New Ransomware Looks, Acts Like Windows Update

Microsoft no longer lets you decide whether to install Windows system updates, and online criminals have noticed. The new Fantom ransomware takes advantage of this situation by nearly perfectly mimicking the Windows Update process, and will keep almost any user fooled until it's too late.

Credit: Bacho/Shutterstock

(Image credit: Bacho/Shutterstock)

AVG security researcher Jakob Kroustek discovered Fantom last week. He notified the Bleeping Computer blog, and the details are pretty scary.

The ransomware itself is called "CriticalUpdate01.exe," the file it extracts is called "WindowsUpdate.exe," and the screen that displays as it begins to encrypt your files looks very much like the modern blue screen that Windows 8, 8.1 and 10 users are familiar with.


(Image credit:

"Unfortunately, there is no way to currently decrypt the Fantom Ransomware," Bleeping Computer noted, adding that the ransomware was built using the open-source ransomware kit called EDA2.

MORE: What Is Ransomware and How Can I Protect Myself?

While you're waiting for Windows Update to finish and the machine to restart, Fantom is happily at work encrypting all the files it can find bearing any of about 600 different suffixes, including those commonly used for music, video, photo and office files. Encrypted files get the additional suffix ".fantom."

When the encryption process is finished, Fantom pops up a ransom note instructing the user to email a Russian email address. No specific ransom amount is mentioned, but presumably the response from the online criminals will include one. Victims have a week to pay up or the files will be erased, the note says in pretty poor English.


(Image credit:

If you're seeing that screen, you're pretty well hosed. Your only options will be to either negotiate a ransom payment (many of these crooks won't be offended if you try to haggle) or hope that any recent system backup you may have wasn't encrypted too.

To prevent infection by any kind of ransomware, don't click on any links in email messages you don't expect; configure your Windows user accounts so that your day-to-day-usage account is a "limited" one that can't install software; and install and run robust, continually updating antivirus software.

Windows 7 and 8.1 users can go into Control Panel and set Windows Update to install patches only when they want it to. That won't prevent infection, but if a random Windows Update screen pops up, you'll know it's bogus and can shut down the machine immediately. (After that, boot antivirus software from a rescue disk — here area few you can burn to a CD or put on an USB flash drive — to clean your system without starting Windows.)

Windows 10 Home users can't stop automatic system updates. Microsoft, in its infinite wisdom, has taken away that choice from you. Even Windows 10 Pro users can only postpone, not opt out of, system updates. So if that Windows Update window takes over your screen, you won't be able to tell if it's the real thing, or ransomware.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.