{
	"id": "e348fcb7-40f5-4bbd-b0d9-4679e7b8409b",
	"created_at": "2026-04-06T00:15:23.009032Z",
	"updated_at": "2026-04-10T03:20:26.457666Z",
	"deleted_at": null,
	"sha1_hash": "3a3bdb61435a0337c2ecde7688b05065ce5c51bb",
	"title": "Fantom ransomware impersonates Windows update",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45076,
	"plain_text": "Fantom ransomware impersonates Windows update\r\nBy Tyler Moffitt\r\nPublished: 2016-08-29 · Archived: 2026-04-05 16:07:53 UTC\r\nAug 29, 2016 | Threat Lab\r\nWindows 10 has been notorious for automatically installing updates on users’ machines, and now a ransomware family aims to capitalize on it. The new ransomware, Fantom, is based on EDA2, the open-source ransomware project on GitHub called Hidden Tear that has recently been abandoned.\r\nFantom behind the scenes\r\nIn an attempt to conceal malicious intent, the authors of this ransomware modified the file properties to show copyright and legal trademark strings mimicking a Windows update.\r\nOnce this dropper is executed, the payload “WindowsUpdate.exe” is dropped in AppData\\Local\\Temp and displays the fake Windows Update screen shown below. This screen locks you out of doing anything else on your computer, consistent with the ruse that Windows 10 is simply running one of its usual interrupting updates.\r\nThe percentage counter does work and climbs at roughly one percent per minute. However, it is fake and represents nothing; its only purpose is to tell you that this “Windows update” will take a while and that you should not be alarmed by the CPU usage and hard drive activity. You can close this fake update overlay by ending the process “WindowsUpdate.exe” in Task Manager, but the encryption of your files continues unaffected.\r\nDECRYPT_YOUR_FILES.HTML ransom note\r\nFiles are encrypted with AES-128, and each encrypted file has “.fantom” appended to its extension. In every directory where a file is encrypted, a standard ransom note, “DECRYPT_YOUR_FILES.HTML”, is created.\r\nThe ransom note does not contain an onion link to a payment portal, which is standard for most encrypting ransomware. Instead, you are asked to email the cyber criminals and await a response. This tactic is meant to target less savvy computer users who would be intimidated by creating a bitcoin wallet address and using a Tor browser to connect to the darknet for ransom payment. To increase the odds of gaining trust, two “freebie” files are allowed for decryption.\r\nHowever, it is clear that these cyber criminals have a very loose grip on the English language, so we do not anticipate much traction with their scams through email. We also reached out as a test and have yet to hear back in over 24 hours.\r\nEmploy a backup solution\r\nWebroot will catch this specific variant in real time before any encryption takes place. We are always on the lookout for new threats, but in case of new zero-day variants, remember that with encrypting ransomware the best protection is a good backup solution. This can be either cloud storage or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were infected by a zero-day variant of encrypting ransomware, you could simply restore your files, as we keep a snapshot history of up to ten previous copies of each file. Please see our community post on best practices for securing your environment against encrypting ransomware.\r\nMD5 analyzed:\r\n7D80230DF68CCBA871815D68F016C282\r\nAdditional MD5s seen:\r\n4AC83757EBF7ACD787F732AA398E6D53\r\n65E9E1566DEC1586358BEC5DE9905065\r\n60DBBC069931FB82C7F8818E08C85164\r\n86313D2C01DC48D617D52BC2C388957F\r\nAbout the Author\r\nTyler Moffitt, Sr. Security Analyst\r\nTyler Moffitt is a Sr. Security Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.\r\nSource: https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/"
	],
	"report_names": [
		"fantom-ransomware-windows-update"
	],
	"threat_actors": [],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a3bdb61435a0337c2ecde7688b05065ce5c51bb.pdf",
		"text": "https://archive.orkl.eu/3a3bdb61435a0337c2ecde7688b05065ce5c51bb.txt",
		"img": "https://archive.orkl.eu/3a3bdb61435a0337c2ecde7688b05065ce5c51bb.jpg"
	}
}