New ‘Big Head’ ransomware displays fake Windows update alert


Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.

Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.

Today, Trend Micro published a technical report on Big Head claiming that both variants, plus a third one they sampled, originate from a single operator who is likely experimenting with different approaches to optimize their attacks.

Faking a Windows update

‘Big Head’ ransomware is a .NET binary that installs three AES-encrypted files on the target system: one is used to propagate the malware, another is for Telegram bot communication, and the third encrypts files and can also show the user a fake Windows update.

Big Head’s infection routine (Trend Micro)

On execution, the ransomware also performs actions such as creating a registry autorun key, overwriting existing files if needed, setting system file attributes, and disabling the Task Manager.

Creating the Registry Autorun (Trend Micro)

Each victim is assigned a unique ID that is either retrieved from the %appdata%\ID directory or generated as a random 40-character string.

The ransomware deletes shadow copies to prevent easy system restoration before encrypting the targeted files and appending a “.poop” extension to their filenames.
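The host-side behaviours described above (a Run-key autorun entry, disabling Task Manager, deleting shadow copies before encryption, and mass renaming of files to a ".poop" extension) are the kind of signals a SOC would alert on. The following is an added example, not code from the article or from Trend Micro's report, of toy detection logic run over constructed Sysmon-style event lines. The pipe-separated event format, the field names, the threshold, the file paths, and the executable name `fakeupdate.exe` are all assumptions made for this example.

```python
"""
Added example: detect Big Head-style host behaviour in constructed telemetry.
Event format (assumed for this example): EventID|Image|Detail, where EventID
follows Sysmon conventions (1 = process create, 11 = file create,
13 = registry value set). None of the sample lines are real logs.
"""
import re
from collections import Counter, defaultdict

# Constructed sample telemetry; paths and binary names are placeholders.
MALWARE = "C:\\Users\\victim\\AppData\\Local\\Temp\\fakeupdate.exe"
SAMPLE_EVENTS = [
    f"13|{MALWARE}|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\fakeupdate",
    f"13|{MALWARE}|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
    "1|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    f"11|{MALWARE}|C:\\Users\\victim\\Documents\\report.docx.poop",
    f"11|{MALWARE}|C:\\Users\\victim\\Documents\\budget.xlsx.poop",
    f"11|{MALWARE}|C:\\Users\\victim\\Pictures\\holiday.jpg.poop",
    # Benign-looking activity: a vendor updater registering itself from Program Files
    "13|C:\\Program Files\\Vendor\\updater.exe|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
    "1|C:\\Windows\\explorer.exe|explorer.exe",
]

# Detection patterns (constructed for this example).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
TASKMGR_KEY = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RANSOM_EXT = ".poop"
MASS_RENAME_THRESHOLD = 3  # assumed: three renames by one image within the window


def parse_event(line):
    """Split one pipe-separated event line into its three fields."""
    event_id, image, detail = line.split("|", 2)
    return {"id": int(event_id), "image": image, "detail": detail}


def analyze(lines):
    """Return {image: sorted list of finding names} for every image that triggered a rule."""
    findings = defaultdict(set)
    rename_counts = Counter()
    for line in lines:
        ev = parse_event(line)
        img, det = ev["image"], ev["detail"]
        # Autorun persistence is only suspicious here when the writer lives in a user-writable path.
        if ev["id"] == 13 and RUN_KEY.search(det) and USER_WRITABLE.search(img):
            findings[img].add("autorun_from_user_writable_path")
        if ev["id"] == 13 and TASKMGR_KEY.search(det):
            findings[img].add("task_manager_disabled")
        if ev["id"] == 1 and SHADOW_DELETE.search(det):
            findings[img].add("shadow_copy_deletion")
        if ev["id"] == 11 and det.lower().endswith(RANSOM_EXT):
            rename_counts[img] += 1
    for img, n in rename_counts.items():
        if n >= MASS_RENAME_THRESHOLD:
            findings[img].add("mass_rename_to_poop_extension")
    return {img: sorted(f) for img, f in findings.items()}


def host_verdict(findings):
    """Escalate when two or more distinct behaviours are seen on the host, regardless of which image produced them."""
    distinct = {name for names in findings.values() for name in names}
    if len(distinct) >= 2:
        return "ransomware_suspected"
    if distinct:
        return "review"
    return "clean"


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for image, names in result.items():
        print(image, "->", ", ".join(names))
    print("verdict:", host_verdict(result))
```

The shadow-copy deletion is attributed to vssadmin.exe rather than to the dropper because the sample format carries no parent-process field; `host_verdict` therefore correlates across images on the host, which is why the vendor updater's single Run-key write from Program Files produces no finding while the temp-directory executable does.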

File types targeted by Big Head (Trend Micro)

Big Head also terminates the following processes, both to prevent tampering with the encryption process and to release files those processes hold open so the malware can encrypt them.

Processes terminated before encryption (Trend Micro)

The Windows, Recycle Bin, Program Files, Temp, Program Data, Microsoft, and App Data directories are skipped from encryption to avoid rendering the system unusable.

Trend Micro has found that the ransomware checks whether it is running inside a virtual machine and inspects the system language, proceeding to encryption only if the language is not that of a member country of the Commonwealth of Independent States (former Soviet states).

System languages valid for encryption (Trend Micro)

During the encryption, the ransomware displays a screen that purports to be a legitimate Windows update.

Fake Windows update masking the file encryption (Trend Micro)

After the encryption process completes, the following ransom note is dropped in multiple directories, and the victim’s wallpaper is also changed to alert the victim of the infection.

Wallpaper and ransom note (Trend Micro)

Other variants

Trend Micro also analyzed two more Big Head variants, highlighting some key differences compared to the standard version of the ransomware.

The second variant maintains ransomware capabilities but also incorporates stealer behavior with functions to collect and exfiltrate sensitive data from the victim system.

The data this version of Big Head can steal includes browsing history, directory listings, installed drivers, running processes, the product key, and active networks; it can also capture screenshots.

Second variant infection routine (Trend Micro)

The third variant, discovered by Trend Micro, features a file infector identified as “Neshta,” which inserts malicious code into executables on the breached system.

Although the exact purpose of this is unclear, Trend Micro’s analysts speculate that it could be to evade detection that relies on signature-based mechanisms.

Notably, this variant uses a different ransom note and wallpaper from the other two, yet it is still tied to the same threat actor.

Third variant infection routine (Trend Micro)

Trend Micro comments that Big Head is not a sophisticated ransomware strain: its encryption methods are standard, and its evasion techniques are easy to detect.


Nevertheless, it appears to target consumers who can be fooled by simple tricks (e.g. a fake Windows update) or who have difficulty understanding the safeguards needed to steer clear of cybersecurity risks.

The multiple variants in circulation suggest that the creators of Big Head are continuously developing and refining the malware, experimenting with various approaches to see what works best.

Update 7/10/23 – Cyber-intelligence firm KELA shared additional information with BleepingComputer, indicating that Big Head’s main author is likely of Indonesian origin.

KELA’s analysts have discovered a user on Telegram using the same names and avatars as those found in Big Head’s ransom note, claiming to be a “ransomware expert” on posts published on “IndoGhostsec.”

Big Head’s author on Telegram (KELA)

The user switched the group’s name from ‘BIG HEAD HACKER!’ to ‘BLACKHAT HACKER INDONESIA’ in June 2022, while in March 2023, he started seeking the help of other members in his effort to create a ransomware builder and other relevant tools.

Threat actor’s post on Telegram (KELA)
