
    Big Head Ransomware Fake Windows Update Alert: What Can We Do?

    By BUFFERZONE Team, 11/07/2023

    Target: IT Professionals

    Tags: Malware, Ransomware, Zero-Trust

    Ransomware remains a significant cybersecurity concern, posing threats to personal and enterprise data. The Big Head Ransomware is a new entrant into the cyber-crime scene, which surfaced in May 2023. With its unique propagation methods and encryption techniques, Big Head Ransomware is causing ripples in the cybersecurity industry. This blog post aims to illuminate this malware’s operations, variants, and potential consequences and present a simple, cost-effective way to protect your organization.

    Three distinct variants of the Big Head Ransomware have been identified, each featuring the same contact email within their ransom instructions, which strongly suggests a common origin tied to a single malware developer [1]. The strain, which is currently under scrutiny, is propagated through deceptive online advertising (malvertising), often disguised as bogus Windows updates and fraudulent Word installers [1]. By exploiting the trust of unsuspecting users, the perpetrator lures victims into downloading and launching the malicious software.

    Big Head operates as a .NET binary ransomware. Upon activation, it triggers a sequence of actions, including establishing a registry autorun key, overwriting existing files if necessary, setting system file attributes, and deactivating the Task Manager [1]. For each victim, it generates a unique ID, eradicates shadow copies to impede straightforward system recovery, and encrypts target files, appending a “.poop” extension to the filenames. Unique to Big Head, it deploys three AES-encrypted files, each having a specific function:

    • Propagation: An executable that drops a copy of itself for further spread.
    • Communication: An executable that creates a Telegram bot to communicate with the threat actor’s chatbot ID.
    • Deception and Encryption: Another executable that masks itself as a Windows update while it encrypts the user’s files and encodes file names to Base64 [1].
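    The behaviour chain listed above (autorun registry key, Task Manager disabled, shadow copies deleted, files renamed to “.poop” with Base64-encoded names) maps directly onto host telemetry a defender can alert on. The following Python script is an added illustration for this post; it is not BUFFERZONE code and is not derived from the malware samples analysed in [1] or [2]. The telemetry lines, host names and key=value layout are constructed, and the registry paths and vssadmin command line are the generic Windows mechanisms assumed to sit behind those actions, not indicators taken from the cited reports.

```python
"""Host-level detector for the Big Head-style behaviour chain.

Added example; not BUFFERZONE code and not derived from the malware itself.
Telemetry, host names and field layout are constructed.  The registry paths
and command line are generic Windows mechanisms assumed for the example
(Run key persistence, DisableTaskMgr policy, vssadmin shadow deletion).
"""
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample telemetry (Sysmon-like, one key=value record per line).
SAMPLE_LOG = """\
host=WS01 type=registry op=set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater value=C:\\Users\\bob\\AppData\\Roaming\\winupdate.exe
host=WS01 type=registry op=set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr value=1
host=WS01 type=process image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
host=WS01 type=file op=rename src=C:\\Users\\bob\\Documents\\budget.xlsx dst=C:\\Users\\bob\\Documents\\YnVkZ2V0Lnhsc3g=.poop
host=WS01 type=file op=rename src=C:\\Users\\bob\\Documents\\notes.docx dst=C:\\Users\\bob\\Documents\\bm90ZXMuZG9jeA==.poop
host=WS02 type=process image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe todo.txt"
host=WS02 type=file op=rename src=C:\\Users\\amy\\draft.txt dst=C:\\Users\\amy\\draft_v2.txt
"""

# key=value pairs; values may be quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TASKMGR_RE = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.IGNORECASE)
SHADOW_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RANSOM_EXT = ".poop"  # extension appended by Big Head, per [1]


def parse_record(line):
    """Turn one telemetry line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def looks_base64(name):
    """True if `name` is a complete, padded standard-Base64 string."""
    if not name or len(name) % 4:
        return False
    try:
        base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def analyze(log_text, rename_threshold=2):
    """Return {host: sorted list of matched indicators}."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_host[rec.get("host", "?")].append(rec)

    findings = {}
    for host, records in by_host.items():
        hits, renamed = set(), 0
        for rec in records:
            kind = rec.get("type")
            if kind == "registry" and rec.get("op") == "set":
                key = rec.get("key", "")
                if RUN_KEY_RE.search(key):
                    hits.add("autorun_key")
                if TASKMGR_RE.search(key) and rec.get("value") == "1":
                    hits.add("taskmgr_disabled")
            elif kind == "process" and SHADOW_RE.search(rec.get("cmdline", "")):
                hits.add("shadow_copies_deleted")
            elif kind == "file" and rec.get("op") == "rename":
                dst = rec.get("dst", "")
                if dst.lower().endswith(RANSOM_EXT):
                    renamed += 1
                    stem = re.split(r"[\\/]", dst)[-1][: -len(RANSOM_EXT)]
                    if looks_base64(stem):
                        hits.add("base64_filenames")
        if renamed >= rename_threshold:
            hits.add("mass_rename_poop")
        findings[host] = sorted(hits)
    return findings


def verdict(indicators):
    """Escalate only when encryption activity coincides with a setup step."""
    found = set(indicators)
    setup = {"autorun_key", "taskmgr_disabled", "shadow_copies_deleted"}
    if "mass_rename_poop" in found and found & setup:
        return "likely ransomware"
    return "suspicious" if found else "clean"


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOG).items():
        print(f"{host}: {verdict(hits)} {hits}")
```

    The rename threshold is deliberately low for the sample; in production the count would be taken per short time window and per process, and a verdict of “likely ransomware” would trigger isolation of the host rather than just an alert. The Base64 check is only a supporting signal, since short legitimate names can also decode cleanly.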

    Moreover, Big Head Ransomware uses a clever evasion technique: it displays a screen mimicking a legitimate Windows update during the encryption process.

    Big Head has three known variants, each exhibiting different behaviors and routines.

    • The first variant employs a .NET compiled binary file, which has a list of configurations related to the installation process, such as creating a registry key, checking the existence of a file, and overwriting it if necessary, setting system file attributes, and creating an autorun registry entry [1].
    • The second variant maintains ransomware capabilities and incorporates stealer behavior with functions to collect and exfiltrate sensitive data from the victim system. The stolen data can include browsing history, a list of directories, installed drivers, running processes, product keys, and active networks, and it can also capture screenshots [2].
    • The third variant identified by Trend Micro introduces a file infector named “Neshta,” which inserts malicious code into executables on the breached system. It is speculated that this could be an attempt to evade detection that relies on signature-based mechanisms [2].

    While Big Head Ransomware’s encryption methods are standard and its evasion techniques are easy to detect, its potential for damage should not be underestimated. Its deceptive methods, such as displaying a fake Windows update screen and spreading through malvertising, can trick less security-savvy users. As Big Head continues to evolve, its creators are actively experimenting with different approaches to optimize their attacks. Big Head joins a growing list of recent ransomware families, such as Cl0p [3], LockBit [4], and BlackBasta [5], that have gained prominence in the past few months.

    What can we do?

    Stay vigilant and adhere to basic cybersecurity practices, such as avoiding suspicious links and downloads, updating your software regularly, and maintaining reliable backups to combat such threats.

    Because detection alone is insufficient and the human factor can bypass existing protection paradigms, a simpler and more effective solution is needed. This is why we created BUFFERZONE® Safe Workspace™.

    BUFFERZONE Safe Workspace™ is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), and Safe Removable (USB attack prevention), all combined with clipboard security. Safe Workspace™ virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first zone is the trusted zone, which is connected to all the organization’s networks and the operating system’s files. The second zone is called the untrusted zone, which acts as a buffer zone where different applications can securely run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats. BUFFERZONE® is the only virtual containment solution that works based on six patented technologies.

    With an advanced isolation solution in place, the organization’s content stays secure. Downloaded attachments are isolated, while antivirus and EDR (Endpoint Detection and Response) solutions can still scan the untrusted virtual zone. The virtual environment can be cleaned in one click, eliminating any malicious traces. Ransomware will not be able to run and attack the endpoint.

    Try it now!


    References:

    [1] Bill Toulas, New ‘Big Head’ ransomware displays fake Windows update alert, https://www.bleepingcomputer.com/news/security/new-big-head-ransomware-displays-fake-windows-update-alert/

    [2] Ieriz Nicolle Gonzalez, Katherine Casona, Sarah Pearl Camiling, Tailing Big Head Ransomware’s Variants, Tactics, and Impact, https://www.trendmicro.com/en_au/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html

    [3] CISA, CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

    [4] CISA, LockBit 3.0, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

    [5] Sergiu Gatlan, US govt contractor ABB confirms ransomware attack, data theft, https://www.bleepingcomputer.com/news/security/us-govt-contractor-abb-confirms-ransomware-attack-data-theft/