Threat Management

Fantom and FairWare ransomware discovered

A pair of new ransomware types has been uncovered with one going after computer owners concerned about their device's security and the second targeting Linux users.

The first is called Fantom and takes advantage of the fact that more people being aware that they have to keep their computer properly updated by disguising the malware as a Windows update. The second, dubbed FairWare demands a hefty two bitcoin payment and even then there is no guarantee the files will be released.

Fantom, was discovered by AVG researcher Jakub Kroustek who tweeted his findings out on August 24 and is based on the open-source EDA2 ransomware project, according to BleepingComputer Founder Lawrence Abrams in a blog post. However, the malicious actors behind Fantom added two twists to this otherwise conventional ransomware attack.

First, the social engineering hook is a fake Microsoft Windows update box informing the victim they must download a critical update, Kroustek told via a direct Twitter message. If the person falls for the this and clicks OK, the ransomware is downloaded and begins encrypting files. To keep the target in the dark as long as possible, a second window appears showing a progress bar supposedly showing the update being downloaded. Instead it is actually showing how much of the computer's files are being encrypted.

Once downloaded Fantom creates a 128-bit encryption key, which is then encrypted using RSA and stored on the attackers command and control server.

The poorly written ransom note does not demand a specific amount of money to release the files, but requires the victim to send an email to a Russian address where further instructions will be given.

It has not yet been explained how the victim becomes exposed to the ransomware, but Kroustek has a theory.

"The infection method of this strain is not clear at the moment, but it is spreading under the filename criticalupdate01.exe to confuse the users. The chances are that it is spreading via spam emails or RDP (Remote Desktop Protocol) like the similar strains," he said.

FairWare was first reported on Bleeping Computers forum on August 27 with readers looking for information on the new ransomware. The first few reports stated their Linux systems had been penetrated with the website folder being removed and replaced with a ransom note demanding two bitcoins be paid within two weeks or the data would be leaked.

“At this time it is unknown of the attacker actually retains the victim's files and will return them after ransom payment. Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first,” Abrams wrote in a separate blog post.

It is also not officially known how FairWare is spread, although one forum member stated his computer was breached using a brute force attack.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.