Emerging “Big Head” Ransomware Impersonates Windows Updates and Word Installers

Last month, security experts from FortiGuard Labs, the research division of Fortinet, uncovered an emerging ransomware variant disguising itself as crucial Windows updates. This malicious software, aptly named “Big Head,” displays a counterfeit Windows Update screen, encrypting files surreptitiously in the background as the unsuspecting user waits for their computer to complete the supposed Windows update. The first variant of this ransomware, dubbed Variant A, deploys a deceptive process that lasts about 30 seconds. Another variant, Variant B, uses a PowerShell file named “cry.ps1” for file encryption on compromised systems.

Fortinet’s Protection Against Big Head

Fortinet stated its ability to detect and shield against Big Head variants with the help of the following antivirus signatures:

  • MSIL/Fantom.R!tr.ransom
  • MSIL/Agent.FOV!tr
  • MSIL/Kryptik.AGXL!tr
  • MSIL/ClipBanker.MZ!tr.ransom

Trend Micro’s Findings

Trend Micro, another cybersecurity firm, published its research on Big Head, shedding light on more complex aspects of this ransomware. The firm discovered that the malware checks for virtual environments such as VirtualBox or VMware, deletes Volume Shadow Copy Service (VSS) backups, and adjusts its actions for better success or evasion if the system is in a virtual environment. Trend Micro also studied more samples and their characteristics:

  • The first sample incorporates a backdoor in its infection chain.
  • The second sample employs a trojan spy and/or info stealer.
  • The third sample utilizes a file infector.

Big Head’s Distribution Method

A malvertising campaign that uses fake Microsoft Windows updates and Word installers has been identified as the primary distribution method of Big Head. Apart from this, the ransomware also uses a counterfeit software distribution method, with most samples so far reported from the U.S., Spain, France, and Turkey.

Technical Insights of Big Head

This .NET-based ransomware has the ability to deploy three encrypted binaries for its propagation and function. The malware displays a fake Windows Update UI, with progress percentage increments every 100 seconds, to deceive victims into believing it’s a legitimate software update process. Big Head operates in a manner similar to other ransomware families: it deletes backups, terminates processes, and conducts checks to ascertain whether it’s running within a virtualized environment before proceeding with file encryption. The malware also disables the Task Manager and self-terminates if the machine’s language is that of certain countries, including Russia, Belarus, Ukraine, and others.
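Two of the behaviors described above, backup deletion and Task Manager tampering, leave traces in process-creation telemetry that defenders can alert on. The following added example (not code from the report or from either vendor) runs simple detection rules over constructed Sysmon-style events; the exact commands Big Head uses are not stated in the article, so the vssadmin/wmic/reg patterns below are the common ways these actions are performed and are assumed here for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
# The parent path is a placeholder for a fake "Windows Update" binary dropped in %TEMP%.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\u\AppData\Local\Temp\WindowsUpdate.exe"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\u\AppData\Local\Temp\WindowsUpdate.exe"},
    {"pid": 4140, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" '
                r'/v DisableTaskMgr /t REG_DWORD /d 1 /f',
     "parent": r"C:\Users\u\AppData\Local\Temp\WindowsUpdate.exe"},
    {"pid": 5001, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p", "parent": r"C:\Windows\System32\services.exe"},
    # Benign: listing shadow copies must not trigger the deletion rule.
    {"pid": 5010, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
]

# Assumed detection patterns for VSS backup deletion and Task Manager disabling.
RULES = [
    ("vss_backup_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_backup_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("taskmgr_disabled", re.compile(r"DisableTaskMgr.*\s/d\s+1\b", re.I)),
]

def classify(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]

def detect(events):
    """Produce one alert per (event, matching rule), keeping the parent for correlation."""
    return [{"pid": ev["pid"], "rule": name, "parent": ev["parent"]}
            for ev in events for name in classify(ev)]

def by_parent(alerts):
    """Group rule hits per parent process: one parent deleting backups AND disabling
    Task Manager is a much stronger ransomware indicator than either action alone."""
    groups = {}
    for a in alerts:
        groups.setdefault(a["parent"], set()).add(a["rule"])
    return groups

if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    for a in alerts:
        print(a)
    for parent, rules in by_parent(alerts).items():
        if len(rules) > 1:
            print("HIGH: multiple ransomware precursors spawned by", parent)
```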

Variants and Techniques

Trend Micro identified another Big Head artifact with both ransomware and stealer behaviors, the latter utilizing the open-source WorldWind Stealer to gather web browser history, directory lists, running processes, product keys, and networks.

Furthermore, a third variant incorporates a file infector called Neshta. According to Trend Micro researchers, “Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload.”

The identity of the threat actor behind Big Head remains unknown, though hints suggest possible Indonesian origins. Given the diverse functionality of this malware, security teams should stay prepared for potential significant damage. The multifaceted nature of Big Head makes it challenging to defend systems, as each attack vector requires separate attention.

For further details on ransomware and prevention strategies, visit the U.S. Cybersecurity & Infrastructure Security Agency website.

Ryan is a car enthusiast and an accomplished team builder passionate about crafting captivating narratives. Known for his ability to transport readers to other worlds, his writing has garnered attention and a dedicated following. With a keen eye for detail and a gift for storytelling, Ryan continues to weave literary magic in every word he writes.