Fantom targets Windows OS and its method of distribution is currently unknown. Its code is based on EDA2, an open-source ransomware project published in early 2016. Fantom masquerades as a critical Windows update, displaying a fake but convincing Windows update screen to fool victims into believing they are receiving a legitimate patch from Microsoft. Once the update screen is displayed, victims become unable to switch to any other application. Pressing Ctrl+F4 will remove the fake update screen but it will not stop the encryption process. Fantom encrypts files using AES-128 and appends the .fantom extension to the file names. In each folder, it leaves a ransom note named DECRYPT_YOUR_FILES.HTML. Once the encryption process ends, Fantom creates two batch files that delete Shadow Volume Copies and the fake Windows update executable, WindowsUpdate.exe. The ransom payment amount is currently unknown.

UPDATE 9/21/2016: A new version of Fantom uses the filenames of targeted files to determine how much ransom to charge the victim. It also uses the filename to generate a payment email address to display to the victim.
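For triage on a host suspected of a Fantom infection, the following added example (written here for this page, not code from the NJCCIC profile or from the malware) walks a directory tree and reports the file-level indicators described above: the appended .fantom extension, the per-folder DECRYPT_YOUR_FILES.HTML note, and a dropped WindowsUpdate.exe. The directory layout it scans is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the profile above; matching is case-insensitive
# because Windows file names are.
FANTOM_EXT = ".fantom"
RANSOM_NOTE = "decrypt_your_files.html"
DROPPER_NAME = "windowsupdate.exe"

def scan_tree(root):
    """Walk root and collect Fantom indicators per directory."""
    encrypted = Counter()   # directory -> number of *.fantom files
    ransom_notes = []       # directories containing the ransom note
    droppers = []           # full paths of files named WindowsUpdate.exe
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(FANTOM_EXT):
                encrypted[dirpath] += 1
            elif lower == RANSOM_NOTE:
                ransom_notes.append(dirpath)
            elif lower == DROPPER_NAME:
                droppers.append(os.path.join(dirpath, name))
    return {"encrypted": dict(encrypted),
            "ransom_notes": sorted(ransom_notes),
            "droppers": sorted(droppers)}

def verdict(report):
    """Triage rule: a ransom note beside .fantom files is a strong signal."""
    hits = [d for d in report["ransom_notes"] if report["encrypted"].get(d)]
    return "fantom-indicators-present" if hits else "no-fantom-indicators"

def build_sample_tree():
    """Constructed sample layout imitating an affected profile (not real data)."""
    root = tempfile.mkdtemp(prefix="fantom_demo_")
    docs, pics = os.path.join(root, "Documents"), os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for name in ("budget.xlsx.fantom", "notes.txt.fantom", "DECRYPT_YOUR_FILES.HTML"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(pics, "holiday.jpg"), "w").close()        # untouched file
    open(os.path.join(root, "WindowsUpdate.exe"), "w").close()  # fake updater
    return root

if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(report)
    print(verdict(report))
```

Point `scan_tree` at a mounted image or user profile to get a per-folder count of encrypted files, which also tells you which folders still hold a ransom note worth preserving as evidence.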

  • Bleeping Computer provides more information about Fantom here.
  • The NJCCIC is not currently aware of any decryption tools available for Fantom.