FortiGuard Labs Threat Research
Ransomware Roundup - Big Head
FortiGuard Labs came across two new ransomware variants, “Big Head” and another likely used by the same attacker, targeting consumers to extort money.
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This latest edition of the Ransomware Roundup covers the Big Head ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
Big Head Ransomware
Overview
FortiGuard Labs recently came across a new ransomware variant called Big Head, which came out in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.
Infection Vector
One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update. One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software.
At the time of this research, there is no indication that Big Head is widespread.
Ransomware Execution
FortiGuard Labs is aware of at least two variants of Big Head ransomware, which we have named variants A and B.
Variant A
Once Big Head ransomware variant A is executed, it displays a fake Windows Update screen to trick users into believing that legitimate actions are occurring behind the scenes.
Figure 1. Fake Windows Update screen shown by the Big Head ransomware variant A
The fake Windows Update lasts about 30 seconds and automatically closes. By the time the phony update is done, the ransomware has already encrypted files on compromised machines with file names randomly altered.
Figure 2. Files encrypted by the Big Head ransomware variant A and its ransom note
The ransomware then opens a ransom note labeled “README_[random seven digits number] that demands victims contact the attacker via email or telegram for file decryption and data leak.
Figure 3. Ransom note left by the Big Head ransomware variant A
Big Head ransomware variant A has also been seen to leave a slightly different version of the ransom note, including the attacker’s Bitcoin address for “immediate ransom payment.”
Figure 4. Alternative ransom note left by the Big Head ransomware variant A
Variant B
While the Big Head ransomware variant B did not encrypt any files in our test environment, it is designed to encrypt files on compromised machines. Our analysis found that variant B uses a PowerShell file named “cry.ps1” for file encryption. The variant B does not drop cry.ps1 in some cases, and file encryption does not occur. However, it does not stop variant B from replacing the Desktop wallpaper with its own containing ransom note. Like variant A, the ransom note requests that victims contact the attacker using the same email address or telegram channel. The difference is that a ransom fee of one Bitcoin is included in the variant B ransom note. The relatively low ransom fee indicates that Big Head ransomware is used to target consumers rather than enterprises.
Figure 5. Desktop wallpaper replaced by the Big Head ransomware variant B
Variant B separately drops a ransom note labeled “Read Me First!/txt” with the same ransom message as the wallpaper.
Figure 6. Ransom note left by the Big Head ransomware variant B
Variant B also tries to open the attacker’s Github page on a default Web browser; however, the page is unavailable because it has been removed or shut down.
The attacker’s Bitcoin wallet recorded two transactions: one in December 2022 for $313.93, the other in August of the same year for $70.07. Since the Big Head ransomware came out in May 2023, those transactions do not appear to be related to the ransomware variant.
Ransomware of the Same Stripe
FortiGuard Labs found another ransomware variant that, based on the Bitcoin wallet and email address, was likely used by the same attacker. This ransomware was also submitted to a publicly available file scanning service in May 2023, the same month the Big Head ransomware variants were made available. This ransomware variant encrypts files and appends the attacker’s contact email address, “poop69new@[redacted],” to the file names. It also replaces the desktop wallpaper with its own that includes the following ransom note.
Figure 7. Wallpaper replaced by another ransomware used by the same attacker
It also leaves an alternative ransom note labeled “read_it.txt”.
Figure 8. Ransom note left behind by another ransomware used by the same attacker
Victimology
Most of the Big Head ransomware samples were submitted from the United States. Another ransomware used by the same attacker was submitted from the United States, Spain, France, and Turkey.
Fortinet Protections
Fortinet customers are already protected from this malware variant through AntiVirus, and FortiEDR services, as follows:
FortiGuard Labs detects known Big Head ransomware variants with the following AV signatures:
- MSIL/Fantom.R!tr.ransom
- MSIL/Agent.FOV!tr
- MSIL/Kryptik.AGXL!tr
- MSIL/ClipBanker.MZ!tr.ransom
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
IOCs
File-based IOCs:
SHA256 |
Malware |
2a36d1be9330a77f0bc0f7fdc0e903ddd99fcee0b9c93cb69d2f0773f0afd254 |
Big Head ransomware |
39caec2f2e9fda6e6a7ce8f22e29e1c77c8f1b4bde80c91f6f78cc819f031756 |
|
40e5050b894cb70c93260645bf9804f50580050eb131e24f30cb91eec9ad1a6e |
|
64246b9455d76a094376b04a2584d16771cd6164db72287492078719a0c749ab |
|
6d27c1b457a34ce9edfb4060d9e04eb44d021a7b03223ee72ca569c8c4215438 |
|
9c1c527a826d16419009a1b7797ed20990b9a04344da9c32deea00378a6eeee2 |
|
ae927feae84239c7f56a2c49aadb02dc318ef4be2860353b6a2428bdbbf0ae71 |
|
bcf8464d042171d7ecaada848b5403b6a810a91f7fd8f298b611e94fa7250463 |
|
dcfa0fca8c1dd710b4f40784d286c39e5d07b87700bdc87a48659c0426ec6cb6 |
|
1942aac761bc2e21cf303e987ef2a7740a33c388af28ba57787f10b1804ea38e
|
Another ransomware used by the same attacker |
f59c45b71eb62326d74e83a87f821603bf277465863bfc9c1dcb38a97b0b359d |
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is generally delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Best Practices include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.
