Tailing Big Head Ransomware’s Variants, Tactics, and Impact

Trend Micro analyzes the Big Head ransomware family and its multiple variants, detailing their infection chain, embedded resource decryption, dropped binaries, and operational behaviors. The report highlights use of AES and RSA for encryption, Telegram-based command channels, stealer and file-infector components (including Neshta and WorldWind stealer), and destructive actions like deleting shadow copies. #BigHead #Neshta #WorldWindStealer

Keypoints

  • Big Head is a new ransomware family with multiple variants that share a common contact email and similar infection routines.
  • Samples are likely distributed via malvertising as fake Windows updates or fake Word installers and include .NET and Python-compiled components.
  • Main sample embeds three encrypted binaries decrypted with AES-ECB using an MD5-derived key from a hard-coded mutex value.
  • Dropped binaries include a Telegram-based communication agent (teleratserver.exe), a fake Windows Update UI encryptor (BXIuSsB.exe), and a propagator (1.exe); variants also include a stealer (WorldWind) and a Neshta file infector.
  • Ransomware encrypts many data/DB/file types (appending “.poop” or variant suffixes), disables Task Manager, deletes shadow copies/backups, and self-deletes after execution.
  • Persistence techniques include creating autorun/RunOnce registry entries and dropping copies under %localappdata% or hidden temp folders.

MITRE Techniques

  • [T1547.001] Boot or Logon Autostart Execution – Creates autorun/RunOnce registry entries to maintain persistence (‘create an autorun registry entry’).
  • [T1490] Inhibit System Recovery – Deletes shadow copies and backups using vssadmin/wmic/bcdedit/wbadmin commands (‘/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet’).
  • [T1486] Data Encrypted for Impact – Encrypts files (AES/RSA hybrid) and appends custom extensions (e.g., ‘.poop’) to render data inaccessible (‘checks for the extension “.r3d” before encrypting and appending the “.poop” extension’).
  • [T1102] Web Service – Uses a Telegram bot/binary as a communication channel between victim and operator (‘a Telegram bot responsible for establishing communication with the threat actor’s chatbot ID’).
  • [T1113] Screen Capture – Captures screenshots as part of data collection by the stealer component (‘Screenshot of the screen after running the file’).
  • [T1005] Data from Local System – Collects local artifacts such as browsing history, product keys, running processes, and directory listings via WorldWind stealer (‘Browsing history of all available browsers’, ‘Product key’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disables Task Manager to hinder user remediation (‘disables the Task Manager’).
  • [T1497.001] Virtualization/Sandbox Evasion – Detects virtual environments by checking for strings like VBOX, Virtual, or VMware and related processes (‘checks for strings like VBOX, Virtual, or VMware in the disk enumeration registry’).
  • [T1070.004] Indicator Removal on Host: File Deletion – Uses a SelfDelete routine that runs a batch file to remove the malware and its artifacts (‘delete the malware executable and the batch file itself’).
  • [T1140] Deobfuscate/Decode Files or Information – Decrypts embedded resource binaries using AES-ECB with a key derived from the MD5 of a hard-coded mutex to extract payloads (‘AES decryption with the electronic codebook (ECB) mode’ and ‘decryption key used is derived from the MD5 hash of the mutex’).
  • [T1036] Masquerading – Presents a fake Windows Update UI to disguise malicious activity and deceive users (‘displays a fake Windows update to deceive the victim into thinking that the malicious activity is a legitimate process’).

Indicators of Compromise

  • [SHA256 hashes] sample identifiers – 6d27c1b457a34ce9edfb4060d9e04eb44d021a7b03223ee72ca569c8c4215438, 2a36d1be9330a77f0bc0f7fdc0e903ddd99fcee0b9c93cb69d2f0773f0afd254 (and 1 more hash)
  • [Mutex/MTX values] decryption keys / runtime markers – 8bikfjjD4JpkkAqrz (used to derive MD5 key), 2AESRvXK5jbtN9Rvh (used to decrypt 1.exe)
  • [File names] dropped/included binaries – 1.exe, teleratserver.exe, BXIuSsB.exe (and other names like archive.exe, Xarch.exe, discord.exe)
  • [File paths / registry] persistence and markers – %appdata%\ID (victim ID file), HKCU\Software\Microsoft\Windows\CurrentVersion\Run (persistence entry), %localappdata%\discord.exe (dropped copy)
  • [Extensions / ransom suffixes] encrypted file indicators – ‘.poop’, ‘.poop69news@[REDACTED]’ (used as appended suffixes on encrypted files)
  • [URLs / accounts] operator contact channels – hxxps[:]//t[.]me/[REDACTED]_69 (Telegram redirect), hxxps[:]//github[.]com/[REDACTED]_69 (GitHub link opened by sample)
  • [Command lines] destructive or execution commands – ‘vssadmin delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures’ (used to remove backups/recovery)

Big Head’s technical procedure begins with distribution via malvertising (fake Windows updates/Word installers). The main .NET parent sample contains encrypted resources (1.exe, archive.exe, Xarch.exe) that the loader decrypts using AES-ECB; the AES key is derived from the MD5 hash of a hard-coded mutex (e.g., “8bikfjjD4JpkkAqrz”), so extracting the mutex and computing its MD5 is required to recover embedded payloads. After decrypting, the parent drops and executes binaries: a propagator/loader (1.exe) that creates autorun entries and copies itself to %localappdata% (discord.exe), a Python-compiled Telegram agent (teleratserver.exe) for operator interaction, and an encryptor (BXIuSsB.exe) that displays a fake Windows Update UI to mask encryption progress.

Encryption and post-infection actions use both symmetric and asymmetric cryptography: payloads generate random symmetric keys (e.g., 32-character keys) used to encrypt files with AES and then encrypt those keys with RSA-2048 (public key embedded) for storage in ransom notes. Some samples specifically target files with custom criteria (e.g., files ending in ‘.r3d’ get AES-encrypted and renamed with ‘.poop’), while broader variants enumerate and encrypt a long list of data and database extensions. The ransomware also performs defensive and evasive operations: it detects virtualized/sandbox environments (searching for VBOX/VMware indicators), disables Task Manager, terminates database and office-related processes, deletes shadow copies/backups with vssadmin/wmic/bcdedit/wbadmin commands to prevent recovery, and finally may self-delete via a batch script.

Variants extend capabilities by bundling additional components: one sample drops WorldWind stealer (Server.exe) to harvest browsing history, product keys, running processes, and screenshots; another uses Neshta as a file infector to insert code into executables and drop directx.sys with infection metadata. Persistence is achieved through Run/RunOnce registry keys and hidden drop folders (e.g., %temp%\Adobe). Command-and-control and operator contact rely on Telegram channels and published URLs; investigators should collect mutex strings, embedded MTX-derived keys, hashes of decrypted payloads, and the listed IOCs to detect and remediate infections. Read more: https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html
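As an added example (not code from the Trend Micro report or from the malware samples it describes), the following Python turns three of the behaviours listed above into detection rules and runs them over a handful of constructed endpoint events: the recovery-inhibition command chain (vssadmin/wmic/bcdedit/wbadmin, T1490), a Run/RunOnce value pointing at a user-writable drop location such as %localappdata%\discord.exe (T1547.001), and the ".poop" / ".poop69news@" ransom suffixes (T1486), plus the dropped file names from the IOC list. The Sysmon-like event layout, the field names and every sample event are assumptions made for illustration.

```python
"""Triage constructed endpoint telemetry for Big Head ransomware behaviours.

Rules are written from the indicators in the report summary: recovery-inhibition
commands (T1490), Run/RunOnce persistence to a drop location (T1547.001), the
ransom file suffixes (T1486) and the dropped binary names. Event shape is assumed.
"""
import re

# (label, tokens that must all appear in ONE command segment). Tokens are compared
# lower-cased with a trailing ".exe" stripped, so "bcdedit.exe" matches "bcdedit".
RECOVERY_INHIBITION_PATTERNS = (
    ("vssadmin delete shadows", ("vssadmin", "delete", "shadows")),
    ("wmic shadowcopy delete", ("wmic", "shadowcopy", "delete")),
    ("bcdedit recoveryenabled no", ("bcdedit", "recoveryenabled", "no")),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     ("bcdedit", "bootstatuspolicy", "ignoreallfailures")),
    ("wbadmin delete catalog", ("wbadmin", "delete", "catalog")),
)

# Dropped binary names from the IOC list. "1.exe" and "discord.exe" are too generic
# to flag on their own; discord.exe is only flagged at the exact path the report names.
STRONG_FILE_NAMES = {"teleratserver.exe", "bxiussb.exe"}


def _segments(cmdline):
    """Split a command line into the individual commands joined by &, &&, | or ||."""
    return [s for s in re.split(r"\s*(?:&&|\|\||&|\|)\s*", cmdline) if s]


def _tokens(segment):
    """Normalise one command segment into comparable lower-case tokens."""
    toks = []
    for t in segment.lower().split():
        t = t.strip("\"'")
        if t.endswith(".exe"):
            t = t[:-4]
        toks.append(t)
    return toks


def recovery_inhibition(cmdline):
    """Return the labels of T1490 command patterns present in a command line.

    Matching per segment keeps "vssadmin list shadows & wmic ..." from firing.
    """
    hits = []
    for seg in _segments(cmdline):
        toks = _tokens(seg)
        for label, required in RECOVERY_INHIBITION_PATTERNS:
            if all(r in toks for r in required) and label not in hits:
                hits.append(label)
    return hits


def run_key_persistence(target_object, details):
    """Flag a Run/RunOnce value whose data points into a user-writable drop location."""
    key = target_object.lower().replace("/", "\\")
    if not re.search(r"\\currentversion\\run(once)?\\", key):
        return None
    data = details.lower()
    # %localappdata% and %temp% are the drop locations the report names; the expanded
    # AppData\Local form covers what an EDR logs. Treat a hit as a hunting lead: a
    # legitimate per-user installer can live there too.
    for marker in ("%localappdata%", "%temp%", "\\appdata\\local\\"):
        if marker in data:
            return "Run/RunOnce value pointing into a drop location: " + details
    return None


def ransom_extension(filename):
    """Return the Big Head ransom suffix present in a file name, or None."""
    name = filename.lower()
    if ".poop69news@" in name:
        return ".poop69news@"
    if name.endswith(".poop"):
        return ".poop"
    return None


def triage(events):
    """Apply every rule to a list of event dicts; return (event_id, rule, detail) tuples."""
    findings = []
    for ev in events:
        eid, kind = ev["id"], ev["kind"]
        if kind == "process":
            for label in recovery_inhibition(ev["cmdline"]):
                findings.append((eid, "T1490", label))
            image = ev["image"].lower()
            base = image.rsplit("\\", 1)[-1]
            if base in STRONG_FILE_NAMES:
                findings.append((eid, "ioc-filename", base))
            elif image.endswith("\\appdata\\local\\discord.exe"):
                findings.append((eid, "ioc-filename", "%localappdata%\\discord.exe"))
        elif kind == "registry":
            detail = run_key_persistence(ev["target"], ev["details"])
            if detail:
                findings.append((eid, "T1547.001", detail))
        elif kind == "file":
            suffix = ransom_extension(ev["target"])
            if suffix:
                findings.append((eid, "T1486", suffix))
    return findings


# Constructed sample events (not real telemetry); event 1 mirrors the command chain
# quoted in the report, events 2, 4 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete "
                r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                r"& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"id": 2, "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c vssadmin list shadows"},
    {"id": 3, "kind": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\discord",
     "details": r"%localappdata%\discord.exe"},
    {"id": 4, "kind": "registry",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"id": 5, "kind": "file", "target": r"C:\Users\alice\Documents\report.docx.poop"},
    {"id": 6, "kind": "file", "target": r"C:\Users\alice\Documents\report.docx"},
    {"id": 7, "kind": "process", "image": r"C:\Users\alice\AppData\Local\Temp\teleratserver.exe",
     "cmdline": "teleratserver.exe"},
]

if __name__ == "__main__":
    for eid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}: {detail}")
```

Run against the constructed events, the script reports all five recovery-inhibition patterns from event 1, the Run-key value from event 3, the ".poop" rename from event 5 and the teleratserver.exe image from event 7, while the benign vssadmin query, the system Run value and the untouched document produce nothing. The Run-key rule is deliberately broad (any value pointing into %localappdata%, %temp% or AppData\Local), so treat its hits as leads to review alongside the other rules rather than as convictions on their own.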