New Big Head ransomware displays Windows Update screen

According to a report dated 10 July 2023, researchers have discovered a new family of ransomware that spreads by promoting fake Windows and Microsoft Word updates. The ransomware has been named "Big Head".

In June, an article was published on two samples of Big Head. At that time, experts analysed the malware's penetration vectors and tried to understand how exactly the ransomware was launched.

Essentially, Big Head is a .NET binary that installs three AES encrypted files on the targeted system. One of these is used to distribute the final malware, another is used to interact with the Telegram bot, and the third encrypts files and can also display fake Windows updates to the user.

As soon as it is launched, the ransomware creates an auto-run key in the registry, overwrites existing files, modifies system file attributes and disables Windows Task Manager.

Each victim is assigned a unique identifier, which is either taken from the %appdata%\ID directory or generated using a 40-character random string. Like all modern ransomware, "big head" deletes shadow copies before actually attacking the files. A ".poop" extension is added to each affected file.

When encryption is complete, a ransom note is dropped on the device. The screen background of the attacked system also changes, informing the user of the infection.

Read more about it: here