Last month, security experts from FortiGuard Labs, the research division of Fortinet, uncovered an emerging ransomware variant disguising itself as crucial Windows updates. This malicious software, aptly named “Big Head,” displays a counterfeit Windows Update screen, encrypting files surreptitiously in the background as the unsuspecting user waits for their computer to complete the supposed Windows update. The first variant of this ransomware, dubbed Variant A, deploys a deceptive process that lasts about 30 seconds. Another variant, Variant B, uses a PowerShell file named “cry.ps1” for file encryption on compromised systems.
Fortinet’s Protection Against Big Head
Fortinet stated its ability to detect and shield against Big Head variants with the help of the following antivirus signatures:
- MSIL/Fantom.R!tr.ransom
- MSIL/Agent.FOV!tr
- MSIL/Kryptik.AGXL!tr
- MSIL/ClipBanker.MZ!tr.ransom
Trend Micro’s Findings
Trend Micro, another cybersecurity firm, published its research on Big Head, shedding light on more complex aspects of this ransomware. The firm discovered that the malware checks for virtual environments, such as Virtual Box or VMware, deletes Volume Shadow Copy Service (VSS) backups, and adjusts its actions for better success or evasion if the system is in a virtual environment. Trend Micro also studied more samples and their characteristics:
- The first sample incorporates a backdoor in its infection chain.
- The second sample employs a trojan spy and/or info stealer.
- The third sample utilizes a file infector.
Big Head’s Distribution Method
A malvertising campaign that uses fake Microsoft Windows updates and Word installers has been identified as the primary distribution method of Big Head. Apart from this, the ransomware also uses a counterfeit software distribution method, with most samples so far reported from the U.S., Spain, France, and Turkey.
Technical Insights of Big Head
This. NET-based ransomware has the ability to deploy three encrypted binaries for its propagation and function. The malware displays a fake Windows Update UI, with progress percentage increments every 100 seconds, to deceive victims into believing it’s a legitimate software update process. Big Head operates in a manner similar to other ransomware families. It deletes backups, terminates processes, and conducts checks to ascertain if it’s running within a virtualized environment before proceeding with file encryption. The malware also disables the Task Manager and self-terminates if the machine’s language is that of certain countries, including Russia, Belarus, Ukraine, and others.
Variants and Techniques
Trend Micro identified another Big Head artifact with both ransomware and stealer behaviors, the latter utilizing the open-source WorldWind Stealer to gather web browser history, directory lists, running processes, product keys, and networks.
Furthermore, a third variant incorporates a file infector called Neshta, which serves as a camouflage for the final Big Head ransomware payload. According to Trend Micro researchers, “Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload.”
The identity of the threat actor behind Big Head remains unknown, though hints suggest possible Indonesian origins. Given the diverse functionality of this malware, security teams should stay prepared for potential significant damage. The multifaceted nature of Big Head makes it challenging to defend systems, as each attack vector requires separate attention.
For further details on ransomware and prevention strategies, visit the U.S. Cybersecurity & Infrastructure Security Agency website.
