March 13, 2025

Big Head Ransomware


Big Head ransomware is a relatively new and concerning player in the cybercrime landscape. Emerging around May 2023, it distinguishes itself through deceptive tactics, primarily targeting consumers rather than large enterprises. While not yet as widespread as some major ransomware families, its multiple variants, evolving capabilities (including data stealing and file infection), and global reach indicate a growing threat that requires proactive attention from both individuals and security professionals. Big Head's core strategy revolves around masquerading as legitimate software updates, particularly fake Windows Updates and counterfeit Microsoft Word installers, to trick unsuspecting users into executing the malicious code.

Origins & Evolution

Big Head ransomware first appeared in May 2023. While its origins are not definitively confirmed, some clues point to potential, though unverified, connections. A YouTube channel used to promote the ransomware, named "aplikasi premium cuma cuma" (which translates to "premium application for free" in Bahasa), suggests a possible link to countries where Bahasa is spoken, such as Indonesia or Malaysia. However, this is purely speculative and should not be considered conclusive evidence.

Analysis by KELA strongly suggests the primary author of Big Head is likely of Indonesian origin. A Telegram user with names and avatars matching those used in Big Head ransom notes claimed to be a "ransomware expert" on a forum called "IndoGhostsec." This user was actively seeking assistance in creating a ransomware builder, further supporting the theory of an Indonesian connection.

Several researchers, including Trend Micro and Fortinet, have identified multiple variants of Big Head, indicating ongoing development and experimentation by the attacker(s). This rapid evolution is a hallmark of many ransomware families, as developers seek to improve their malware's effectiveness, evasion capabilities, and profitability. Base64 encoding is one of the techniques seen across these variants.

  • Variant 1: This variant is characterized by its use of a fake Windows update screen, Base64 encoding of filenames, and the generation of a unique Victim ID included in the ransom note.

  • Variant 2: This variant sometimes fails to encrypt files in testing scenarios. It drops a ransom note without a victim ID and changes the desktop background. Crucially, it has been observed to include data stealer capabilities, exfiltrating information like browsing history, directory listings, installed drivers, and system information.

  • Variant 3: This variant incorporates a file infector component known as "Neshta." File infectors inject malicious code into legitimate executable files, potentially aiding in evasion of signature-based detection. This variant also uses a different ransom note and wallpaper compared to the previous versions.

The existence of these variants, and the short timeframe in which they appeared, suggests that the Big Head developers are actively refining their techniques. While some researchers assess Big Head as not highly sophisticated in its encryption or evasion, this constant evolution makes it a persistent threat.

It is also possible, although not confirmed, that Big Head is a variant of the Ryzerlo ransomware; many of the samples are classified as "Ransom:MSIL/Ryzerlo.A".

Tactics & Techniques

Big Head ransomware employs a range of tactics, techniques, and procedures (TTPs) that are common in the ransomware landscape, but with some specific nuances that are worth noting:

  • Initial Access: Big Head relies heavily on social engineering and deception to gain initial access. The primary vectors are:

    * Fake Windows Updates: The ransomware disguises itself as a legitimate Windows update, complete with a forged digital signature to appear more credible. This is a particularly effective tactic against consumers who may not be as technically savvy or vigilant as enterprise users.

    * Counterfeit Software Installers: The ransomware has also been observed using a Microsoft Word icon, suggesting distribution through fake or pirated software downloads. This preys on users seeking free or cracked versions of popular applications.

    * Malvertising, Phishing and Spoofed Websites: These are also considered likely distribution methods, though less directly confirmed than the fake updates.

  • Execution & Persistence:

    * The core ransomware is a .NET executable.

    * It creates a registry autorun key to ensure persistence, meaning it automatically runs when the system starts.

    * It overwrites existing files and sets system file attributes.

    * It disables Task Manager to prevent the user from easily terminating the ransomware process.

  • Evasion:

    * Big Head displays a fake Windows Update screen during the encryption process to mislead the user and buy time.

    * It checks for the presence of a virtual machine environment, a common tactic to avoid analysis by security researchers.

    * It checks the system language and avoids encrypting systems set to languages of the Commonwealth of Independent States (CIS), the former Soviet states. This is a common tactic among some ransomware groups, potentially to avoid prosecution in those countries.

    * It deletes shadow copies, a Windows feature that allows users to restore previous versions of files, thus hindering recovery efforts.

    * It terminates specific processes that might interfere with encryption or hold locks on files, including SQL, Word, Oracle, and other database and productivity applications.

    * Variant 3, with the Neshta file infector, adds another layer of evasion by injecting malicious code into legitimate executables.

  • Encryption:

    * Big Head uses AES encryption to encrypt files.

    * It appends the ".poop" extension to encrypted files (a somewhat unusual and unprofessional choice).

    * It skips encrypting essential system directories (Windows, Program Files, etc.) to avoid completely bricking the system, likely to increase the chances of the victim being able to pay the ransom.

  • Ransom Note & Communication:

    * It drops ransom notes in multiple directories. The specific filename and content vary slightly between variants.

    * It changes the desktop wallpaper to a warning message and ransom demand.

    * It assigns a unique ID to each victim, either retrieved from a directory or generated randomly.

    * Victims are typically instructed to contact the attacker via email or Telegram. Earlier versions used Telegram accounts like t[.]me/temon_69 and github[.]com/temon_69, while later versions use t[.]me/dme69. There's a suggestion that "temon_69" was previously "poop69."

  • Data Stealing (Variant 2): Variant 2 significantly expands Big Head's capabilities by adding data exfiltration. It steals:

    * Browsing history

    * Directory listings

    * Installed drivers

    * Running processes

    * Product key

    * Active networks

    * Screenshots
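As an added, defender-side example that is not part of the original article: a small Python hunt over constructed endpoint telemetry that flags the behaviours listed above in combination (mass ".poop" renames, a registry autorun key, Task Manager disabled, shadow-copy deletion, termination of lock-holding processes). The event schema, the DisableTaskMgr policy value and the vssadmin command line are assumptions about how such telemetry and behaviours typically appear; the article itself does not name these mechanisms.

```python
from collections import Counter

# Constructed sample telemetry (not real logs); the flattened field names are assumed.
EVENTS = [
    {"type": "file_rename", "path": r"C:\Users\ann\Documents\budget.xlsx.poop"},
    {"type": "file_rename", "path": r"C:\Users\ann\Pictures\holiday.jpg.poop"},
    {"type": "file_rename", "path": r"C:\Users\ann\Desktop\notes.txt.poop"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WindowsUpdate", "data": r"C:\Users\ann\AppData\Roaming\update.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": 1},
    {"type": "proc_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "proc_terminate", "image": "sqlservr.exe"},
    {"type": "proc_terminate", "image": "WINWORD.EXE"},
]

# Processes the article says Big Head kills to release file locks (SQL, Word, Oracle).
LOCK_HOLDERS = {"sqlservr.exe", "winword.exe", "oracle.exe"}

def hunt(events, poop_threshold=3):
    """Return sorted finding labels for Big Head-like behaviour in the events."""
    findings = set()
    poop_renames = 0
    killed = Counter()
    for ev in events:
        kind = ev["type"]
        if kind == "file_rename" and ev["path"].lower().endswith(".poop"):
            poop_renames += 1                      # article: ".poop" appended to encrypted files
        elif kind == "reg_set":
            key = ev["key"].lower()
            if key.endswith(r"\currentversion\run"):
                findings.add("autorun_key_added")  # article: registry autorun persistence
            # Assumed mechanism for "disables Task Manager": the DisableTaskMgr policy value.
            if key.endswith(r"\policies\system") and ev["value"].lower() == "disabletaskmgr" \
                    and ev["data"] == 1:
                findings.add("task_manager_disabled")
        elif kind == "proc_create" and ev["image"].lower().endswith("vssadmin.exe") \
                and "delete shadows" in ev["cmdline"].lower():
            findings.add("shadow_copy_deletion")   # assumed mechanism for shadow-copy deletion
        elif kind == "proc_terminate" and ev["image"].lower() in LOCK_HOLDERS:
            killed[ev["image"].lower()] += 1
    if poop_renames >= poop_threshold:
        findings.add("mass_poop_extension")
    if len(killed) >= 2:                           # several distinct lock holders killed
        findings.add("lock_holder_termination")
    return sorted(findings)
```

Any one of these indicators is noisy on its own; the value lies in correlating several of them on one host within a short window.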

Tools Used

Based on various analyses and observations, Big Head, or the group DEV-0970/Storm-0970 believed to be behind it, has been seen using tools such as:

  • Mimikatz: Password dumping.

  • PsExec: Remote process execution.

  • Cobalt Strike: Threat emulation software, payload deployment.

  • Empire PowerShell: Post-exploitation framework.

Targets or Victimology

Big Head ransomware primarily targets consumers, rather than large enterprises. This is evidenced by several factors:

  • Low Ransom Demand: The ransom demand in one variant was 1 Bitcoin, a relatively low amount compared to the demands made by ransomware groups targeting large corporations. This suggests a focus on volume over high-value targets.

  • Deceptive Tactics: The use of fake Windows updates and counterfeit software installers is more likely to be successful against individual users who may lack the security awareness and technical expertise of enterprise IT staff.

  • Global Reach: While most reported samples have been submitted from the United States, submissions have also come from Spain, France, Turkey, and other countries. This indicates a broad, opportunistic targeting strategy rather than a focus on specific industries or geographic regions.

While primarily targeting consumers, the increasing use of personal devices for work, especially in remote work environments, creates a potential bridge to organizations. A compromised personal device used to access corporate networks could provide an entry point for the ransomware to spread to more valuable targets.

Attack Campaigns

While Big Head is relatively new and not yet associated with widespread, high-profile attacks, its rapid development and global distribution warrant attention. Some key points regarding its activity:

  • Emergence in May 2023: The first samples appeared around this time, indicating a relatively recent entry into the ransomware scene.

  • Multiple Variants: The rapid development of at least three distinct variants suggests ongoing experimentation and a commitment to improving the malware.

  • Global Submissions: Samples have been submitted from various countries, indicating a broad, opportunistic targeting approach.

  • Bitcoin Wallet Activity: Analysis of the Bitcoin wallet associated with the ransom note revealed only a few transactions from 2022, before Big Head's emergence. This suggests the wallet may be used for other illicit activities or that the ransomware has not been highly successful in generating ransom payments (yet).

  • Attribution to DEV-0970/Storm-0970: The group is believed to be the single operator behind the ransomware variants.

The lack of major, publicly reported campaigns does not diminish the threat. Big Head's evolving capabilities, deceptive tactics, and global reach make it a potential threat that should be monitored closely, and knowing its indicators of compromise is essential to identifying these attacks.

Defenses

Protecting against Big Head ransomware, and ransomware in general, requires a multi-layered approach that combines technical safeguards with user education and awareness:

  • Software Updates (Genuine Ones!): Keep your operating system, applications, and antivirus software up-to-date. Crucially, always obtain updates from official sources (e.g., directly from Microsoft for Windows updates). Do not trust unsolicited pop-ups or emails claiming to be updates.

  • Be Wary of Downloads: Only download software from trusted and reputable sources. Avoid cracked or pirated software, as these are common vectors for malware distribution.

  • Email Security: Be cautious of suspicious emails, especially those with attachments or links. Implement strong email filtering and security measures (such as SPF and DMARC) to block phishing attempts.

  • Strong Antivirus/Anti-Malware: Use a reputable antivirus and anti-malware solution and keep it updated. Configure it to perform regular scans.

  • Data Backup: Regularly back up your important data to an external hard drive or cloud storage. This is critical for recovery in case of a ransomware attack. Ensure backups are offline or air-gapped to protect them from being encrypted by the ransomware.

  • Security Awareness Training: Educate yourself and your users (if applicable) about ransomware and other cyber threats. Learn to recognize phishing attempts, suspicious websites, and unsafe download practices.

  • Network Segmentation: If applicable (in an organizational setting), segment your network to limit the spread of ransomware if one system is compromised.

  • Least Privilege Access: Restrict user privileges to only what is necessary for their job functions. This can limit the damage a ransomware attack can cause.

  • Disable Autorun: Disable the autorun feature for removable media to prevent malware from automatically executing when a USB drive or other external device is connected.

  • Enable Multi-Factor Authentication: Implement it on all accounts that support it.

  • Monitor System Activity: Be vigilant for unusual system behavior, such as unexpected high CPU usage, excessive disk activity, or the appearance of unfamiliar files.

  • Incident Response Plan: Have a plan for how to react if an infection occurs.

  • Cybersecurity Audit: For organizations, a professional security assessment is recommended.

Conclusion

Big Head ransomware, while not yet a dominant force in the cybercrime landscape, represents a growing and evolving threat, particularly to individual consumers. Its deceptive tactics, such as masquerading as Windows updates, coupled with its expanding capabilities (data stealing and file infection), make it a danger that should not be underestimated. The rapid development of multiple variants and the global distribution of samples highlight the need for vigilance and proactive security measures. By understanding Big Head's tactics, techniques, and procedures, and by implementing strong defenses, individuals and organizations can significantly reduce their risk of falling victim to this emerging ransomware threat. Continuous monitoring of the threat landscape and adaptation of security strategies are crucial in the ongoing fight against ransomware.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
