Please be very careful, as always. Windows updates are completed automatically for most of our customers. The updates are completed outside regular business hours and are transparent to most users. If you receive “Windows Updates” notices, please do not click on them. If your company handles security updates internally, you need to complete all updates immediately.
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
Big Head Ransomware
Overview
FortiGuard Labs recently came across a new ransomware variant called Big Head, which came out in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.
Infection Vector
One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update. One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software.
At the time of this research, there is no indication that Big Head is widespread.
Ransomware Execution
FortiGuard Labs is aware of at least two variants of Big Head ransomware, which we have named variants A and B.
Variant A
Once Big Head ransomware variant A is executed, it displays a fake Windows Update screen to trick users into believing that legitimate actions are occurring behind the scenes.
The fake Windows Update lasts about 30 seconds and automatically closes. By the time the phony update is done, the ransomware has already encrypted files on compromised machines with file names randomly altered.
The ransomware then opens a ransom note labeled “README_[random seven digits number] that demands victims contact the attacker via email or telegram for file decryption and data leak.
Big Head ransomware variant A has also been seen to leave a slightly different version of the ransom note, including the attacker’s Bitcoin address for “immediate ransom payment.”
Variant B
While the Big Head ransomware variant B did not encrypt any files in our test environment, it is designed to encrypt files on compromised machines. Our analysis found that variant B uses a PowerShell file named “cry.ps1” for file encryption. The variant B does not drop cry.ps1 in some cases, and file encryption does not occur. However, it does not stop variant B from replacing the Desktop wallpaper with its own containing ransom note. Like variant A, the ransom note requests that victims contact the attacker using the same email address or telegram channel. The difference is that a ransom fee of one Bitcoin is included in the variant B ransom note. The relatively low ransom fee indicates that Big Head ransomware is used to target consumers rather than enterprises.
Variant B separately drops a ransom note labeled “Read Me First!/txt” with the same ransom message as the wallpaper.
Variant B also tries to open the attacker’s Github page on a default Web browser; however, the page is unavailable because it has been removed or shut down.
The attacker’s Bitcoin wallet recorded two transactions: one in December 2022 for $313.93, the other in August of the same year for $70.07. Since the Big Head ransomware came out in May 2023, those transactions do not appear to be related to the ransomware variant.
Ransomware of the Same Stripe
FortiGuard Labs found another ransomware variant that, based on the Bitcoin wallet and email address, was likely used by the same attacker. This ransomware was also submitted to a publicly available file scanning service in May 2023, the same month the Big Head ransomware variants were made available. This ransomware variant encrypts files and appends the attacker’s contact email address, “poop69new@[redacted],” to the file names. It also replaces the desktop wallpaper with its own that includes the following ransom note.
It also leaves an alternative ransom note labeled “read_it.txt”.
Figure 8. Ransom note left behind by another ransomware used by the same attackerVictimology
Most of the Big Head ransomware samples were submitted from the United States. Another ransomware used by the same attacker was submitted from the United States, Spain, France, and Turkey.