New ‘Big Head’ ransomware displays fake Windows update alert

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.

Two samples of the malware were previously analyzed by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.

Today, Trend Micro published a technical report on Big Head claiming that both variants and a third they sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.

Faking a Windows update

‘Big Head’ ransomware is a .NET binary that installs three AES-encrypted files on the target system: one is used to propagate the malware, another is for Telegram bot communication, and the third encrypts files and can also show the user a fake Windows update.

Big Head’s infection routine (Trend Micro)

On execution, the ransomware also performs actions such as creating a registry autorun key, overwriting existing files if needed, setting system file attributes, and disabling the Task Manager.

Creating the registry autorun key (Trend Micro)

Each victim is assigned a unique ID that is either retrieved from the %appdata%ID directory or generated as a random 40-character string.

The ransomware deletes shadow copies to prevent easy system restoration before encrypting the targeted files and appending a “.poop” extension to their filenames.
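As an added example (not code from the article or from Trend Micro), here is a small Python detector that correlates constructed endpoint events against the behaviour chain described above: autorun key creation, Task Manager disabling, shadow-copy deletion and “.poop” renames, flagging a host only when several of them co-occur. The event field names, the concrete registry paths and the shadow-copy command shape are assumptions of this demo, not indicators published in the article.

```python
from collections import defaultdict

# Behaviours the article attributes to Big Head, each as a predicate over one
# event dict. Field names (host, etype, target, detail), the registry paths and
# the shadow-copy command shape are assumptions for this demo, not published IoCs.
INDICATORS = {
    "autorun_key": lambda e: e["etype"] == "reg_set"
        and "\\currentversion\\run\\" in e["target"].lower(),
    "taskmgr_disabled": lambda e: e["etype"] == "reg_set"
        and e["target"].lower().endswith("\\policies\\system\\disabletaskmgr")
        and e["detail"] == "1",
    "shadow_copy_delete": lambda e: e["etype"] == "process"
        and all(w in e["detail"].lower() for w in ("shadow", "delete")),
    "poop_extension": lambda e: e["etype"] == "file_rename"
        and e["target"].lower().endswith(".poop"),
}


def analyse(events, min_hits=3):
    """Correlate events per host. A host is flagged when at least min_hits
    distinct indicators fire, so a lone autorun entry never triggers on its own."""
    seen = defaultdict(set)
    renamed = defaultdict(int)
    for e in events:
        for name, match in INDICATORS.items():
            if match(e):
                seen[e["host"]].add(name)
                if name == "poop_extension":
                    renamed[e["host"]] += 1
    return {host: {"indicators": sorted(names), "encrypted_files": renamed[host]}
            for host, names in seen.items() if len(names) >= min_hits}


# Constructed sample telemetry (not real logs). WS01 shows the full chain,
# WS02 only a benign autorun entry plus an ordinary rename.
SAMPLE_EVENTS = [
    {"host": "WS01", "etype": "reg_set", "detail": "C:\\Users\\u\\AppData\\Roaming\\svc.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"host": "WS01", "etype": "reg_set", "detail": "1",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"},
    {"host": "WS01", "etype": "process", "target": "vssadmin.exe",
     "detail": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "etype": "file_rename", "detail": "",
     "target": "C:\\Users\\u\\Documents\\budget.xlsx.poop"},
    {"host": "WS01", "etype": "file_rename", "detail": "",
     "target": "C:\\Users\\u\\Pictures\\holiday.jpg.poop"},
    {"host": "WS02", "etype": "reg_set", "detail": "C:\\Program Files\\Vendor\\updater.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "WS02", "etype": "file_rename", "detail": "",
     "target": "C:\\Users\\v\\Documents\\report.docx"},
]

if __name__ == "__main__":
    for host, verdict in analyse(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Lowering `min_hits` trades precision for earlier alerting; with the sample data, WS02 only appears at `min_hits=1`.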

File types targeted by Big Head (Trend Micro)

Additionally, Big Head will terminate the following processes to prevent tampering with the encryption process and to free up data that the malware needs to lock.

Processes terminated before encryption (Trend Micro)

The Windows, Recycle Bin, Program Files, Temp, Program Data, Microsoft, and App Data directories are skipped from encryption to avoid rendering the system unusable.

Trend Micro has found that the ransomware checks whether it runs on a virtual machine, looks up the system language, and only proceeds to encryption if the language is not set to that of a member country of the Commonwealth of Independent States (former Soviet states).

System languages valid for encryption (Trend Micro)

During the encryption, the ransomware displays a screen that purports to be a legitimate Windows update.

Fake Windows update masking the file encryption (Trend Micro)

After the encryption process completes, the following ransom note is dropped in multiple directories, and the victim’s wallpaper is also changed to alert them of the infection.

Wallpaper and ransom note (Trend Micro)

Other variants

Trend Micro also analyzed two more Big Head variants, highlighting some key differences compared to the standard version of the ransomware.

The second variant maintains ransomware capabilities but also incorporates stealer behavior, with functions to collect and exfiltrate sensitive data from the victim system.

The data that this version of Big Head can steal includes browsing history, a list of directories, installed drivers, running processes, the product key, and active networks, and it can also capture screenshots.

Second variant infection routine (Trend Micro)

The third variant, discovered by Trend Micro, features a file infector identified as “Neshta,” which inserts malicious code into executables on the breached system.

Although the exact purpose of this is unclear, Trend Micro’s analysts speculate that it might be to evade detection that relies on signature-based mechanisms.

Notably, this variant uses a different ransom note and wallpaper from the other two, but it is still linked to the same threat actor.

Third variant infection routine (Trend Micro)

Trend Micro comments that Big Head is not a sophisticated ransomware strain: its encryption methods are fairly standard, and its evasion techniques are easy to detect.

However, it appears to target consumers who can be fooled with simple tricks (e.g. a fake Windows update) or who have difficulty understanding the safeguards needed to steer clear of cybersecurity risks.

The multiple variants in circulation suggest that the creators of Big Head are continuously developing and refining the malware, experimenting with various approaches to see what works best.

Update 7/10/23 – Cyber-intelligence firm KELA shared additional information with BleepingComputer, indicating that Big Head’s main author is likely of Indonesian origin.

KELA’s analysts have discovered a user on Telegram using the same names and avatars as those found in Big Head’s ransom note, claiming to be a “ransomware expert” in posts published on “IndoGhostsec.”

Big Head’s author on Telegram (KELA)

The user switched the group’s name from ‘BIG HEAD HACKER!’ to ‘BLACKHAT HACKER INDONESIA’ in June 2022, and in March 2023 he started seeking the support of other members in his effort to create a ransomware builder and other related tools.

Threat actor’s post on Telegram (KELA)