Big Head Virus - A summary of the ransomware
The malware appears to be spreading through malvertising campaigns that promote fake Windows updates and Microsoft Word installers. Cybersecurity companies Fortinet and Trend Micro have examined samples of the ransomware and found that it consists of a .NET binary that installs encrypted files on the victim's system. The malware executes various actions, such as creating a registry autorun key, overwriting files, and disabling the Task Manager.

Big Head assigns a unique ID to each victim and proceeds to encrypt files while appending a ".poop" extension to their filenames. It also terminates specific processes to prevent interference with the encryption process. The ransomware skips certain directories to avoid rendering the system unusable, and it checks whether it is running on a virtual machine and what the system language is before proceeding with encryption. During the encryption process, the ransomware displays a fake Windows update screen to deceive the victim.

Trend Micro also identified two additional variants of Big Head. The second variant incorporates data-stealing capabilities, collecting sensitive information such as browsing history and installed drivers, and capturing screenshots. The third variant includes a file infector known as "Neshta," which inserts malicious code into executables on the compromised system, potentially to evade signature-based detection mechanisms.

While Big Head is not considered a sophisticated ransomware strain, it targets consumers who may be easily deceived by simple tricks like fake Windows updates. The multiple variants of Big Head suggest that the threat actors behind it are continuously developing and refining the malware, experimenting with different approaches to optimize their attacks.
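The behaviours listed above (the ".poop" extension on encrypted files, a registry autorun key, a disabled Task Manager) give a defender a few cheap host-triage checks. The script below is an added example, not code from the original article or from either vendor's analysis; it runs over constructed host data, and the use of the `DisableTaskMgr` policy value and the user-writable-path heuristic for autorun entries are assumptions, not indicators taken from the page.

```python
import ntpath
import re

# Extension Big Head appends to encrypted files (from the summary above).
BIGHEAD_EXTENSION = ".poop"
# Windows policy value that disables Task Manager. The summary only says Big Head
# "disables the Task Manager"; that it does so via this value is an assumption.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUE = "DisableTaskMgr"
# Per-user autorun key; a command launched from a user-writable folder is a heuristic, not an IOC.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)


def triage(file_paths, autorun_entries, policy_values):
    """Return (severity, description) findings from host data collected elsewhere
    (a directory walk, and `reg query` / winreg dumps of the two keys above)."""
    findings = []
    encrypted = [p for p in file_paths if p.lower().endswith(BIGHEAD_EXTENSION)]
    if encrypted:
        hit_dirs = {ntpath.dirname(p) for p in encrypted}  # ntpath: Windows paths on any host
        findings.append(("high", f"{len(encrypted)} file(s) carry {BIGHEAD_EXTENSION} "
                                 f"across {len(hit_dirs)} director(ies)"))
    if policy_values.get(POLICY_KEY, {}).get(POLICY_VALUE) == 1:
        findings.append(("medium", f"Task Manager disabled via {POLICY_KEY}\\{POLICY_VALUE}"))
    for name, command in autorun_entries.get(RUN_KEY, {}).items():
        if USER_WRITABLE.search(command):
            findings.append(("medium", f"Run entry '{name}' launches from a user-writable path: {command}"))
    return findings


# Constructed sample host data for demonstration only; not taken from a real infection.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.poop",
    r"C:\Users\alice\Pictures\holiday.jpg.poop",
    r"C:\Windows\System32\kernel32.dll",  # system directory the ransomware skips
]
SAMPLE_AUTORUN = {RUN_KEY: {
    "updater": r"C:\Users\alice\AppData\Local\Temp\update.exe",
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
}}
SAMPLE_POLICY = {POLICY_KEY: {POLICY_VALUE: 1}}

if __name__ == "__main__":
    for severity, text in triage(SAMPLE_FILES, SAMPLE_AUTORUN, SAMPLE_POLICY):
        print(f"[{severity}] {text}")
```

On a live Windows host the three inputs would come from a directory walk and from dumping the two registry keys; the checks are triage signals to be confirmed by a proper investigation, not proof of infection on their own.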
This image was taken from bleepingcomputer.com's article on Big Head, and the content was based on trendmicro.com's article on Big Head.