
Ransom:MSIL/Fantomcrypt.A


First posted on 01 September 2016.
Source: Microsoft

Aliases :

There are no other names known for Ransom:MSIL/Fantomcrypt.A.

Explanation :

Installation

This threat has been observed to arrive as an obfuscated .NET executable file. We have seen it use the following file names:

  • critical_updates.exe
  • dissdkchk.exe
  • servicec.exe


This threat may appear as a critical Windows update to lure potential victims into applying the fake update, thus triggering the document encryption process that runs in the background.

Malicious hackers add fictitious details such as file properties, file names, and a Microsoft copyright to make the "critical update" file appear legitimate. Unsuspecting victims can then be led to download the update.

Payload

Encrypts files

This threat searches for files in your folders and can target files with the following extensions to encrypt:

.asm .cs .html .pdf .swf .asp .css .jpg .pif .thm .aspx .dat .js .png .txt .avi .db .key .pot .wav .bak .doc .log .ppt .wb2 .bay .dot .lua .prf .wma .bin .dtd .mdb .py .wmv .bmp .edb .mid .rat .xls .c .eps .msg .rtf .xlt .cfg .gif .odc .sav .xml .config .h .pas .sdf .zip .cpp .hpp .pdb .sql

It drops a ransom note (DECRYPT_YOUR_FILES.HTML) in each folder after encrypting files. See the following screenshot:

Modifies your PC settings without your permission

This ransomware also disables your Microsoft Windows Task Manager and locks you out while your files are being encrypted, and displays the following message:
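The indicators in this entry (the observed dropper file names, the ransom note name, and the targeted extensions) can be turned into a scoping check for incident response. The following is an added example, not Microsoft's code: it takes a host file listing (here a constructed sample) and reports which folders contain the ransom note, how many targeted files sit beside it, and any path whose file name matches one observed for this threat.

```python
import os
from collections import defaultdict

# Indicators taken from the description above (Ransom:MSIL/Fantomcrypt.A).
RANSOM_NOTE = "DECRYPT_YOUR_FILES.HTML"
DROPPER_NAMES = {"critical_updates.exe", "dissdkchk.exe", "servicec.exe"}
TARGETED_EXTS = set("""
.asm .cs .html .pdf .swf .asp .css .jpg .pif .thm .aspx .dat .js .png .txt
.avi .db .key .pot .wav .bak .doc .log .ppt .wb2 .bay .dot .lua .prf .wma
.bin .dtd .mdb .py .wmv .bmp .edb .mid .rat .xls .c .eps .msg .rtf .xlt
.cfg .gif .odc .sav .xml .config .h .pas .sdf .zip .cpp .hpp .pdb .sql
""".split())

# Constructed sample file listing for a hypothetical host; not data from the page.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\DECRYPT_YOUR_FILES.HTML",
    r"C:\Users\alice\Documents\report.doc",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Downloads\critical_updates.exe",
]


def triage(paths):
    """Map each folder holding the ransom note to its count of files with a
    targeted extension (the note itself is excluded although .html is targeted),
    and list paths whose file name matches one observed for this threat."""
    by_dir = defaultdict(list)
    for path in paths:
        # Normalise Windows separators so the check also runs on non-Windows hosts.
        folder, name = os.path.split(path.replace("\\", "/"))
        by_dir[folder].append(name)

    affected, droppers = {}, []
    for folder, names in by_dir.items():
        if any(n.upper() == RANSOM_NOTE for n in names):
            affected[folder] = sum(
                1 for n in names
                if n.upper() != RANSOM_NOTE
                and os.path.splitext(n)[1].lower() in TARGETED_EXTS
            )
        droppers.extend(
            folder + "/" + n for n in names if n.lower() in DROPPER_NAMES
        )
    return affected, droppers


if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

A folder without the note is not reported even if it holds targeted files, so the output scopes where encryption has already completed rather than what could still be hit.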

This malware description was published from analyzing the following SHA1 files:
  • 0b6dd724203dc66bfed1cb9ab372e249fb3740c2
  • e10874c6108a26ceedfc84f50881824462b5b6b6
  • 8c6fd4e90a529016c7795654ec36714fb06dfd32

Last update 01 September 2016
