New ransomware ‘Big Head’ uses fake Windows update alerts


A newly discovered ransomware family named Big Head tricks unsuspecting users with fake Windows update alerts and fake Microsoft Word installers. Cybersecurity firms Fortinet and Trend Micro have identified several variants of the ransomware, all attributed to a single operator.

Fortinet documented two variants of Big Head in mid-June. Both encrypt files on victims’ devices to extort money. The firm says the ransomware debuted in May 2023, with the attacker seemingly distributing it as counterfeit software. The first variant displays a fake Windows update screen for about 30 seconds and then closes automatically; the decoy keeps the victim waiting while the encryption runs in the background.

It then opens a ransom note containing the attacker’s email address, Telegram ID, and Bitcoin wallet address. The second variant uses a PowerShell script named “cry.ps1” to encrypt files. Once encryption completes, it replaces the desktop wallpaper with one carrying a similar ransom note and also opens a separate note with the same contact details.

Fortinet also discovered a third ransomware variant of the same stripe as Big Head. Based on the shared Bitcoin wallet and email addresses, it is distributed by the same attacker. It appeared around the same time as Big Head but uses a slightly different ransom note. This variant encrypts files and appends the attacker’s email address to the file names, and it also replaces the desktop wallpaper.
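The behaviours described above (a PowerShell encryptor named cry.ps1, an email address appended to encrypted file names, and a ransom note that lists an email address, a Telegram ID and a Bitcoin wallet) are the kind of low-effort indicators a responder can triage for quickly. The following is an added example written for this page, not code from Fortinet, Trend Micro or the ransomware itself. The exact format of the renamed files is not given in the reports, so the script assumes the address is appended after the original extension (optionally in brackets); the sample file listing, the email address, the Telegram handle and the wallet string are all constructed placeholders, and the wallet check is a shape check only, not a checksum validation.

```python
"""Triage helpers for the Big Head indicators described in the article."""
import re
from pathlib import PureWindowsPath

# Assumed renamed-file form: "<name>.<ext>.<attacker address>" or "<name>.<ext>.[address]".
# The local part deliberately excludes dots so the original extension is not swallowed
# into the captured address (e.g. "docx.attacker@..." would otherwise match).
APPENDED_EMAIL = re.compile(
    r"[.\[ ]([A-Za-z0-9_%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\]?$"
)
# Patterns for scanning note text; dots are allowed in the local part here.
EMAIL_IN_TEXT = re.compile(
    r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b"
)
# "@handle" that is not the "@" of an email address (negative lookbehind).
TELEGRAM_HANDLE = re.compile(r"(?<![A-Za-z0-9._%+-])@[A-Za-z0-9_]{5,32}\b")
# Legacy base58 (1.../3...) or bech32 (bc1...) shape; no checksum validation.
BITCOIN_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
ENCRYPTOR_SCRIPT = "cry.ps1"  # PowerShell encryptor name from the second variant

# Constructed sample listing (not real telemetry): three renamed documents, two
# untouched files and the dropped PowerShell script.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.attacker@example.test",
    r"C:\Users\alice\Documents\budget.xlsx.attacker@example.test",
    r"C:\Users\alice\Pictures\holiday.jpg.attacker@example.test",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\AppData\Local\Temp\cry.ps1",
]

# Constructed ransom note with placeholder contact details.
SAMPLE_NOTE = """\
YOUR FILES ARE ENCRYPTED
Contact: attacker@example.test
Telegram: @placeholder_handle
Pay to wallet: 1AbCdEfGhJkLmNpQrStUvWxYz23456789a
"""


def appended_email(path):
    """Return the email address appended to a file name, or None if there is none."""
    name = PureWindowsPath(path).name
    match = APPENDED_EMAIL.search(name)
    return match.group(1) if match else None


def triage_listing(paths):
    """Group renamed files by appended address and collect any cry.ps1 instances.

    One address shared by many files is the mass-rename signature worth alerting on;
    a lone hit is more likely a legitimately named file.
    """
    renamed_by_email = {}
    scripts = []
    for path in paths:
        name = PureWindowsPath(path).name
        if name.lower() == ENCRYPTOR_SCRIPT:
            scripts.append(path)
            continue
        address = appended_email(name)
        if address:
            renamed_by_email.setdefault(address.lower(), []).append(path)
    return renamed_by_email, scripts


def looks_like_ransom_note(text):
    """Score text for the three contact details the note carries (0 to 3)."""
    emails = sorted(set(EMAIL_IN_TEXT.findall(text)))
    handles = sorted(set(TELEGRAM_HANDLE.findall(text)))
    wallets = sorted(set(BITCOIN_ADDR.findall(text)))
    score = sum(1 for group in (emails, handles, wallets) if group)
    return {"emails": emails, "telegram": handles, "bitcoin": wallets, "score": score}


if __name__ == "__main__":
    renamed, dropped = triage_listing(SAMPLE_LISTING)
    for address, files in renamed.items():
        print(f"{len(files)} files renamed with {address}")
    print("encryptor script(s):", dropped)
    print("note indicators:", looks_like_ransom_note(SAMPLE_NOTE))
```

Run against a real host you would feed it a directory walk and the contents of any recently created text file on the desktop; the score threshold and the assumed rename format should be adjusted once a real sample confirms them.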

The Big Head ransomware seemingly originated in Indonesia

Trend Micro recently published a technical report on Big Head, explaining its execution methodology, the similarities and differences between its variants, and “the potential impact of these infections when abused for attacks.” The firm analyzed three samples of the ransomware and linked a YouTube account to the attacker. The account is named “aplikasi premium cuma cuma,” which is Indonesian (Bahasa Indonesia) for “premium application for free.”

Cyber-intelligence firm KELA separately told BleepingComputer that Big Head’s main author is likely of Indonesian origin. It discovered a user on Telegram with the same names and avatars as those found in the aforementioned ransom notes. The ransomware itself doesn’t appear to be widespread or highly sophisticated. It uses standard encryption methods and is fairly easy to detect, thanks to poor evasion techniques.

Still, campaigns like this succeed by targeting users who are easy to trick. Big Head’s operators are still active and continue to refine the ransomware, experimenting with different approaches to delivery. Download software only from trusted sources such as the official Microsoft Store, and treat any “Windows update” that arrives as a downloaded installer as suspect: genuine updates are delivered through Windows Update in Settings, not as a standalone file. Avoid clicking on suspicious files or links received in emails from unknown addresses.

2023-07-11 15:04:42