New ‘Big Head’ ransomware displays fake Windows update alert



Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.


Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.


Today, Trend Micro published a technical report on Big Head claiming that both variants, and a third they sampled, originate from a single operator who is likely experimenting with different approaches to optimize their attacks.


Faking a Windows update


‘Big Head’ ransomware is a .NET binary that installs three AES-encrypted files on the target system: one is used to propagate the malware, another is for Telegram bot communication, and the third encrypts files and can also show the user a fake Windows update.



Big Head's infection routine (Trend Micro)

On execution, the ransomware also performs actions such as creating a registry autorun key, overwriting existing files if needed, setting system file attributes, and disabling the Task Manager.



Creating the Registry Autorun (Trend Micro)

Each victim is assigned a unique ID that is either retrieved from the %appdata%ID directory or generated as a random 40-character string.


The ransomware deletes shadow copies to prevent easy system restoration before encrypting the targeted files and appending a “.poop” extension to their filenames.
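The behaviours described above (registry autorun persistence, Task Manager disabled, shadow copy deletion, and the ".poop" extension) can be turned into a simple host-level correlation rule. The following is an added example, not code from Trend Micro or from the article; it runs over constructed sample telemetry, and the specific registry key for the autorun entry, the DisableTaskMgr policy value and the vssadmin/wmic command lines are assumptions about how such events would appear, since the article does not name them.

```python
import re

# Constructed sample telemetry for this example (not real logs): one dict per
# endpoint event, in the shape an EDR or Sysmon normaliser might emit.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set",  # assumed Run key autorun
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Users\a\AppData\Roaming\update.exe"},
    {"host": "ws01", "type": "registry_set",  # assumed Task Manager policy
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": "1"},
    {"host": "ws01", "type": "process",       # assumed shadow copy deletion
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "file_rename",   # extension named in the article
     "old": r"C:\Users\a\Documents\q1.xlsx", "new": r"C:\Users\a\Documents\q1.xlsx.poop"},
    {"host": "ws02", "type": "registry_set",  # benign autorun on another host
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\b\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)


def classify(event):
    """Map one event to a Big Head behaviour label, or None if it matches nothing."""
    kind = event.get("type")
    if kind == "registry_set":
        if AUTORUN_KEY.search(event.get("key", "")):
            return "autorun_key"
        if event.get("value", "").lower() == "disabletaskmgr" and str(event.get("data")) == "1":
            return "taskmgr_disabled"
    elif kind == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    elif kind == "file_rename" and event.get("new", "").lower().endswith(".poop"):
        return "poop_extension"
    return None


def behaviours_by_host(events):
    """Collect the set of distinct behaviour labels seen per host."""
    found = {}
    for ev in events:
        label = classify(ev)
        if label:
            found.setdefault(ev["host"], set()).add(label)
    return found


def alert_hosts(events, threshold=2):
    """Hosts worth alerting on: the .poop extension alone, or several behaviours combined.
    A lone autorun entry is too common to page on by itself."""
    return sorted(h for h, b in behaviours_by_host(events).items()
                  if "poop_extension" in b or len(b) >= threshold)
```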



File types targeted by Big Head (Trend Micro)

Also, Big Head will terminate the following processes to prevent tampering with the encryption process and to free up data that ..
