Big Head Ransomware Infects Victims via Bogus Windows Updates

Date: July 11, 2023


A recently documented ransomware family with multiple variants, dubbed “Big Head”, has been infecting victims through a malvertising campaign that lures them with a fake Microsoft Windows update.

Analysis revealed that the campaign deploys at least three distinct encrypted binaries, which propagate the malicious code on the network, handle command-and-control (C2) communications over the Telegram platform, and encrypt the victim’s files.

Big Head also uses evasion and deception techniques, disguising the infection as something other than ransomware in order to delay or misdirect response actions.

“Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and performs checks to determine if it's running within a virtualized environment before proceeding to encrypt the files,” The Hacker News reports.

“In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process and aborts itself if the machine's language matches that of Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek. It also incorporates a self-delete function to erase its presence.”
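As an added example (not code from the original article, from Trend Micro or from The Hacker News), the following Python detection pass looks for the host-side behaviours the quote describes, disabling Task Manager, deleting backups and self-deletion, in a handful of constructed Sysmon-style events, and groups the hits by the binary responsible so that several of these behaviours coming from one process stand out over any single one. The mechanisms it matches (the DisableTaskMgr policy value, shadow-copy deletion via vssadmin, wmic or wbadmin, and a cmd.exe ping-then-del loop) are assumptions about how such behaviour commonly appears in telemetry; the article does not state which mechanism Big Head uses. The sample events are constructed, not real telemetry.

```python
"""Added example: a detection pass over constructed Sysmon-style events for the
behaviours the quoted report attributes to Big Head (disabling Task Manager,
deleting backups, self-deletion). Not code from the article, Trend Micro or
The Hacker News. The concrete mechanisms matched (the DisableTaskMgr policy
value, vssadmin/wmic/wbadmin shadow-copy deletion, a cmd.exe ping-then-del
loop) are assumptions about how such behaviour commonly shows up in telemetry;
the article does not say which mechanism Big Head uses."""
import json
import re

# Constructed sample events in a Sysmon-like JSON shape (not real telemetry).
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13,
                "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                                r"\CurrentVersion\Policies\System\DisableTaskMgr",
                "Details": "DWORD (0x00000001)"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\vssadmin.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
                "CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
                "CommandLine": 'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q '
                               r'"C:\Users\victim\AppData\Local\Temp\update.exe"'}),
    # Benign noise that must not alert.
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "cmd.exe /c ping 8.8.8.8 -n 1"}),
    json.dumps({"EventID": 13,
                "Image": r"C:\Windows\regedit.exe",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                                r"\CurrentVersion\Policies\System\DisableTaskMgr",
                "Details": "DWORD (0x00000000)"}),
]


def rule_taskmgr_disabled(ev):
    """Registry write setting the DisableTaskMgr policy value to 1 (assumed mechanism)."""
    return (ev.get("EventID") == 13
            and ev.get("TargetObject", "").lower().endswith(r"\policies\system\disabletaskmgr")
            and "0x00000001" in ev.get("Details", ""))


# Common shadow-copy / backup-catalog deletion command lines (assumed mechanism).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE)


def rule_backup_deletion(ev):
    return ev.get("EventID") == 1 and bool(SHADOW_DELETE.search(ev.get("CommandLine", "")))


# cmd.exe that waits (ping/timeout) and then deletes a file; self-delete when the
# file named is the parent binary itself (assumed mechanism).
SELF_DELETE = re.compile(r"\b(ping|timeout)\b.*&\s*del\b", re.IGNORECASE)


def rule_self_delete(ev):
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\cmd.exe"):
        return False
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    return bool(parent) and bool(SELF_DELETE.search(cmd)) and parent.lower() in cmd.lower()


RULES = {
    "task_manager_disabled": rule_taskmgr_disabled,
    "shadow_copy_deletion": rule_backup_deletion,
    "self_delete_via_cmd": rule_self_delete,
}


def scan(lines):
    """Return (rule_name, source_binary) for every event that matches a rule.
    The source is the parent for child-process events, else the writing image."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("ParentImage") or ev.get("Image")))
    return hits


def score(lines):
    """Distinct behaviours per source binary. Three different ransomware-style
    behaviours from one binary are a far stronger signal than any one alone."""
    by_source = {}
    for name, src in scan(lines):
        by_source.setdefault(src, set()).add(name)
    return {src: sorted(names) for src, names in by_source.items()}


if __name__ == "__main__":
    for src, names in score(SAMPLE_EVENTS).items():
        print(f"{src}: {', '.join(names)}")
```

Run on the constructed events, `score` attributes all three behaviours to the dropped `update.exe` and nothing to the benign `explorer.exe` and `regedit.exe` activity. In a real pipeline the same rules would be fed from Sysmon or EDR process and registry telemetry, and a source binary that trips two or more of them within a short window is a reasonable trigger for automated isolation.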

Takeaway: Today’s ransomware attacks employ techniques far more advanced than those of campaigns from even a year or two ago.

Ransomware is big business, with revenues in the billions of dollars. Attackers reinvest a significant share of those ill-gotten gains in hiring talented developers who constantly find new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt more files faster.

Attackers are automating scans for vulnerable applications to exploit, as seen in the massive Cl0p campaigns that targeted vulnerabilities in the MOVEit Transfer and GoAnywhere MFT file-transfer products. They are also building bespoke tools for more efficient collection and exfiltration of victim data, and expanding their ransomware-as-a-service (RaaS) platforms to streamline negotiation and ransom payment.

We have also seen growing overlap between tactics and techniques that were previously the domain of state-sponsored APT groups and those of cybercriminal ransomware operators, including the use of zero-day exploits and methods such as DLL side-loading.

Ransomware is one of the most significant threats to business, government, education, healthcare, manufacturing and just about every other industry vertical today.  

The development of Linux versions by many of the most prevalent RaaS providers is particularly concerning, because Linux systems underpin many of the most important networks, including those that run critical infrastructure.

Organizations need to assume they will be the victim of a ransomware attack and focus on a ransomware resilience strategy with contingencies in place to recover as quickly as possible. A successful strategy includes endpoint protection, patch management, data backups, access controls, staff awareness training, and regular testing of organizational procedures and resilience.

Organizations should run regular tabletop exercises and ensure all stakeholders are ready and available to respond to an attack at any time. A determined attacker with enough time and resources will find a way around security controls, so planning to be resilient in the aftermath of a successful ransomware attack is the best advice.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.