“Big Head” ransomware masquerading as Windows update

Written By: Haydn Crossland

Windows updates are by no means uncommon; in fact, your Windows operating system checks for updates every day. From a security perspective, these updates help to ‘harden’ systems by installing patches for known security issues called vulnerabilities. Patching vulnerabilities is an integral part of organisational best practice in achieving a good security posture. Consequently, updates should be a common sight for most users. In this article we look at how the ransomware “Big Head” is exploiting this common sight by masquerading as a Windows update.

Modus Operandi

Big Head was first identified in May 2023 by FortiGuard Labs, the threat intelligence and research organization at Fortinet in the UK, which described its severity level as “High”.

Big Head employs methods shared with other members of the ransomware family, such as deleting registry keys in order to prevent access to backups stored locally or in the cloud. This in turn denies the user any easy route to restoration.

The ransomware establishes communication with the attacker via Telegram, an encrypted instant messaging service, before encrypting all files on the recipient's machine and appending the extension “.poop” to each of them. All the while, the target is presented with the spoof Windows update screen that is effectively locking them out of their own files.

The ransomware is selective about its targets and knows to self-delete in certain circumstances, such as when it is placed in a ‘sandbox’ environment where it is likely to be analysed and mitigated. A good example of the ransomware terminating itself is when it detects that the system language belongs to a member of the Commonwealth of Independent States; these languages include Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian and Uzbek. Whether this is an indicator of its origin or a false flag is not yet known.

Arbitrary Code Execution (ACE) is the goal when it comes to delivering ransomware: ACE gives the attacker a platform to execute the payload, by which we mean running a specific malicious file on the target's machine. Targets can be compromised, giving the attacker the ability to execute arbitrary code, through a number of methods. Here are three examples:

• Through the delivery of phishing emails

• Visiting infected websites

• Via a remote desktop session

The Big Head ransomware is no different. Given its appearance as a genuine Microsoft Windows update, attackers are likely to employ social engineering techniques, such as posing as a Microsoft employee, to deliver it.

The attacker's intentions in this case are primarily financial: the ransom note demands that a single bitcoin be transferred to their wallet in exchange for the recipient being able to decrypt their files. At the time of writing, the value of a single bitcoin is in excess of £23,000. Big Head does not appear to differentiate between an individual and a large corporation, since the payload leaves the same hardcoded ransom note on the desktop after compromising the system.
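As an added example that is not part of the original article or of FortiGuard's research, the Python below shows how a defender could turn the two behaviours described above (files renamed with the “.poop” extension and a ransom note written to the desktop) into a simple endpoint detection heuristic. The file-event feed format, the thresholds and the sample events are assumptions constructed for the example.

```python
"""Big Head-style ransomware heuristic: added example, not the article's or
FortiGuard's code. Assumes a time-ordered (timestamp, action, path) file-event
feed such as an EDR or Sysmon log; the sample events below are constructed."""
from collections import deque
from datetime import datetime, timedelta

RANSOM_EXT = ".poop"            # extension Big Head appends to encrypted files
WINDOW = timedelta(seconds=60)  # sliding window for the rename burst (assumed)
THRESHOLD = 20                  # renames to .poop within WINDOW before alerting

def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return (kind, timestamp, detail) alerts: one when `threshold` files gain
    RANSOM_EXT inside `window`, and one for each file created on a user's Desktop
    while renames are ongoing (where the article says the ransom note is left)."""
    alerts = []
    recent = deque()            # timestamps of .poop renames still in window
    burst_alerted = False
    for ts, action, path in events:
        low = path.lower()
        if action == "rename" and low.endswith(RANSOM_EXT):
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and not burst_alerted:
                alerts.append(("mass_rename", ts, len(recent)))
                burst_alerted = True
        elif action == "create" and "\\desktop\\" in low and recent:
            # Expire stale renames first so an old burst does not taint this.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if recent:
                alerts.append(("desktop_drop_during_encryption", ts, path))
    return alerts

def sample_events():
    """Constructed sample: 25 renames in 10 s, then a note on the Desktop."""
    t0 = datetime(2023, 7, 1, 9, 0, 0)
    ev = [(t0 + timedelta(milliseconds=400 * i), "rename",
           rf"C:\Users\alice\Documents\report{i}.docx.poop") for i in range(25)]
    # Note file name is a placeholder; the article gives no real name.
    ev.append((t0 + timedelta(seconds=11), "create",
               r"C:\Users\alice\Desktop\RANSOM_NOTE_PLACEHOLDER.txt"))
    return ev

def quiet_events():
    """Constructed benign case: five renames spread over five minutes."""
    t0 = datetime(2023, 7, 1, 10, 0, 0)
    return [(t0 + timedelta(minutes=i), "rename", rf"D:\old{i}.poop") for i in range(5)]
```

In a real deployment the thresholds would be tuned against the normal rename rate of the endpoint, and the desktop check broadened to whichever locations the organisation's telemetry shows ransom notes being dropped.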

Why does this matter?

Big Head ransomware is indiscriminate in nature: whether you are an individual, a small business or a large corporation, everyone is a potential target. Assuming ‘I’m too small for an attacker to be interested in me’ simply will not work.

It is common for malware to evolve, and in this case three different versions exist, indicating that the author may be testing and refining the code in preparation for a more sophisticated attack. Awareness of this ransomware and its warning signs is an advantage in defending against it: prevention is better than remediation, a point reiterated by regulators, who do not consider paying the ransom an appropriate measure. Once a system is compromised, businesses must treat the incident as a data breach and inform the ICO.

How to Protect Yourself

The general advice for protecting yourself against ransomware applies. It is important to have sufficient controls at all stages – delivery, execution and disaster recovery:

• Ensure users are aware of how to spot the signs of malicious emails, malicious sites and social engineering techniques.

• Filter and monitor emails to identify known bad actors.

• Use antivirus programs on clients and servers, with automatic updates of signatures and software.

• Backups can help to restore data encrypted by ransomware; however, they are also a target for ransomware. To protect against a determined threat actor, they must be kept offline.

• Regularly test backups for their integrity and whether they can be recovered. Scan backups for registry persistence.

• Isolate any compromised device from the network.

In the case of Big Head it is crucial to remember that genuine Windows updates are accessed through “Settings” and “Windows Update”; an update screen that appears by any other route should be treated with suspicion.

IoC hashes can be found here: https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head

Conclusion

Big Head ransomware is relatively new and appears to be targeting mainly US customers. However, this article should serve as a reminder of the severity of being the target of any ransomware and of the ways in which it can be mitigated.

Prevention is easier than remediation when it comes to responding to a ransomware attack.

References

https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head

https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html

https://heimdalsecurity.com/blog/new-ransomware-strain-discovered-big-head

https://www.techradar.com/pro/watch-out-that-windows-update-could-actually-just-be-ransomware

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/ico-and-ncsc-stand-together-against-ransomware-payments-being-made/

https://www.coinbase.com/price/bitcoin

Sandra Lloyd

You’re the CAT'S WHISKERS at what you do, but are your graphics a dog's dinner? It’s okay – you just need Word Up! Branding | Copywriting | Digital/Print ready artworks that DO reflect YOUR EXPERTISE!

1 year

There's my weekend reading then, guys

James Crossland

Chief Operating Officer, Senior Leader & People Manager

1 year

Great article (not that I'm biased!); it serves as a reminder that we're all susceptible to ransomware attacks.
