"Big Head" ransomware fakes Windows updates to deceive users: Trend Micro

Photo Credit: Pixabay

Security researchers have detected a ransomware strain, dubbed Big Head, that spreads through malvertising and promotes fake Windows updates and Microsoft Word installers.

While cybersecurity company Fortinet analyzed two samples of the malware in June, looking at the infection vector and how the malware executes, a blog post published on Saturday by cybersecurity firm Trend Micro claimed that both variants and a third one it sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.

According to Trend Micro researchers, ‘Big Head’ ransomware is a .NET binary that installs three Advanced Encryption Standard (AES)-encrypted files on the target system. AES Crypt is file encryption software available on several operating systems that uses the industry-standard AES cipher to easily and securely encrypt files.

The first one is used to propagate the malware, another is for Telegram bot communication, and the third encrypts files and can also show the user a fake Windows update.

“If the victim falls for the trap and that message is ignored, a screen will appear for 30 seconds of a fake update until it reaches 100%. But really what he is doing is encrypting the system files. Once it finishes, it closes and it is no longer possible to access the files, at least not the ones it has encrypted,” the researchers said.

During the encryption, the ransomware displays a screen that purports to be a legitimate Windows update. After the encryption process completes, the ransom note is dropped into multiple directories, and the victim’s wallpaper is also changed to alert them to the infection.
As in any ransomware attack, the attackers demand a ransom to decrypt the files. The victim would have to pay to regain the data the attackers have blocked and avoid losing their documents, the security firm said.
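The behaviour described in the paragraphs above (a burst of file encryption by one process, the same ransom note dropped into multiple directories, and a wallpaper change) maps directly onto a simple host-level detection heuristic. The following is an added example written for this article, not code from Trend Micro, Fortinet or the malware itself; the event format, process IDs, file names, thresholds and the wallpaper event type are all assumptions, and the sample events are constructed rather than captured telemetry.

```python
"""Heuristic detector for ransomware-style file-system behaviour.

Three indicators are scored per process:
  1. a burst of file writes inside a short time window (encryption pass)
  2. one file name created in many different directories (ransom note drop)
  3. a wallpaper-change event (victim notification)
A process that shows at least two of the three is flagged.
"""
from collections import defaultdict

# Event tuple layout (assumed, not a real telemetry schema):
# (timestamp_seconds, pid, action, path)
# action is one of "write", "create" or "wallpaper_change".


def build_sample_events():
    """Constructed sample events: one ransomware-like process, one benign one."""
    events = []
    # pid 4242: 25 rapid overwrites of user documents within 2.5 seconds
    for i in range(25):
        events.append((i * 0.1, 4242, "write",
                       f"C:\\Users\\alice\\Documents\\file{i:02d}.docx"))
    # pid 4242: the same note name dropped into three different directories
    for k, folder in enumerate(("Documents", "Pictures", "Desktop")):
        events.append((3.0 + k * 0.1, 4242, "create",
                       f"C:\\Users\\alice\\{folder}\\README_TO_RECOVER.txt"))
    # pid 4242: wallpaper replaced (constructed event type)
    events.append((3.5, 4242, "wallpaper_change",
                   "C:\\Users\\alice\\AppData\\Local\\Temp\\note.bmp"))
    # pid 900: benign background process, slow writes and one lock file
    for i in range(5):
        events.append((i * 15.0, 900, "write",
                       f"C:\\Users\\alice\\AppData\\Local\\Temp\\cache{i}.bin"))
    events.append((2.0, 900, "create",
                   "C:\\Users\\alice\\AppData\\Local\\Temp\\session.lock"))
    return events


def split_path(path):
    """Split a Windows path into (directory, file name)."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def analyse_process(events, pid, window=10.0, burst_threshold=20,
                    note_dir_threshold=3):
    """Return the indicator values and the list of triggered indicators for one pid."""
    # Indicator 1: largest number of writes inside any sliding window
    writes = sorted(t for t, p, a, _ in events if p == pid and a == "write")
    max_burst, j = 0, 0
    for i, t in enumerate(writes):
        while writes[j] < t - window:
            j += 1
        max_burst = max(max_burst, i - j + 1)

    # Indicator 2: the file name that was created in the most distinct directories
    dirs_by_name = defaultdict(set)
    for t, p, a, path in events:
        if p == pid and a == "create":
            directory, name = split_path(path)
            dirs_by_name[name].add(directory)
    note_name, note_dirs = max(dirs_by_name.items(),
                               key=lambda kv: len(kv[1]),
                               default=(None, set()))

    # Indicator 3: any wallpaper change attributed to this process
    wallpaper = any(p == pid and a == "wallpaper_change" for _, p, a, _ in events)

    indicators = []
    if max_burst >= burst_threshold:
        indicators.append(f"write burst: {max_burst} writes within {window}s")
    if len(note_dirs) >= note_dir_threshold:
        indicators.append(f"note drop: {note_name} in {len(note_dirs)} directories")
    if wallpaper:
        indicators.append("wallpaper change")
    return {"pid": pid, "max_burst": max_burst, "note_dirs": len(note_dirs),
            "wallpaper": wallpaper, "indicators": indicators}


def detect(events, min_indicators=2):
    """Map each flagged pid to its analysis; a pid is flagged on >= min_indicators."""
    flagged = {}
    for pid in sorted({p for _, p, _, _ in events}):
        result = analyse_process(events, pid)
        if len(result["indicators"]) >= min_indicators:
            flagged[pid] = result
    return flagged


if __name__ == "__main__":
    for pid, result in detect(build_sample_events()).items():
        print(pid, result["indicators"])
```

Requiring two of the three indicators keeps a single backup job (many writes, no note, no wallpaper change) from being flagged, while the sliding window means the encryption burst is caught even when the process idles between batches.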

To be sure, Big Head is just one of many ransomware strains that have hit cyberspace. Supply chain attacks, double extortion and ransomware-as-a-service (RaaS) are some of the ransomware trends that plagued all of 2022 and will continue to disrupt businesses in 2023 and beyond, said researchers. Since the beginning of the year, the most disruptive ransomware attacks have been at the hands of five groups – LockBit, BlackCat, Royal, Vice Society, and Medusa.

According to technology firm Verizon’s Data Breach Investigations Report 2023, released in June, the cost per ransomware incident doubled over the past two years.

“We have noticed the doubling of the cost of ransomware incidents in the last two years. The median loss more than doubled from last year to $26,000, with 95% of incidents costing between $1 and $2.25 million. We see this in India, where similar attacks have increased across all industries, with the human element being a major factor,” Anshuman Sharma, Associate Director CSIRT & Investigative Response, APJ, Verizon Business, told Tech Circle in a June 6 report.

Further, another research report by cyber information security firm CyberArk, published last month, said that at least 91% of Indian organisations were targeted by ransomware attacks in 2022, and that nearly 61% of security professionals anticipate their organisation will be impacted by AI-enabled threats in the coming months.
