
Remove Fantom Virus and Decrypt .fantom Files


Fantom ransomware is a new crypto-virus based on the open-source EDA2 project. The virus encrypts files and claims to use the RSA-4096 and AES-256 algorithms for the encryption. When encryption is complete, the ransomware places files with payment instructions on your desktop. Every encrypted file has the .fantom extension appended to its name. To remove the virus and see what you can try in order to restore your files, read the article carefully.

UPDATE: A new variant of this ransomware has been found. You can read about it in
the “New Fantom Virus” article on this blog.

Threat Summary

Name: Fantom
Type: Ransomware, crypto-virus
Short description: The ransomware encrypts files with nearly 600 extensions and claims to have used the RSA-4096 and AES-256 algorithms for the encryption. It demands that you buy a decryption password from the virus makers.
Symptoms: Encrypted files get the .fantom extension appended to their names, and a ransom note with instructions is displayed on the desktop.
Distribution method: Spam emails, email attachments, executable files

Fantom Virus – Delivery Ways

The Fantom virus is likely distributed in several ways; targeted attacks have not been observed so far. Spam email campaigns are probably the main delivery channel. A typical spam email contains a short message that sounds important and claims that the full information, or a program you supposedly need, is in the attachment. The attached files can look harmless, but opening one can drop and run the ransomware payload and infect your computer.

Social media and file-sharing services are two other possible delivery channels for the Fantom virus. A file with a malicious script inside can be uploaded to such networks and presented as a useful program; opening it executes the payload and infects the system. To avoid this, do not open suspicious emails, links, and files. Before opening a file, check its digital signature, its actual file type and its size, and scan it with security software. More ransomware prevention tips are available on our forum.

Fantom Virus – Technical Analysis

The Fantom virus is ransomware based on the EDA2 open-source project. EDA2 was published for educational purposes by a researcher, but it has been used in many real-life attacks. Fantom was discovered by the researcher Jakub Kroustek.

After infection, the payload file will create the following files on your computer:

  • [Path of the executable]\WindowsUpdate.exe
  • [Path of the executable]\update.bat
  • %AppData%\delback.bat
  • %UserProfile%\2d5s8g4ed.jpg

The WindowsUpdate.exe file displays a fake Windows Update screen, shown below:

[Screenshot: the fake “Configuring Windows updates” screen shown by WindowsUpdate.exe]

The screen stays on top of all other windows and does not allow interaction with them. If you see it, your files are being encrypted in the background. You can close the screen with the Ctrl + F4 key combination, but that does not stop the encryption. The percentage shown on the screen rises steadily so that the disk activity caused by the encryption looks like an update being installed.

Next, the Fantom ransomware will create the following entries in the Windows Registry:

→HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 1

→HKCU\Control Panel\Desktop\ “Wallpaper” “%UserProfile%\How to decrypt your files.jpg”

The first entry disables the Windows Task Manager. The second sets the picture that will be used as your wallpaper once file encryption is done. The image below shows that wallpaper and explains where the name Fantom comes from:

[Screenshot: the ransom-message wallpaper set by the Fantom virus]

After all of your files are encrypted, the file DECRYPT_YOUR_FILES.HTML is created. This is the actual ransom note of the Fantom virus, shown below:

[Screenshot: the DECRYPT_YOUR_FILES.HTML ransom note]

The text reads (quoted verbatim, including the original misspellings):

Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.
Getting a decryption of your files is – SIMPLY task.

That all what you need:
1. Sent Your ID_KEY on mailbox [email protected] or [email protected]
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.
3. Pay our services.
4. GET software with passwords for decrypt you files.
5. Make measures to prevent this type situations again.

IMPORTANT(1)
Do not try restore files without our help, this is useless, and can destroy you data permanetly.

IMPORTANT(2)
We Cant hold you decryption passwords forever.
ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
Your ID_KEY:

This ransom note looks familiar because other ransomware families have used variations of it.

The Fantom virus sets no deadline or price for the ransom, but warns that the decryption keys will not be kept forever on the criminals’ servers. The ransom note gives two email addresses for contacting the cyber criminals:

  • [email protected]
  • [email protected]

Do NOT contact the cyber crooks about decryption. There is no guarantee that you will get your files back, and any payment funds their criminal activity.

The Fantom ransomware encrypts a huge number of file types. It targets files with the following extensions:

[Screenshot: encrypted files carrying the .fantom extension]

→.001, .1cd, .3d, .3d4, .3df8, .3fr, .3g2, .3gp, .3gp2, .3mm, .7z, .aac, .abk, .abw, .ac3, .accdb, .ace, .act, .ade, .adi, .adpb, .adr, .adt, .ai, .aim, .aip, .ais, .amf, .amr, .amu, .amx, .amxx, .ans, .ap, .ape, .api, .apk, .arc, .arch00, .ari, .arj, .aro, .arr, .arw, .asa, .asc, .ascx, .ase, .asf, .ashx, .asmx, .asp, .aspx, .asr, .asset, .avi, .avs, .bak, .bar, .bay, .bc6, .bc7, .bck, .bdp, .bdr, .bib, .bic, .big, .bik, .bkf, .bkp, .blob, .blp, .bmc, .bmf, .bml, .bmp, .boc, .bp2, .bp3, .bpl, .bsa, .bsp, .cag, .cam, .cap, .car, .cas, .cbr, .cbz, .cc, .ccd, .cch, .cd, .cdr, .cer, .cfg, .cfr, .cgf, .chk, .clr, .cms, .cod, .col, .cp, .cpp, .cr2, .crd, .crt, .crw, .cs, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .dayzprofile, .dazip, .db0, .dbb, .dbf, .dbfv, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .dir, .disk, .divx, .diz, .djvu, .dmg, .dmp, .dng, .dob, .doc, .docm, .docx, .dot, .dotm, .dotx, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dvi, .dvx, .dwg, .dxe, .dxf, .dxg, .elf, .epk, .eps, .eql, .erf, .err, .esm, .euc, .evo, .ex, .exif, .f90, .faq, .fcd, .fdr, .fds, .ff, .fla, .flac, .flp, .flv, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .gif, .grf, .gthr, .gz, .gzig, .gzip, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .idx, .ifo, .img, .indd, .ink, .ipa, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jc, .jfif, .jgz, .jif, .jiff, .jpc, .jpe, .jpeg, .jpf, .jpg, .jpw, .js, .json, .kdb, .kdc, .kf, .kmz, .kwd, .kwm, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .lgp, .litemod, .log, .lp2, .lrf, .ltm, .ltr, .ltx, .lvl, .m2, .m2v, .m3u, .m4a, .mag, .man, .map, .max, .mbox, .mbx, .mcd, .mcgame, .mcmeta, .md, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mic, .mip, .mkv, .mlx, .mod, .mov, .moz, .mp3, .mp4, .mpeg, .mpg, .mpqge, .mrw, .mrwref, .msg, .msp, .mxp, .nav, .ncd, .ncf, .nds, .nef, .nfo, .now, .nrg, .nri, .nrw, .ntl, .odb, .odc, .odf, .odi, .odm, .odp, .ods, .odt, .odtb, .oft, .oga, .ogg, .opf, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pak, .pbf, .pbp, .pbs, .pcv, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkb, .pkh, .pkpass, .pl, .plc, .pli, .pm, .png, .pot, .potm, .potx, .ppd, .ppf, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prc, .prt, .psa, .psd, .psk, .pst, .ptx, .puz, .pwf, .pwi, .pwm, .pxp, .py, .qbb, .qdf, .qel, .qic, .qif, .qpx, .qtq, .qtr, .r3d, .ra, .raf, .rar, .raw, .rb, .re4, .res, .rev, .rgn, .rgss3a, .rim, .rng, .rofl, .rrt, .rsrc, .rsw, .rte, .rtf, .rts, .rtx, .rum, .run, .rv, .rw2, .rwl, .sad, .saf, .sav, .sb, .sc2save, .scm, .scn, .scx, .sdb, .sdc, .sdn, .sds, .sdt, .sen, .sfs, .sfx, .sh, .shar, .shr, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .sln, .slt, .snp, .snx, .so, .spr, .sql, .sqx, .sr2, .srf, .srt, .srw, .ssa, .std, .stt, .stx, .sud, .sum, .svg, .svi, .svr, .swd, .swf, .syncdb, .t12, .t13, .tar, .tax, .tax2015, .tax2016, .tbz2, .tch, .tcx, .text, .tg, .thmx, .tif, .tlz, .tor, .tpu, .tpx, .trp, .tu, .tur, .txd, .txf, .txt, .uax, .udf, .umx, .unity3d, .unr, .unx, .uop, .upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .val, .vc, .vcd, .vdf, .vdo, .ver, .vfs0, .vhd, .vmf, .vmt, .vob, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wav, .wave, .waw, .wb2, .wbk, .wdgt, .wks, .wm, .wma, .wmd, .wmdb, .wmmp, .wmo, .wmv, .wmx, .wotreplay, .wow, .wpd, .wpk, .wpl, .wps, .wsh, .wtd, .wtf, .wvx, .x3f, .xf, .xl, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xltx, .xlv, .xlwx, .xml, .xpi, .xpt, .xvid, .xwd, .xxx, .yab, .yps, .z02, .z04, .zap, .zip, .zipx, .zoo, .ztmp

Source: BleepingComputer

All encrypted files get the same extension, .fantom. The ransomware claims to use the RSA-4096 and AES-256 encryption algorithms, but in fact uses 128-bit AES. After doing its job, the virus deletes most of its own files.

The Fantom ransomware possibly deletes the Shadow Volume Copies of the Windows operating system; you can check whether any survive by running vssadmin list shadows from an elevated command prompt before attempting recovery. Read below to learn some ways in which you can try to restore your files.
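The indicators listed in this section (the dropped files, the two registry entries, the DECRYPT_YOUR_FILES.HTML note and the .fantom extension) can be checked offline against artifacts collected from a suspect machine. The script below is an added example written for this article; it is not code from the original page and not part of Fantom or the EDA2 project. It assumes you have a copy of the user's file tree and a text export of the HKCU hive (on the host: reg export HKCU hkcu.reg), and it uses a constructed sample tree and a constructed registry export to demonstrate the checks. The short TARGET_EXTS set is a placeholder for the full extension list above.

```python
"""Offline triage for the Fantom indicators described in the article.

Added example; not code from the original article and not part of Fantom or
EDA2. Input: a file tree copied from the suspect host and a .reg text export
of the HKCU hive. The sample tree and registry export below are constructed.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article.
DROPPED_FILES = {"windowsupdate.exe", "update.bat", "delback.bat", "2d5s8g4ed.jpg"}
RANSOM_NOTE = "decrypt_your_files.html"
ENCRYPTED_EXT = ".fantom"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
WALLPAPER_NAME = "how to decrypt your files.jpg"

# Small subset of the ~600 targeted extensions; swap in the full list to estimate
# how many intact files on a tree were in scope for the ransomware.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
               ".mp3", ".zip", ".txt", ".sql", ".py"}


def scan_tree(root):
    """Walk a file tree and collect the file-based Fantom indicators."""
    findings = {"encrypted": [], "notes": [], "dropped": [], "at_risk": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(str(path))
            elif lower == RANSOM_NOTE:
                findings["notes"].append(str(path))
            elif lower in DROPPED_FILES:
                findings["dropped"].append(str(path))
            elif path.suffix.lower() in TARGET_EXTS:
                findings["at_risk"] += 1  # targeted type, still intact
    return findings


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def parse_reg_export(text):
    """Parse single-line values of a .reg export into {key: {name: raw_value}}.

    Handles REG_SZ and REG_DWORD lines; multi-line hex(...) values are skipped.
    A real export is UTF-16LE, so open it with encoding="utf-16".
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current:
            m = _REG_VALUE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("val")
    return keys


def reg_string(raw):
    """Unquote a .reg REG_SZ literal and collapse its doubled backslashes."""
    return raw.strip('"').replace("\\\\", "\\")


def check_registry(reg_text):
    """Return the registry changes from the article that are present."""
    keys = parse_reg_export(reg_text)
    hits = []
    if keys.get(POLICY_KEY, {}).get("DisableTaskMgr") == "dword:00000001":
        hits.append("DisableTaskMgr=1 (Task Manager disabled)")
    wallpaper = reg_string(keys.get(DESKTOP_KEY, {}).get("Wallpaper", ""))
    if wallpaper.lower().endswith(WALLPAPER_NAME):
        hits.append("Wallpaper set to ransom image: " + wallpaper)
    return hits


def triage(root, reg_text):
    """Combine file and registry findings into one verdict dictionary."""
    result = scan_tree(root)
    result["registry"] = check_registry(reg_text)
    result["infected"] = bool(result["encrypted"] or result["notes"] or result["registry"])
    return result


# Constructed sample registry export (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\victim\\How to decrypt your files.jpg"
'''


def build_sample_tree():
    """Create a throwaway tree that mimics a hit user profile (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="fantom_demo_"))
    for rel in ("Documents/report.docx.fantom", "Documents/budget.xlsx.fantom",
                "Desktop/DECRYPT_YOUR_FILES.HTML", "Downloads/WindowsUpdate.exe",
                "Downloads/update.bat", "AppData/Roaming/delback.bat",
                "2d5s8g4ed.jpg", "Pictures/cat.jpg", "Music/song.mp3"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for key, value in triage(root, SAMPLE_REG).items():
            print(f"{key}: {value}")
    finally:
        shutil.rmtree(root)
```

On a live machine the same registry check can be followed by the fix: Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name DisableTaskMgr in PowerShell re-enables Task Manager, and the Wallpaper value can be pointed back at a normal image. Do that only after the malicious process is gone, otherwise it will simply set the values again.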

Remove Fantom Virus and Restore .fantom Files

If your computer is infected with the Fantom ransomware, you should have some experience in removing malware. Get rid of the ransomware as fast as possible, before it has a chance to spread further and infect more PCs. Remove the ransomware by following the step-by-step guide below. For ways you can try to recover your data, see the step titled 3. Restore files encrypted by Fantom.

Manually delete Fantom from your computer

Note: Manual removal of Fantom involves editing system files and the registry and can damage your PC if done wrongly. If your computer skills are not at a professional level, use a malware removal tool instead of removing it by hand.

1. Boot Your PC In Safe Mode to isolate and remove Fantom files and objects.
2. Find malicious files created by Fantom on your PC.
3. Fix registry entries created by Fantom on your PC.

Automatically remove Fantom by downloading an advanced anti-malware program

1. Remove Fantom with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Fantom in the future
3. Restore files encrypted by Fantom
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming of a more secure cyber space.
