
Beware! Big Head ransomware that looks like Windows update can also delete backups

Last month, security researchers at FortiGuard Labs, the security research organization of Fortinet, published their findings on a ransomware variant that infects devices by disguising itself as a critical Windows update.

The image below shows the fake Windows Update screen that this ransomware, dubbed "Big Head", displays while it encrypts files in the background as the user waits for their PC to finish the supposed Windows update. The process takes around 30 seconds.

Fake critical Windows Update page by Big Head ransomware

The one mentioned above is the first variant of the ransomware, known as Variant A. There is also another variant called Variant B, which uses a PowerShell file named “cry.ps1” for file encryption on compromised systems.

Fortinet says its products detect and block the known Big Head variants. In its own words:

FortiGuard Labs detects known Big Head ransomware variants with the following AV signatures:

  • MSIL/Fantom.R!tr.ransom
  • MSIL/Agent.FOV!tr
  • MSIL/Kryptik.AGXL!tr
  • MSIL/ClipBanker.MZ!tr.ransom

Following that, Trend Micro published its own research and findings about Big Head a couple of days ago, uncovering more details about the malware. The firm found that the ransomware also checks for virtualized environments like Virtual Box or VMware, among others, and even goes on to delete Volume Shadow Copy Service (VSS) backups, which makes it quite frightening.

Trend Micro explains:

The ransomware checks for strings like VBOX, Virtual, or VMware in the disk enumeration registry to determine whether the system is operating within a virtual environment. It also scans for processes that contain the following substrings: VBox, prl_ (Parallels Desktop), srvc.exe, vmtoolsd.

The malware identifies specific process names associated with virtualization software to determine if the system is running in a virtualized environment, allowing it to adjust its actions accordingly for better success or evasion. It can also proceed to delete the available recovery backups by using the following command line:

vssadmin delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
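The command chain Trend Micro quotes above is also what a defender can watch for: shadow copy deletion and the two bcdedit changes that disable Windows recovery are rarely typed by hand, and all three appearing in one command line is a strong ransomware signal. The following Python script is an added example written for this article, not code from Fortinet, Trend Micro or the malware. It scans process-creation events and flags command lines containing those three fragments. The log format (key=value fields with a quoted cmdline), the hostnames, PIDs and timestamps are all constructed for the demonstration; a real deployment would read Sysmon Event ID 1 or EDR telemetry instead.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events in a simple key=value shape (not a real
# Sysmon/EDR export). Hosts, PIDs and timestamps are made up for this example.
# The third and fourth lines reproduce the bcdedit/vssadmin chain quoted in
# the Trend Micro analysis; the first two are benign activity.
SAMPLE_LOG = r"""
2023-07-10T09:12:44Z host=WS01 pid=4120 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir C:\Users"
2023-07-10T09:13:02Z host=WS01 pid=4188 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2023-07-10T09:14:31Z host=WS01 pid=4302 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2023-07-10T09:15:07Z host=WS02 pid=2210 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"
"""

# Detection rules built from the command-line fragments quoted in the article.
# Matching is case-insensitive and tolerates the optional ".exe" suffix.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bootstatus_ignore_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Parser for the constructed event format above.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None if the line is not a process event."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]


def severity(rule_hits: List[str]) -> str:
    # Several destructive commands chained in one command line is the pattern
    # the article quotes; a lone bcdedit change may still be an administrator.
    return "high" if len(rule_hits) >= 2 else "medium"


def scan(log_text: str) -> List[dict]:
    """Scan a block of events and return one finding per suspicious command line."""
    findings = []
    for raw in log_text.strip().splitlines():
        event = parse_event(raw.strip())
        if event is None:
            continue  # skip lines that are not process-creation events
        hits = match_rules(event["cmdline"])
        if hits:
            findings.append({**event, "rules": hits, "severity": severity(hits)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} pid={f['pid']} {f['severity'].upper()}: "
              f"{', '.join(f['rules'])}")
```

Running the script reports the WS01 chain as high severity with all three rules matched and the single bcdedit change on WS02 as medium, while `vssadmin list shadows` is left alone. The severity split is deliberate: blocking or alerting on every bcdedit invocation generates noise from legitimate administration, whereas the combination of shadow copy deletion with recovery being disabled has very few benign explanations.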

Trend Micro also analyzed a couple more samples other than the one above. The three samples and their characteristics have been summarized below:

  • The first sample incorporates a backdoor in its infection chain.

  • The second sample employs a trojan spy and/or info stealer.

  • The third sample utilizes a file infector.

You can find more technical details as well as IOCs (Indicators of Compromise) of Big Head on Fortinet's and Trend Micro's websites linked at the sources below.

Source: Fortinet via Trend Micro
