X-Industry

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The below report aims to provide readers with brief insights into the evolving ransomware landscape variants.

Big Head Ransomware Overview – Researchers recently came across a new ransomware variant called Big Head, which came out in May 2023.  Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.

Infection Vector

One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update.  One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software.  At this time, there is no indication that Big Head is widespread.

Ransomware Execution

Researchers are aware of at least two variants of Big Head ransomware, which we have named variants A and B.

Variant A - Once Big Head ransomware variant A is executed, it displays a fake Windows Update screen to trick users into believing that legitimate actions are occurring behind the scenes.

Figure 1. Fake Windows Update screen shown by the Big Head ransomware variant A

The fake Windows Update lasts about 30 seconds and automatically closes.  By the time the phony update is done, the ransomware has already encrypted files on compromised machines with file names randomly altered.

Figure 2. Files encrypted by the Big Head ransomware variant A and its ransom note.

The ransomware then opens a ransom note labeled “README_[random seven digits number] that demands victims contact the attacker via email or telegram for file decryption and data leak.

Figure 3. Ransom note left by the Big Head ransomware variant A

Big Head ransomware variant A has also been seen to leave a slightly different version of the ransom note, including the attacker’s Bitcoin address for “immediate ransom payment.”

Figure 4. Alternative ransom note left by the Big Head ransomware variant A

Variant B

While the Big Head ransomware variant B did not encrypt any files in our test environment, it is designed to encrypt files on compromised machines.  Our analysis found that variant B uses a PowerShell file named “cry.ps1” for file encryption.  The variant B does not drop cry.ps1 in some cases, and file encryption does not occur.  However, it does not stop variant B from replacing the Desktop wallpaper with its own containing ransom note.  Like variant A, the ransom note requests that victims contact the attacker using the same email address or telegram channel.  The difference is that a  ransom fee of one Bitcoin is included in the variant B ransom note.  The relatively low ransom fee indicates that Big Head ransomware is used to target consumers rather than enterprises.

Figure 5. Desktop wallpaper replaced by the Big Head ransomware variant B

Variant B separately drops a ransom note labeled “Read Me First!/txt” with the same ransom message as the wallpaper.

Figure 6. Ransom note left by the Big Head ransomware variant B

Variant B also tries to open the attacker’s Github page on a default Web browser; however, the page is unavailable because it has been removed or shut down.

The attacker’s Bitcoin wallet recorded two transactions: one in December 2022 for $313.93, the other in August of the same year for $70.07. Since the Big Head ransomware came out in May 2023, those transactions do not appear to be related to the ransomware variant.

Ransomware of the Same Stripe

FortiGuard Labs found another ransomware variant that, based on the Bitcoin wallet and email address, was likely used by the same attacker.  This ransomware was also submitted to a publicly available file scanning service in May 2023, the same month the Big Head ransomware variants were made available. This ransomware variant encrypts files and appends the attacker’s contact email address, “poop69new@[redacted],” to the file names.  It also replaces the desktop wallpaper with its own that includes the following ransom note.

Figure 7. Wallpaper replaced by another ransomware used by the same attacker

It also leaves an alternative ransom note labeled “read_it.txt”.

Figure 8. Ransom note left behind by another ransomware used by the same attacker

Victimology - Most of the Big Head ransomware samples were submitted from the United States. Another ransomware used by the same attacker was submitted from the United States, Spain, France, and Turkey. 

FortiGuard Labs detects known Big Head ransomware variants with the following AV signatures:

• MSIL/Fantom.R!tr.ransom
• MSIL/Agent.FOV!tr
• MSIL/Kryptik.AGXL!tr
• MSIL/ClipBanker.MZ!tr.ransom

IOCs:

File-based IOCs:

This article is presented at no charge for educational and informational purposes only.[1]

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

• https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head?lctg=141970831