New ransomware disguises itself as Windows update

Researchers are on the trail of a new ransomware family called Big Head. The family is believed to be built and distributed by a single operator, who is making the attack more dangerous over time. Big Head targets Windows devices.

Cybersecurity researchers have found new ransomware hiding in a fake Windows update and in a fake Microsoft Word installer. The ransomware in question is Big Head. Fortinet appears to have spotted the family first and released a report on June 16.

Trend Micro supplemented the findings on July 7 with a new variant, bringing the number of known Big Head variants to three. According to the experts, the first version of Big Head dates back to May 2023. According to the report, the operator is still refining the ransomware, with each variant leaving room for further optimization.

Filters by location

From the user's perspective, there are no obvious signs of intrusion before the ransomware runs. Big Head encrypts files behind a legitimate-looking Windows Update loading screen. Once the "update" finishes, the files and their copies are encrypted and Task Manager can no longer be opened. Only then does the user get a clear signal of the breach: a new wallpaper titled "Big Head ransomware".

The attacker asks the victim to "donate" one bitcoin and provides a link to their wallet. The victim is also given an email address and a Telegram account to contact the attacker.

According to Trend Micro, the ransomware spares residents of former Soviet Union member states. To that end, it checks the system language and does not run on Windows machines whose language is set to one used in a former Soviet state.

Optimization makes Big Head stronger

One variant of the ransomware also steals data from the infected device: browser search history, folder listings, installed drivers, running processes, the Windows product key and active network connections. It can also take screenshots.

The most recent known variant does further damage by injecting malicious code into executable files on the device. Researchers at Trend Micro believe they have worked out the purpose of this behaviour: the injected code is meant to help the ransomware evade detection.

Unknown attacker

Who the operator is remains unknown for now. The language filter suggests the attacker may reside in a country that was once part of the Soviet Union. Trend Micro, however, points toward Malaysia. While investigating the Telegram account, its researchers stumbled upon a YouTube channel that uses the same image seen in the wallpaper on infected devices. The YouTube channel operates under the name "aplikasi premium cuma cuma", which appears to be Malay for "premium app for free".

Of course, the location filter could also stem from pro-Russian sympathies. Since the war between Russia and Ukraine began, organizations and governments that support Ukraine have faced increasing cyber threats. The European Investment Bank, for example, has already fallen victim to KillNet: a DDoS attack took the organization's websites offline. Another well-known collective helping Russia on the digital front is LockBit. Last week the group had a very productive week, snatching corporate information from TSMC and shutting down Japan's largest port.

Huge damage, if the attacker gets in

Big Head is in fact a threat to all Windows systems. To do damage, however, the malware first has to get onto the system. According to Fortinet, this happens via an e-mail that tells the user to run an important Windows update or that poses as the installer for Microsoft Word. In both cases the user has to run an executable file. In one variant, the malware can bypass detection tools on the system.

In its analysis, Trend Micro is not very impressed with the malware: "These malware developers left recognizable strings, used predictable encryption methods, or implemented weak or easily detectable evasion techniques, among other 'mistakes'." Still, it asks organizations to keep their eyes open. What the researchers mainly fear is the damage that new variants of Big Head could cause.