Big Head Ransomware is a nascent ransomware family first seen in May 2023, consisting of multiple variants and an elusive actor behind it. It uses deceptive methods such as fake Windows updates and malvertising, communicates with victims via Gmail and Telegram, and relies on tools like Mimikatz, PsExec, Cobalt Strike, and Empire PowerShell, posing a global risk to consumers. hashtags: #BigHeadRansomware #Ryzerlo #RansomMSILRyzerloA #Telegram
Keypoints
- Big Head Ransomware emerged in May 2023 as a family with multiple variants; the actor behind it remains elusive, with possible Bahasa-speaking/Indonesian ties.
- It employs deceptive methods, including fake Windows updates and counterfeit Microsoft Word installers, to coax victims into execution.
- Initial access is attributed to malvertising, phishing emails, malicious attachments, and compromised websites.
- Tools observed with its operation include Mimikatz, PsExec, Cobalt Strike, and Empire PowerShell.
- The ransomware encrypts files and demands a ransom, affecting diverse organizations and often targeting consumers with relatively low fees (~1 Bitcoin).
- There are two variants: the first encodes filenames in Base64, generates a victim ID, and changes the background; the second may not encrypt in some cases and drops a ransom note without a victim ID.
- It has a global reach with samples submitted from the United States, Spain, France, and Turkey, and operators have been linked to another ransomware variant; paying ransom is cautioned against by authorities.
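The first variant's habit of rewriting file names as Base64 (see the keypoints above) gives defenders a cheap file-system heuristic: a directory in which many entries decode to ordinary-looking file names is a strong sign of that variant at work. The Python below is an added example, not code from the page or from SOCRadar; the directory listing is constructed and the alert threshold in `renamed_ratio` is an assumption.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Constructed sample directory listing (not from the page). Two entries are
# Base64 encodings of ordinary file names, mimicking variant 1's renaming.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\cXVhcnRlcmx5LXJlcG9ydC5kb2N4",  # quarterly-report.docx
    r"C:\Users\alice\Pictures\aG9saWRheS5qcGc=",               # holiday.jpg
    r"C:\Users\alice\Desktop\README.txt",
    r"C:\Users\alice\Desktop\AAAA",  # too short to judge; deliberately ignored
]

# Base64 alphabet only, at least 12 characters so short ordinary names do not match.
B64_NAME_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def decodes_to_filename(name):
    """Return the decoded original name if `name` is valid Base64 whose
    plaintext looks like a file name (printable, carries an extension); else None."""
    if len(name) % 4 != 0 or not B64_NAME_RE.match(name):
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text.isprintable() or "." not in text.strip("."):
        return None
    return text


def find_renamed_files(paths):
    """Return (path, decoded_name) for every entry whose name decodes to a file name."""
    hits = []
    for path in paths:
        decoded = decodes_to_filename(PureWindowsPath(path).name)
        if decoded is not None:
            hits.append((path, decoded))
    return hits


def renamed_ratio(paths):
    """Fraction of entries that look renamed. A sudden jump in one user's
    directories is the signal worth alerting on (the threshold is an assumption)."""
    if not paths:
        return 0.0
    return len(find_renamed_files(paths)) / len(paths)


if __name__ == "__main__":
    for path, original in find_renamed_files(SAMPLE_LISTING):
        print(f"{path} -> {original}")
    print(f"renamed ratio: {renamed_ratio(SAMPLE_LISTING):.2f}")
```

The decoded names are useful beyond detection: they let an incident responder build an inventory of what was touched without waiting for a decryptor, which matters when the second variant may leave some files untouched.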
MITRE Techniques
- [T1583.008] Acquire Infrastructure: Malvertising – Used to gain initial access via malvertising campaigns.
- [T1566] Phishing – Initial Access via phishing emails as described.
- [T1204] User Execution – Victims are tricked into executing the payload by deceptive updates.
- [T1547.001] Registry Run Keys / Startup Folder – Persistence mechanism referenced in the mapped techniques.
- [T1547.001] Registry Run Keys / Startup Folder – Privilege Escalation via startup keys.
- [T1027] Obfuscated Files or Information – Defense Evasion through obfuscation.
- [T1027.002] Software Packing – Defense Evasion via packing.
- [T1036] Masquerading – Defense Evasion via masquerading.
- [T1070.004] File Deletion – Impact through file deletion.
- [T1140] Deobfuscate/Decode Files or Information – Defense Evasion; decoding/decryption of payloads.
- [T1497] Virtualization/Sandbox Evasion – Evasion to avoid analysis.
- [T1562.001] Disable or Modify Tools – Defense Evasion by disabling or removing tools.
- [T1564.003] Hidden Window – User-interface evasion.
- [T1012] Query Registry – Discovery via registry interrogation.
- [T1018] Remote System Discovery – Discovery of remote hosts.
- [T1033] System Owner/User Discovery – Discovery of user/owner information.
- [T1082] System Information Discovery – Discovery of system information.
- [T1083] File and Directory Discovery – Discovery of files and directories.
- [T1087] Account Discovery – Discovery of accounts.
- [T1490] Inhibit System Recovery – Impact by impairing recovery.
- [T1486] Data Encrypted for Impact – Impact by encryption of data.
Indicators of Compromise
- [SHA256] Big Head ransomware samples – ff900b9224fde97889d37b81855a976cddf64be50af280e04ce53c587d978840, f6a2ec226c84762458d53f5536f0a19e34b2a9b03d574ae78e89098af20bcaa3 and other hashes
- [Email] Contact address – poop69news@gmail[.]com
- [URL] Telegram contact – https[:]//t[.]me/dme69, https[:]//t[.]me/temon_69
- [URL] GitHub reference – https[:]//github[.]com/temon_69
- [Domain] icanhazip – domain of the public IP-lookup service icanhazip, used in communications
- [IP] 104.86.182[.]43:443, 118.215.185[.]110:443, and other IPs
- [IP] 13.107.21[.]200:80
- [IP] 192.168.0[.]1:137 – private (RFC 1918) address on the NetBIOS name-service port, so not attributable to attacker infrastructure on its own
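The indicators above are published defanged, and one of them (192.168.0[.]1) is a private address that will match harmless traffic in any network. As an added example, not code from the page or from SOCRadar, the Python below refangs the listed indicators, matches constructed key=value telemetry lines against them, and rates any hit on a private, loopback or link-local address as low confidence. The log line format and the field names (`dst`, `url`, `sha256`) are assumptions.

```python
import ipaddress
import re

# Indicators exactly as listed on this page, kept defanged as the source of truth.
DEFANGED_IOCS = {
    "sha256": [
        "ff900b9224fde97889d37b81855a976cddf64be50af280e04ce53c587d978840",
        "f6a2ec226c84762458d53f5536f0a19e34b2a9b03d574ae78e89098af20bcaa3",
    ],
    "email": ["poop69news@gmail[.]com"],
    "url": [
        "https[:]//t[.]me/dme69",
        "https[:]//t[.]me/temon_69",
        "https[:]//github[.]com/temon_69",
    ],
    "ip": [
        "104.86.182[.]43:443",
        "118.215.185[.]110:443",
        "13.107.21[.]200:80",
        "192.168.0[.]1:137",
    ],
}


def refang(value):
    """Undo common defanging so indicators can be compared with live telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def ip_confidence(ip_str):
    """Private, loopback and link-local addresses cannot identify attacker
    infrastructure, so a match on them is only ever low confidence."""
    addr = ipaddress.ip_address(ip_str)
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "low"
    return "high"


def build_watchlist(iocs):
    """Normalise the defanged list into lower-cased lookup sets; IPs keep
    their port and a confidence rating."""
    watch = {"sha256": set(), "email": set(), "url": set(), "ip": {}}
    for h in iocs["sha256"]:
        watch["sha256"].add(h.lower())
    for e in iocs["email"]:
        watch["email"].add(refang(e).lower())
    for u in iocs["url"]:
        watch["url"].add(refang(u).lower())
    for ip_port in iocs["ip"]:
        ip, _, port = refang(ip_port).rpartition(":")
        watch["ip"][ip] = (port, ip_confidence(ip))
    return watch


# Constructed sample telemetry (not from the page), in an assumed key=value format.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z host=WS01 event=net dst=104.86.182.43:443",
    "2024-05-01T09:00:02Z host=WS01 event=net dst=192.168.0.1:137",
    "2024-05-01T09:00:03Z host=WS01 event=url url=https://t.me/temon_69",
    "2024-05-01T09:00:04Z host=WS01 event=file sha256=FF900B9224FDE97889D37B81855A976CDDF64BE50AF280E04CE53C587D978840",
    "2024-05-01T09:00:05Z host=WS02 event=net dst=93.184.216.34:443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def scan_log(lines, watch):
    """Return (line_no, ioc_type, value, confidence) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        if "dst" in fields:
            ip, _, _port = fields["dst"].rpartition(":")
            if ip in watch["ip"]:
                hits.append((n, "ip", ip, watch["ip"][ip][1]))
        if "url" in fields and fields["url"].lower() in watch["url"]:
            hits.append((n, "url", fields["url"], "high"))
        if "sha256" in fields and fields["sha256"].lower() in watch["sha256"]:
            hits.append((n, "sha256", fields["sha256"].lower(), "high"))
        for email in watch["email"]:
            if email in line.lower():
                hits.append((n, "email", email, "high"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS)):
        print(hit)
```

Hash comparison is case-insensitive because EDR products disagree on hex casing; the private-address rating is what keeps the 192.168.0[.]1 entry from paging an analyst every time a workstation does a NetBIOS lookup.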
Read more: https://socradar.io/dark-web-profile-big-head-ransomware/