Ransomware Roundup – Big Head | FortiGuard Labs

FortiGuard Labs reports on two Big Head ransomware variants targeting Windows consumers, focusing on file encryption and ransom extortion. The campaign relies on deception (a fake Windows Update screen and counterfeit software), one variant uses a PowerShell script for encryption, and both drop ransom notes and change the desktop wallpaper. The report also notes the attacker's contact channels and activity from related ransomware variants.

Key points

  • FortiGuard Labs identified two Big Head ransomware variants (A and B) aimed at encrypting files on consumer Windows systems.
  • Infection vectors include a fake Windows Update screen and counterfeit software distribution, indicating masquerading as legitimate updates or apps.
  • Variant B uses a PowerShell script named “cry.ps1” for file encryption, though encryption may not occur in every case.
  • Ransom notes appear as “README_[random seven digits]” and wallpaper changes; notes direct victims to contact the attacker via email or Telegram, with a Bitcoin option in some notes.
  • Victimology shows most samples from the United States, with related activity from Spain, France, and Turkey.
  • Fortinet protections include AV signatures and FortiEDR; best practices emphasize up-to-date signatures and user phishing awareness training.
  • The attacker appears to have used related ransomware variants, sharing the same email address and contact methods, and attempting to monetize via Bitcoin.

MITRE Techniques

  • [T1036] Masquerading – Displays a fake Windows Update to masquerade as legitimate software and trick users. "One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update."
  • [T1486] Data Encrypted for Impact – Encrypts files on compromised machines with file names randomly altered. "encrypts files on compromised machines with file names randomly altered."
  • [T1059.001] PowerShell – Variant B uses a PowerShell file named "cry.ps1" for file encryption. "uses a PowerShell file named 'cry.ps1' for file encryption."

Indicators of Compromise

  • [File hash] context – Big Head ransomware IOCs: 2a36d1be9330a77f0bc0f7fdc0e903ddd99fcee0b9c93cb69d2f0773f0afd254, 39caec2f2e9fda6e6a7ce8f22e29e1c77c8f1b4bde80c91f6f78cc819f031756, and 9 more hashes
  • [Email address] context – poop69new@[redacted]
  • [File name] context – README_[random seven digits]
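As an added defender-side example (not code from the FortiGuard report), the sweep below walks a directory tree and flags files whose name matches the README_ plus seven-digit ransom-note pattern above, or whose SHA-256 matches the two sample hashes printed on this page. That the note may carry an arbitrary extension, and the sample files built in `demo()`, are assumptions.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Big Head sample SHA-256s from the FortiGuard Labs report (the two printed on the page).
BIG_HEAD_SHA256 = {
    "2a36d1be9330a77f0bc0f7fdc0e903ddd99fcee0b9c93cb69d2f0773f0afd254",
    "39caec2f2e9fda6e6a7ce8f22e29e1c77c8f1b4bde80c91f6f78cc819f031756",
}
# Ransom-note name from the report: "README_" plus seven digits; the extension is an assumption.
RANSOM_NOTE_RE = re.compile(r"^README_\d{7}(\.[A-Za-z0-9]+)?$")

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root: str, known_hashes=BIG_HEAD_SHA256) -> list[tuple[str, str]]:
    """Walk root; return (reason, path) for ransom-note names and known sample hashes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if RANSOM_NOTE_RE.match(name):
                findings.append(("ransom_note_name", str(path)))
            try:
                if sha256_of(path) in known_hashes:
                    findings.append(("known_sample_hash", str(path)))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(findings)

def demo() -> list[str]:
    """Constructed sample tree (one note, one near miss, one hash hit); returns 'reason:name'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "README_4827193.txt").write_text("constructed ransom note")
        (root / "README_42.txt").write_text("near miss: only two digits")
        (root / "sample.bin").write_bytes(b"constructed, not a real sample")
        extra = {sha256_of(root / "sample.bin")}  # stand-in for a matching IoC hash
        return [f"{r}:{Path(p).name}" for r, p in sweep(tmp, BIG_HEAD_SHA256 | extra)]
```

On a suspect host, call `sweep()` on user profile and share paths and triage every `ransom_note_name` hit alongside any `known_sample_hash` hit; the full hash list from the report should replace the two-entry set before production use.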

Read more: https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head