The newly discovered ransomware strain, Big Head, has been spreading recently via a malvertising campaign that promotes fake Windows updates and MS Word installers.
Researchers analysed a couple of samples of the new ransomware, studying how the actors executed the malware and which attack vector they used.
The Big Head ransomware operators allegedly ran a trial run for their infection attacks.
According to investigations, both variants of Big Head ransomware came from a single threat actor that allegedly experimented with several attack methods to optimise its campaigns.
The analysis also showed that Big Head is a .NET binary that could install three AES-encrypted archives on a targeted system. These three payloads respectively propagate the malware, communicate with a Telegram bot, and encrypt files while displaying a fake Windows update to the target.
The ransomware attack could also perform several malicious actions, such as generating an autorun key, overwriting existing files, setting file attributes, and deactivating Task Manager upon installation.
Based on reports, the attack assigns each victim a unique ID, either retrieved from the AppData directory or generated as a random 40-character string.
Next, the ransomware removes shadow copies to prevent system restoration before encrypting the files and appending a [.]poop extension to the filenames. It also terminates certain processes so they cannot interfere with the encryption routine and so that the files they hold open are released for the malware to lock.
Furthermore, the attack skips the Windows, Program Files, Microsoft, ProgramData, Temp, Recycle Bin, and AppData directories during encryption to avoid bringing the system down.
The researchers also discovered that the ransomware checks whether it is running in VirtualBox, scans the system language, and only executes the encryption routine if the language is not set to a country affiliated with the Commonwealth of Independent States (CIS).
The ransomware then displays a screen that claims to be a legitimate Windows update. After encryption completes, it drops a ransom note in multiple directories. Finally, the attackers change their victims' wallpapers to notify them of the successful infection.
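The behaviours described above (autorun key, Task Manager disabled, shadow copy removal, [.]poop renames) are each weak signals alone but strong together. The following is an added example of a per-process behaviour-chain detector, not code from the researchers or the article; the event schema and the sample telemetry are constructed for illustration, while the registry locations are the standard Windows autorun and Task Manager policy paths.

```python
"""Behaviour-chain detector for the Big Head traits described in the article.

Events use an assumed generic telemetry schema (pid, kind, target, detail);
the sample records below are constructed, not captured from a real host.
"""
import re
from collections import defaultdict

# One indicator per behaviour the article attributes to the ransomware.
INDICATORS = {
    "shadow_copy_delete": lambda e: (e["kind"] == "process"
        and re.search(r"vssadmin.*delete\s+shadows", e["detail"], re.I)),
    "autorun_key": lambda e: (e["kind"] == "registry"
        and "\\currentversion\\run\\" in e["target"].lower()),
    "taskmgr_disabled": lambda e: (e["kind"] == "registry"
        and e["target"].lower().endswith("disabletaskmgr") and e["detail"] == "1"),
    "poop_extension": lambda e: (e["kind"] == "file"
        and e["target"].lower().endswith(".poop")),
}

def score_events(events, threshold=2):
    """Collect distinct indicators per PID and report PIDs that trip at least
    `threshold` of them; a single Run-key write or one odd rename is often benign."""
    hits = defaultdict(set)
    for e in events:
        for name, match in INDICATORS.items():
            if match(e):
                hits[e["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items() if len(names) >= threshold}

# Constructed telemetry: PID 4120 exhibits the full chain; PID 900 is a
# legitimate application registering its own autorun entry.
SAMPLE_EVENTS = [
    {"pid": 4120, "kind": "registry", "detail": "C:\\Users\\u\\AppData\\Roaming\\update.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 4120, "kind": "registry", "detail": "1",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"pid": 4120, "kind": "process", "target": "vssadmin.exe",
     "detail": "vssadmin delete shadows /all /quiet"},
    {"pid": 4120, "kind": "file", "target": r"C:\Users\u\Documents\budget.xlsx.poop",
     "detail": "rename"},
    {"pid": 900, "kind": "registry", "detail": "C:\\Program Files\\OneDrive\\OneDrive.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))  # → {4120: [four indicator names]}
```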