Big Head Ransomware

Security researchers have identified a new and emerging strain of ransomware called 'Big Head' that has raised concerns due to its potential to inflict substantial damage once fully operational. Multiple distinct versions of Big Head have been analyzed, revealing its diverse and multifaceted nature, which poses significant challenges for future mitigation efforts.

The developers behind Big Head display a certain level of experience, although they may not be considered highly sophisticated threat actors. Their ability to incorporate various functionalities within the malware, including stealers, infectors, and ransomware samples, is particularly alarming. This multifaceted approach grants the malware the capability to cause significant harm when it reaches its full operational capacity. Defending against Big Head becomes more challenging due to the need to address each attack vector separately.

Given the complex nature of Big Head and its potential to evolve further, security experts are apprehensive about the implications and impact it may have on targeted systems. The multifunctional design of the malware requires organizations and security professionals to adopt a comprehensive approach to defense, focusing on multiple aspects and vulnerabilities simultaneously.

Attackers Use Fake Microsoft Advertisements as Lures

The Big Head Ransomware has been observed being distributed through malvertisements, which are malicious advertisements disguised as fake Windows updates or Word installers.

Upon infection, Big Head presents a deceptive user interface that mimics a legitimate Windows Update process, tricking victims into believing the malicious activity is a genuine software update.

In one instance of Big Head analysis, three binaries were discovered, each serving different functions on the targeted system. These functions included file encryption, the deployment of a Telegram bot that interacted with the threat actor's chatbot ID, the display of the fake Windows update UI, and the installation of ransom notes as Read Me files and wallpaper.

The executable responsible for the Telegram bot, named teleratserver.exe, was a 64-bit Python-compiled binary. This executable accepted commands such as 'start,' 'help,' 'screenshot,' and 'message' to establish communication between the victim and the threat actor through the messaging application.

Big Head Ransomware Versions with Expanded Functionality Have Been Discovered

In another instance, a second sample of the Big Head Ransomware demonstrated additional capabilities for stealing data. It incorporated the WorldWind Stealer malware, which facilitated the collection of various types of information. This included the browsing history from all available web browsers, lists of directories and running processes on the infected system, a replica of drivers, and a screenshot of the screen captured after the malware was executed.

Furthermore, a third sample of the Big Head Ransomware carried Neshta, malware designed to spread by injecting malicious code into executable files. Researchers highlighted that integrating Neshta into the ransomware deployment serves as a camouflage technique for the final Big Head Ransomware payload. By doing so, the malware can mask its true nature and appear as a different type of threat, such as a file-infecting virus. This tactic aims to divert the attention and prioritization of security solutions that primarily focus on detecting ransomware.

The inclusion of these additional functionalities and the utilization of camouflage techniques demonstrate the evolving complexity and sophistication of the Big Head Ransomware. By incorporating data-stealing capabilities and leveraging other malware components, Big Head attempts to gather valuable information, disguise its true intent, and potentially circumvent security measures that primarily target ransomware.
