“Big Head” ransomware masquerading as Windows update
Written By: Haydn Crossland
Windows updates are by no means uncommon; in fact, your Windows operating system checks for updates every day. From a security perspective
Modus Operandi
Big Head was first identified in May 2023 by FortiGuard Labs, the threat intelligence and research organization at Fortinet, which rated its severity level as "High".
Big Head uses techniques shared with other ransomware families, such as deleting registry keys to prevent access to backups stored locally or in the cloud. This denies the victim any easy route to restoration.
The ransomware establishes communication with the attacker via Telegram, an instant messaging service, before encrypting the files on the victim's machine and appending the extension ".poop" to each of them. Throughout, the victim is shown a spoof Windows update screen while the malware effectively locks them out of their own files.
The ransomware is selective about where it runs: it self-deletes in certain circumstances, such as when it detects a sandbox environment in which it is likely to be analysed and mitigated. A good example of the ransomware terminating itself is when it detects that the system language belongs to a member of the Commonwealth of Independent States, including Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian and Uzbek. Whether this is an indicator of its origin or a false flag is not yet known.
Arbitrary Code Execution (ACE) is the goal when it comes to delivering ransomware. ACE gives the attacker a platform to execute the payload, by which we mean running a specific malicious file on the target's machine. Targets can be compromised, giving the attacker the ability to execute arbitrary code, through a number of methods. Here are three examples:
• Through the delivery of phishing emails
• Visiting infected websites
• Via a remote desktop session
The Big Head ransomware is no different. Because it presents itself as a genuine Microsoft Windows update, it is likely that attackers will employ social engineering techniques
The attackers' intentions in this case are primarily financial gain.
Why does this matter?
Big Head ransomware is indiscriminate in nature: whether you are an individual, a small business or a large corporation, you are a potential target. Assuming "I'm too small for an attacker to be interested in me" simply will not work.
It is common for malware to evolve, and in this case three different versions have been observed, indicating that the author may be testing and refining in preparation for a more sophisticated attack. Being aware of this ransomware and its warning signs is an advantage in defending against it; prevention is better than remediation. Regulators reiterate this point, as they do not consider paying the ransom an appropriate measure. Once a system is compromised, businesses must treat it as a data breach and inform the ICO.
How to Protect Yourself
The advice for protecting yourself against ransomware:
• Ensure users are aware of how to spot the signs of malicious emails, malicious sites and social engineering techniques.
• Filter and monitor emails to identify known bad actors.
• Use antivirus programs on clients and servers, with automatic updates of signatures and software.
• Backups can help to restore data encrypted by ransomware; however, they are also a target for ransomware. To protect against a determined threat actor, they must be kept offline.
• Regularly test backups for their integrity and confirm they can be recovered. Scan backups for registry persistence.
• If a device is compromised, isolate it from the network.
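The backup integrity test above is easy to state and easy to skip. The following PowerShell is an added example, not code from the original article: it records a SHA-256 manifest when a backup set is taken and later reports every file that is missing, modified, or newly appeared (an encrypted backup typically shows modified content plus renamed files, such as the ".poop" extension Big Head appends). The paths in the usage lines are assumptions.

```powershell
# Added example, not from the original article: SHA-256 manifest for a backup set.
# Manifest format: "<sha256 hex>  <path relative to backup root>", one file per line.

function Read-Manifest {
    param([Parameter(Mandatory)] [string] $ManifestPath)
    $entries = @{}
    foreach ($line in Get-Content -Path $ManifestPath) {
        if ($line -match '^(?<hash>[0-9A-F]{64})  (?<rel>.+)$') {
            $entries[$Matches.rel] = $Matches.hash
        }
    }
    return $entries
}

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $rel  = $_.FullName.Substring($root.Length).TrimStart('\')
        "$hash  $rel"
    } | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
}

function Test-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $BackupRoot).Path
    $expected = Read-Manifest -ManifestPath $ManifestPath
    $seen     = @{}

    # Walk the backup as it is now and compare each file with the recorded hash.
    foreach ($file in Get-ChildItem -LiteralPath $root -File -Recurse) {
        $rel = $file.FullName.Substring($root.Length).TrimStart('\')
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            # Files the manifest never saw: ransom notes, renamed/encrypted copies, etc.
            [pscustomobject]@{ File = $rel; Status = 'UNEXPECTED' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $status = if ($actual -eq $expected[$rel]) { 'OK' } else { 'MODIFIED' }
        [pscustomobject]@{ File = $rel; Status = $status }
    }
    # Anything recorded in the manifest that is no longer on disk.
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ File = $rel; Status = 'MISSING' }
        }
    }
}

# Usage (paths are assumptions): build the manifest when the backup is taken and
# verify before every restore test.
#   New-BackupManifest  -BackupRoot 'E:\backups\2024-01-15' -ManifestPath 'F:\manifests\2024-01-15.sha256'
#   Test-BackupManifest -BackupRoot 'E:\backups\2024-01-15' -ManifestPath 'F:\manifests\2024-01-15.sha256' |
#       Where-Object Status -ne 'OK'
```

Keep the manifest off the backup media itself (offline or on a separate, write-protected store). If the attacker can rewrite both the backup and the manifest, the comparison proves nothing, which is the same reason the backups themselves must be kept offline.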
In the case of Big Head ransomware, it is crucial to remember that genuine Windows updates are delivered through "Settings" > "Windows Update", not through a pop-up, an email attachment or a file downloaded from a website.
IOC hashes can be found here: https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head
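When a user reports that a "Windows update" appeared in their downloads or inbox, the two quickest checks are the file's hash against the published IOCs and its Authenticode signature: real Microsoft update binaries are validly signed by Microsoft, and a spoofed update executable is not. The PowerShell below is an added example, not code from the original article or from Fortinet's report; the IOC list path, its one-hash-per-line format and the sample file path are assumptions, and the list is expected to be populated from the Fortinet roundup linked above.

```powershell
# Added example, not from the original article: triage a file claiming to be a
# Windows update. Returns an object whose Findings list explains why it is suspect.
# $IocListPath is an assumed location for a text file with one SHA-256 per line,
# filled in from the Fortinet Big Head roundup.

function Test-SuspiciousUpdate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $IocListPath = 'C:\ir\bighead-sha256.txt'
    )
    $findings = @()

    # 1. Hash match against published Big Head samples.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if (Test-Path -LiteralPath $IocListPath) {
        $iocs = Get-Content -Path $IocListPath |
            ForEach-Object { $_.Trim().ToUpperInvariant() } |
            Where-Object { $_ -match '^[0-9A-F]{64}$' }
        if ($iocs -contains $sha256) {
            $findings += "SHA-256 $sha256 matches a published Big Head IOC"
        }
    } else {
        $findings += "IOC list $IocListPath not found; hash $sha256 was not checked"
    }

    # 2. Authenticode: a genuine Microsoft update binary has a Valid signature
    #    chaining to a Microsoft signer. NotSigned or HashMismatch is a red flag.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is '$($sig.Status)'; Microsoft update binaries are validly signed"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "Signed, but by '$($sig.SignerCertificate.Subject)', not Microsoft"
    }

    # 3. Delivery path: Windows Update does not drop update executables into a
    #    user's Downloads folder or mail attachment cache.
    $userProfile = [Environment]::GetFolderPath('UserProfile')
    if ($Path.StartsWith($userProfile, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Located under the user profile ($userProfile), which is not where Windows Update stages files"
    }

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $sha256
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Findings        = $findings
        Suspicious      = ($findings.Count -gt 0)
    }
}

# Usage (path is an assumption):
#   Test-SuspiciousUpdate -Path "$env:USERPROFILE\Downloads\WindowsUpdate.exe" | Format-List
```

A valid Microsoft signature does not prove a file is harmless, but an unsigned or oddly signed "update" is enough on its own to stop the user running it and to escalate. Cross-check what Windows Update actually installed with Get-HotFix before accepting any claim that an update "already ran".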
Conclusion
Big Head ransomware is relatively new and appears to be targeting mainly US users. However, this article should serve as a reminder of the severity of being the target of any ransomware and of the ways in which it can be mitigated.
Prevention is easier than remediation when it comes to responding to a ransomware attack.
Comment: You're the CAT'S WHISKERS at what you do, but are your graphics a dog's dinner? It's okay, you just need Word Up! Branding | Copywriting | Digital/Print-ready artworks that DO reflect YOUR EXPERTISE!
Comment (1 year ago): There's my weekend reading then, guys.
Comment from a Chief Operating Officer, Senior Leader & People Manager (1 year ago): Great article (not that I'm biased!), serves as a reminder that we're all susceptible to ransomware attacks.