this morning. But I don’t see any “.fantom” files, or ransom note. I have a directory under C:/Program Files/Application Data that I can’t open (“Access is denied”). How do I know if I got hit with this one?

  3. My computer was hacked by one of those update messages for windows 10. I clicked on the “x” to dismiss it and everything just stopped and froze up. No curser, couldn”t turn the computer off, nothing worked. Pulled the plug, waited for 15 minutes and tried to restart the computer. Nothing will work, just a message saying diagnostics unable to restart the computer. so that computer is sitting in a brown box rusting away with all my data in it. Bummer!

    • So sorry to hear that, Joseph!

      For future reference for you, any threat related concerns/questions can always be directed to our Advanced Malware Removal Team for review. This is a service we offer to all of our Customers with an active subscription at no charge.

      Support Number: 1-866-612-4227 M-F 7am−6pm MT
      Send us a Support Ticket:

      Warm Regards,
      Josh P.
      Social Media Coodinator

  4. I have two questions:
    Josh, I have a Webroot subscription still on my old XP computer and would like to transfer it to my W-7 laptop. Do I call tech support to do this? Do I have your backup feature too as mentioned above?

    I use a Seagate external HD for my PC backups. Will this suffice to reinstall everything in the event I’m hit with the ransomware? Thanks, Jim J.

    • Hello,

      You will absolutely be able to transfer your subscription to your new laptop as long as it is still active.

      You can email me directly with the account I can find you with:

      or reach out to Tech Support directly as you mentioned for assistance with transferring your Webroot Security:
      Support Number: 1-866-612-4227 M-F 7am−6pm MT
      Send us a Support Ticket:

      In regards to the external hard-drive backups, that is the most optimal way to mitigate risk of Ransomware. Whatever you have backed up externally is completely safe from intruders.

      Please let me know if I can help answer anything else for you at all.

      Warm Regards,
      Josh P.
      Social Media Coodinator

  5. Several days ago a red screen came on with the Windows 10 upgrade.I wasn’t asked to do anything nor had an opportunity to lasted quite sometime.Next day it came on again and I just shut off the computer.Why wasn’t I ever informed ahead of time that this maybe a bogus upgrade.what is web root worth if only after you e-mail meand tell me of it.

  6. So to be clear. Is this automatically installed like a real windows update or does a user have to choose to “update” How is it delivered.

    • The user has to execute the “update”. It is not installed automatically like Genuine Microsoft Windows Updates.

      Warm Regards,
      Josh P.
      Social Media Coordindator

  7. Does this ransomware execute automatically during bootup like other Windows updates or does the victim have to execute it manually?

    • The user has to execute the “update”. It is not installed automatically like Genuine Microsoft Windows Updates.

      Warm Regards,
      Josh P.
      Social Media Coordindator

  8. This article fails to mention how the ransomware makes it on to our computers. Do we have to click a link to download, or have they found a way to place it without the user actually clicking or downloading?

  9. Have been hit with this fake-Windows-10-Update ransomware twice. Managed to fix it myself (NOT a tech pro), but it was very time-consuming and many-expletives-deleted annoying. An ounce of prevention is worth a pound of cure, so how does this type of ransomware get on our computers in the first place, and how can we avoid it? Thanks!

  10. I have webroot so will they know if i have been hit. i don’t know for sure but i think i may have fallen for it yesterday. I was told to update when asked but i don’t really know what is what. in beginning i never did update on my old computer, it fell so behind i could not use some programs. I think i may have Kapersky and Geek squad. or who is supposed to help me?

Leave a Reply

Your email address will not be published. Required fields are marked *