New ransomware fakes Windows Update to trick home users

vtqhtr413

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,492
Content source
https://www.ghacks.net/2023/07/09/big-head-ransomware-fakes-windows-update-to-trick-users/
Security researchers at FortiGuard Labs have discovered a new type of ransomware that is targeting home computer users. Dubbed Big Head, the ransomware fakes Windows Update to avoid detection. The researchers note that there are two main strains of the ransomware and multiple variants. The attack targets Windows users. Upon successful infection, the ransomware will encrypt files on systems that it compromised to demand ransom for file decryption. At least one variant of Big Head disguises itself as an update for Microsoft Windows. Once executed, it displays a "Configuring critical Windows Updates" screen to the user that fakes legitimacy.

Fortinet notes that this fake update screen lasts for about 30 seconds and counts to 100% in the process. It closes automatically after the ransomware has encrypted a sizeable number of files on the user system. The file names are modified randomly according to the researchers. A ransom note is opened, which begins with README_ followed by a random seven digits number. The creator of the ransomware asks the user to establish contact via email or Telegram to pay a ransom and regain access to the encrypted files using file decryption instructions.

Researchers at Trend Micro provide additional technical details on the Big Head ransomware family. The ransomware drops three executable files on the attacked machine, 1.exe, archive.exe and Xarch.exe, which serve different purposes. 1.exe, for example, creates an autorun Registry key so that it is executed on every startup of the system. It hides the console window furthermore and creates a copy of itself, which it saves as discord.exe to the <%localappdata%> folder.
Click to expand...
 
  • Like
  • Wow
  • +Reputation
Reactions: Fel Grossi, upnorth, Dave Russo and 10 others
Jonny Quest

Jonny Quest

Level 16
Verified
Top Poster
Well-known
Mar 2, 2023
794
I was wondering, if we update through Windows itself, from our Windows update, how could this happen? This was in the article:
It is unclear at this point how the ransomware is distributed. The researchers found one variant with a Word icon, which could indicate distribution as a fake application.
 
  • Like
Reactions: Dave Russo, Zero Knowledge, vtqhtr413 and 3 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
  • Like
  • +Reputation
  • Thanks
Reactions: Bellameee, Dave Russo, silversurfer and 10 others
cruelsister

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
BigHead is one of the most poorly coded ransomware files that can be found, with some variants even unable to encrypt anything (nice splash screen, though). I'm starting to thing that FortiGuard is more interested in Click-Bait press releases than actually providing analysis of more relevant (and nastier) stuff.
 
  • Like
  • Thanks
Reactions: kylprq, ErzCrz, simmerskool and 2 others
You must log in or register to reply here.

Similar threads

Shadowra
    • +Reputation
    • Like
Malware News StopCrypt: Most widely distributed ransomware evolves to evade detection
Replies
3
Views
997
Security News
Victor M
Victor M
Gandalf_The_Grey
    • +Reputation
    • Like
Meet NoEscape: Avaddon ransomware gang's likely successor
Replies
0
Views
855
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • +Reputation
    • Like
Free Key Group ransomware decryptor helps victims recover data
Replies
0
Views
980
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top