Remove Fantom Virus and Decrypt .fantom Files - How to, Technology and PC Security Forum |

Remove Fantom Virus and Decrypt .fantom Files


Fantom ransomware is a new crypto-virus that is based on the open-source EDA2 project. The virus locks files and claims to use the RSA-4096 and AES-256 algorithms for their encryption. When the encryption is complete, the ransomware puts files with instructions for paying on your desktop. All files have the .fantom extension appended. To remove the virus and see what you can try to restore your files, you should read the article, carefully.

Threat Summary

TypeRansomware, Crypto-Virus
Short DescriptionThe ransomware encrypts files with nearly 600 extensions and claims to have used RSA-4096 and AES-256 algoritms for the encryption process. It demands that you buy a decryption password from the virus makers.
SymptomsThe ransomware will lock all files with the .fantom extension appended to them and display a ransom note with instructions on your desktop.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by Fantom


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Fantom.

Fantom Virus – Delivery Ways

The Fantom virus is likely to use several delivery ways. Targeted attacks are not evident yet. Spam email campaigns might be the main cause for delivering the ransomware. A spam email will consist of a short description that sounds important and the full information, or a needed program is to be found as files attached to the letter. Files in these attachments could seem plain, but upon opening, a file can release the payload of the ransomware and infect your computer.

Social media and file-sharing services are another two ways for possible delivery of the Fantom virus. A file containing a malicious script inside it could be put on these networks and be presented as a useful program. Opening the file executes the payload, and your system is infected. An advice you should follow to prevent that from happening is to avoid suspicious emails, links, and files. When you are about to open a file, first check its signatures, size and try scanning it with security software. You can see more ransomware prevention tips from our forum.

Fantom Virus – Technical Analysis

The Fantom virus is a ransomware that is based on the new EDA2 open-source project. That project was created with educational purposes by a researcher, but it has been used in many real-life attacks. The Fantom ransomware was discovered by the researcher Jakub Kroustek.

After infection, the payload file will create the following files on your computer:

  • [Path of the executable]\WindowsUpdate.exe
  • [Path of the executable]\update.bat
  • %AppData%\delback.bat
  • %UserProfile%\2d5s8g4ed.jpg

The WindowsUpdate.exe file is used to bring up a screen of a Windows Update, which is fake. You can view that screen right here:


The screen will be locked and will not allow interaction with it or any other windows as it will be on top of them all. If you see the screen, know that your files are being encrypted in the background. You can close the screen using the Ctrl + F4 key combination, but that won’t stop the encrypting process. The screen increases the percentage show on it to fake the rise in activity of your disk drives.

Next, the Fantom ransomware will create the following entries in the Windows Registry:

→HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 1

→HKCU\Control Panel\Desktop\ “Wallpaper” “%UserProfile%\How to decrypt your files.jpg”

The first entry is set to disable the Windows Task Manager. The latter entry refers to the picture that will be placed as your wallpaper after the process of file encryption is done. You can see how that wallpaper looks like and see why the virus is named Fantom:


After all of your files get encrypted, the file DECRYPT_YOUR_FILES.HTML will be created. As you can see below, that is the actual ransom note of the Fantom virus:


The text on there reads:

Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.
That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.
Getting a decryption of your files is – SIMPLY task.

That all what you need:
1. Sent Your ID_KEY on mailbox [email protected] or [email protected]
2. For test, decrypt 2 small files, to be sure that we can decrypt you files.
3. Pay our services.
4. GET software with passwords for decrypt you files.
5. Make measures to prevent this type situations again.

Do not try restore files without our help, this is useless, and can destroy you data permanetly.

We Cant hold you decryption passwords forever.
ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
Your ID_KEY:

That ransom note looks very familiar as other ransomware viruses have used variations of it:

The Fantom virus has no set deadline or price for paying the ransom, but warns that the decryption keys will not be kept forever on the servers of criminals. The ransomware points to two emails for contacting the cyber criminals:

Do NOT contact the cyber crooks about decryption. No guarantee exists that you will get your files back, and any monetary support will aid them with their criminal activity.

The Fantom ransomware encrypts a huge amount of different file types. The ransomware searches to encrypt files which have the following extensions:


→.001, .1cd, .3d, .3d4, .3df8, .3fr, .3g2, .3gp, .3gp2, .3mm, .7z, .aac, .abk, .abw, .ac3, .accdb, .ace, .act, .ade, .adi, .adpb, .adr, .adt, .ai, .aim, .aip, .ais, .amf, .amr, .amu, .amx, .amxx, .ans, .ap, .ape, .api, .apk, .arc, .arch00, .ari, .arj, .aro, .arr, .arw, .asa, .asc, .ascx, .ase, .asf, .ashx, .asmx, .asp, .aspx, .asr, .asset, .avi, .avs, .bak, .bar, .bay, .bc6, .bc7, .bck, .bdp, .bdr, .bib, .bic, .big, .bik, .bkf, .bkp, .blob, .blp, .bmc, .bmf, .bml, .bmp, .boc, .bp2, .bp3, .bpl, .bsa, .bsp, .cag, .cam, .cap, .car, .cas, .cbr, .cbz, .cc, .ccd, .cch, .cd, .cdr, .cer, .cfg, .cfr, .cgf, .chk, .clr, .cms, .cod, .col, .cp, .cpp, .cr2, .crd, .crt, .crw, .cs, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .dayzprofile, .dazip, .db0, .dbb, .dbf, .dbfv, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .dir, .disk, .divx, .diz, .djvu, .dmg, .dmp, .dng, .dob, .doc, .docm, .docx, .dot, .dotm, .dotx, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dvi, .dvx, .dwg, .dxe, .dxf, .dxg, .elf, .epk, .eps, .eql, .erf, .err, .esm, .euc, .evo, .ex, .exif , .f90, .faq, .fcd, .fdr, .fds, .ff, .fla, .flac, .flp, .flv, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .gif, .grf, .gthr, .gz, .gzig, .gzip, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .idx, .ifo, .img, .indd, .ink, .ipa, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jc, .jfif, .jgz, .jif, .jiff, .jpc, .jpe, .jpeg, .jpf, .jpg, .jpw, .js, .json, .kdb, .kdc, .kf, .kmz, .kwd, .kwm, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .lgp, .litemod, .log, .lp2, .lrf, .ltm, .ltr, .ltx, .lvl, .m2, .m2v, .m3u, .m4a, .mag, .man, .map, .max, .mbox, .mbx, .mcd, .mcgame, .mcmeta, .md, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mic, .mip, .mkv, .mlx, .mod, .mov, .moz, .mp3, .mp4, .mpeg, .mpg, .mpqge, .mrw, .mrwref, .msg, .msp, .mxp, .nav, .ncd, .ncf, .nds, .nef, .nfo, .now, .nrg, .nri, .nrw, .ntl, .odb, .odc, .odf, .odi, .odm, .odp, .ods, .odt, .odtb .oft, .oga, .ogg, .opf, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pak, .pbf, .pbp, .pbs, .pcv, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkb, .pkh, .pkpass, .pl, .plc, .pli, .pm, .png, .pot, .potm, .potx, .ppd, .ppf, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prc, .prt, .psa, .psd, .psk, .pst, .ptx, .puz, .pwf, .pwi, .pwm, .pxp, .py, .qbb, .qdf, .qel, .qic, .qif, .qpx, .qtq, .qtr, .r3d, .ra, .raf, .rar, .raw, .rb, .re4, .res, .rev, .rgn, .rgss3a, .rim, .rng, .rofl, .rrt, .rsrc, .rsw, .rte, .rtf, .rts, .rtx, .rum, .run, .rv, .rw2, .rwl, .sad, .saf, .sav, .sb, .sc2save, .scm, .scn, .scx, .sdb, .sdc, .sdn, .sds, .sdt, .sen, .sfs, .sfx, .sh, .shar, .shr, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .sln, .slt, .snp, .snx, .so, .spr, .sql, .sqx, .sr2, .srf, .srt, .srw, .ssa, .std, .stt, .stx, .sud, .sum, .svg, .svi, .svr, .swd, .swf, .syncdb, .t12, .t13, .tar, .tax, .tax2015, .tax2016, .tbz2, .tch, .tcx, .text, .tg, .thmx, .tif, .tlz, .tor, .tpu, .tpx, .trp, .tu, .tur, .txd, .txf, .txt, .uax, .udf, .umx, .unity3d, .unr, .unx, .uop, .upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .val, .vc, .vcd, .vdf, .vdo, .ver, .vfs0, .vhd, .vmf, .vmt, .vob, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wav, .wave, .waw, .wb2, .wbk, .wdgt, .wks, .wm, .wma, .wmd, .wmdb, .wmmp, .wmo, .wmv, .wmx, .wotreplay, .wow, .wpd, .wpk, .wpl, .wps, .wsh, .wtd, .wtf, .wvx, .x3f, .xf, .xl, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xltx, .xlv, .xlwx, .xml, .xpi, .xpt, .xvid, .xwd, .xxx, .yab, .yps, .z02, .z04, .zap, .zip, .zipx, .zoo, .ztmp

Source: BleepingComputer

Encrypted files will all have the same extension, which is .fantom. The ransomware claims to use the RSA-4096 and AES-256 encryption algorithms, but in fact uses an AES 128-bit algorithm. After doing its job, the virus deletes most of its files.

The Fantom ransomware possibly deletes the Shadow Volume Copies from the Windows Operating System. Read below to learn some ways in which you can try to decrypt your files.

Remove Fantom Virus and Restore .fantom Files

If your computer got infected with the Fantom ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance of spreading further and infect more PCs. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 3. Restore files encrypted by Fantom.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share