Major Ransomware release 7/17/23 (Big Head)

  • July 17, 2023
150 150 Cross Computers

Please be very careful, as always. Windows updates are completed automatically for most of our customers. The updates are completed outside regular business hours and are transparent to most users. If you receive “Windows Updates” notices, please do not click on them. If your company handles security updates internally, you need to complete all updates immediately.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
=========================================

Big Head Ransomware

Overview

FortiGuard Labs recently came across a new ransomware variant called Big Head, which came out in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.

Infection Vector

One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update. One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software.

At the time of this research, there is no indication that Big Head is widespread.

Ransomware Execution

FortiGuard Labs is aware of at least two variants of Big Head ransomware, which we have named variants A and B.

Variant A

Once Big Head ransomware variant A is executed, it displays a fake Windows Update screen to trick users into believing that legitimate actions are occurring behind the scenes.

Screenshot of Figure 1. Fake Windows Update screen shown by the Big Head ransomware variant A
Figure 1. Fake Windows Update screen shown by the Big Head ransomware variant A

The fake Windows Update lasts about 30 seconds and automatically closes. By the time the phony update is done, the ransomware has already encrypted files on compromised machines with file names randomly altered.

Screenshot of Figure 2. Files encrypted by the Big Head ransomware variant A and its ransom note
Figure 2. Files encrypted by the Big Head ransomware variant A and its ransom note

The ransomware then opens a ransom note labeled “README_[random seven digits number] that demands victims contact the attacker via email or telegram for file decryption and data leak.

Screenshot of Figure 3. Ransom note left by the Big Head ransomware variant A
Figure 3. The ransom note left by the Big Head ransomware variant A

Big Head ransomware variant A has also been seen to leave a slightly different version of the ransom note, including the attacker’s Bitcoin address for “immediate ransom payment.”

Screenshot of Figure 4. Alternative ransom note left by the Big Head ransomware variant A
Figure 4. The alternative ransom note left by the Big Head ransomware variant A

Variant B

While the Big Head ransomware variant B did not encrypt any files in our test environment, it is designed to encrypt files on compromised machines. Our analysis found that variant B uses a PowerShell file named “cry.ps1” for file encryption. The variant B does not drop cry.ps1 in some cases, and file encryption does not occur. However, it does not stop variant B from replacing the Desktop wallpaper with its own containing ransom note. Like variant A, the ransom note requests that victims contact the attacker using the same email address or telegram channel. The difference is that a  ransom fee of one Bitcoin is included in the variant B ransom note. The relatively low ransom fee indicates that Big Head ransomware is used to target consumers rather than enterprises.

Screenshot of Figure 5. Desktop wallpaper replaced by the Big Head ransomware variant B
Figure 5. Desktop wallpaper replaced by the Big Head ransomware variant B

Variant B separately drops a ransom note labeled “Read Me First!/txt” with the same ransom message as the wallpaper.

Screenshot of Figure 6. Ransom note left by the Big Head ransomware variant B
Figure 6. The ransom note left by the Big Head ransomware variant B

Variant B also tries to open the attacker’s Github page on a default Web browser; however, the page is unavailable because it has been removed or shut down.

The attacker’s Bitcoin wallet recorded two transactions: one in December 2022 for $313.93, the other in August of the same year for $70.07. Since the Big Head ransomware came out in May 2023, those transactions do not appear to be related to the ransomware variant.

Ransomware of the Same Stripe

FortiGuard Labs found another ransomware variant that, based on the Bitcoin wallet and email address, was likely used by the same attacker. This ransomware was also submitted to a publicly available file scanning service in May 2023, the same month the Big Head ransomware variants were made available. This ransomware variant encrypts files and appends the attacker’s contact email address, “poop69new@[redacted],” to the file names. It also replaces the desktop wallpaper with its own that includes the following ransom note.

Screenshot of Figure 7. Wallpaper replaced by another ransomware used by the same attacker
Figure 7. Wallpaper was replaced by another ransomware used by the same attacker

It also leaves an alternative ransom note labeled “read_it.txt”.

Screenshot of Figure 8. Ransom note left behind by another ransomware used by the same attackerFigure 8. Ransom note left behind by another ransomware used by the same attacker

Victimology

Most of the Big Head ransomware samples were submitted from the United States. Another ransomware used by the same attacker was submitted from the United States, Spain, France, and Turkey.