Ransomware looks like it is not going away anytime soon: 66% of companies reported a ransomware incident in 2022, according to Sophos's 2023 State of Ransomware report. With ransom demands doubling over the same period, this financially successful cyberattack keeps lining the pockets of the cybercriminals perpetrating it, and anything so lucrative is bound to continue and perhaps even worsen. Ransomware impacts companies across all sectors and of all sizes, and constant innovation in attack tactics and malware code means vigilance is critical. Here, TitanHQ looks at a new ransomware variant known as 'Big Head' and how it could affect your organization.
What is Big Head Ransomware?
Big Head is a new variant of ransomware. It was discovered by Fortinet, who identified it as targeting consumers to extort money. Big Head ransomware is designed to affect Microsoft Windows users, encrypting files as part of the infection. Once a machine is infected, a ransom note is displayed demanding payment in bitcoin (BTC) to decrypt the files (at the time of writing, the price of 1 bitcoin was around $30,000).
Current research shows at least two versions of Big Head, targeting consumers using the Windows operating system. Faking a Windows update is part of the delivery strategy of the ransomware. As a malicious software package, Big Head is complex, with the two variants using slightly different methods of infection and control:
Variant A uses a fake Windows update to trick users into executing the ransomware. It then encrypts the files and displays the ransom note.
Variant B uses a PowerShell file named "cry.ps1" for file encryption, although the researchers did not experience file encryption when testing this variant. The variant did, however, display a ransom note on the screen.
Trend Micro has identified a possible third variant that uses a file infector called Neshta.
Big Head variants use a sophisticated encryption pathway, and the ransomware also has the potential to exfiltrate data.
Like other ransomware, Big Head performs checks to improve its chances of success; these include deleting backups and checking whether it is running in a virtual environment before file encryption commences. Notably, the ransomware disables Task Manager to stop users from aborting the process.
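From the defender's side, the behaviours just listed are what endpoint telemetry can be watched for. The following is an added example (not TitanHQ's, Fortinet's or Trend Micro's code) of lightweight detection logic run over constructed process-creation events: it flags shadow-copy or backup-catalog deletion as the assumed concrete form of the backup deletion mentioned above (the article does not name the exact command Big Head uses), the DisableTaskMgr policy value that disabling Task Manager commonly sets, and a PowerShell launch of Variant B's cry.ps1 script. Host names, timestamps, paths and the one-line event format are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to one
# line each). Hosts, timestamps and paths are made up for this example.
SAMPLE_EVENTS = [
    r"2023-07-10T09:12:01 host=WS01 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin.exe delete shadows /all /quiet",
    r"2023-07-10T09:12:03 host=WS01 image=C:\Windows\System32\reg.exe cmdline=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r"2023-07-10T09:12:05 host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\cry.ps1",
    r"2023-07-10T09:15:44 host=WS02 image=C:\Windows\System32\reg.exe cmdline=reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"2023-07-10T09:16:10 host=WS02 image=C:\Program Files\Backup\backup.exe cmdline=backup.exe --snapshot nightly",
]

# One regex per behaviour described in the article, applied to the command line.
RULES = {
    # Backup deletion: shadow-copy / backup-catalog removal is assumed here as the
    # concrete form; the article does not name the exact command Big Head uses.
    "backup_deletion": re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog)", re.I),
    # Task Manager disabled by setting the DisableTaskMgr policy value to 1.
    "taskmgr_disabled": re.compile(r"DisableTaskMgr\b.*?(?:/d\s+1\b|-Value\s+1\b)", re.I),
    # Variant B's encryption script, cry.ps1, launched through PowerShell.
    "encryption_script": re.compile(r"powershell(?:\.exe)?\b.*\bcry\.ps1\b", re.I),
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>.+?)\s+cmdline=(?P<cmdline>.*)$")

def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()

def classify_event(line):
    """Names of the rules this event's command line triggers (possibly none)."""
    cmdline = parse_event(line)["cmdline"]
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def triage_hosts(lines, min_behaviours=2):
    """Collect hits per host; flag a host only when it shows at least `min_behaviours`
    distinct behaviours, since one hit alone (an admin clearing old shadow copies, say)
    is a much weaker signal than the combination."""
    hits = defaultdict(set)
    for line in lines:
        tags = classify_event(line)
        if tags:
            hits[parse_event(line)["host"]].update(tags)
    return {host: {"behaviours": sorted(tags), "flagged": len(tags) >= min_behaviours}
            for host, tags in hits.items()}
```

Hosts with no hits do not appear in the result at all; in a real deployment the rules would be fed from a SIEM or EDR query rather than an in-memory list.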
How is Big Head Delivered?
Ransomware delivery mechanisms are one of the focal areas of attacker innovation in manipulating targets. Ransomware delivery is well known for using phishing and social engineering to initiate a chain of infection. Research from IBM has found that the following methods are commonly used to deliver ransomware:
- Phishing or social engineering (45%)
- Insecure or spoofed websites (22%)
- Social media (19%)
- Malvertisements (13%)
Fortinet has said that Big Head is not thought to be widespread. However, its delivery mechanism should be taken as a warning sign of a sophisticated attack.
Big Head enters a computer as a fake Windows update. How this update is delivered suggests tactics such as malvertising and phishing are used.
Malvertising is where an advert on a legitimate site is laced with malicious code that redirects the user to an attacker-controlled web server hosting an exploit kit. Once the connection to the web server is made, the exploit kit probes for vulnerabilities on the user's machine in order to run malicious code.
Alternatively, Big Head could be initiated by a cleverly spoofed Microsoft update email. The email will likely have a button to install an update which, when clicked, begins the process of running the fake Windows update.
Big Head is targeting consumers initially. However, with remote working and workers using personal devices for work, an infection could also impact an organization.
What Stops Big Head Ransomware?
Like all malicious software, Big Head ransomware is best stopped at the source, i.e., before it gets the chance to infect a computer. Layers of security are the most effective way to stop ransomware from infecting your machines. Using layers of protection will shield users from malvertising exploitation and stop phishing emails from entering the network. Additional administrative measures such as patching vulnerabilities are essential to securing against ransomware like Big Head. To stop Big Head ransomware and other forms of ransomware, consider deploying the following measures:
DNS Filtering
A DNS filter blocks access to malicious or inappropriate websites. This includes stopping remote employees (and others) from navigating to websites containing exploit kits like those used in malvertising. WebTitan is an advanced DNS filtering solution that utilizes sophisticated AI-driven engines trained on data from hundreds of millions of end users. This vast data set helps to train human-supervised machine learning algorithms that actively update lists of dangerous URLs, including newly emerging ones, to block malicious content in real time.
Email Security
Phishing is a route into a network that is commonly used to deliver ransomware or initiate a ransomware infection. A cloud-based email security solution like SpamTitan Plus uses multiple layers of protection to detect and prevent phishing. This is an essential layer used to capture insidious attempts to trick employees into performing an action that leads to ransomware infection.
Security Awareness Training
Security awareness training teaches employees about the tricks and methods used by cybercriminals. This training empowers employees with the knowledge to protect themselves and their organization against ransomware infection. Because so many cyber-attackers focus on manipulating, tricking, and socially engineering employees, empowering individuals with the knowledge to recognize a cyber-attack is vital in any organization's cybersecurity strategy. SafeTitan by TitanHQ is a behavior-driven security awareness training platform designed to build a security culture. SafeTitan trains your employees to detect and prevent cyber-attacks. Training incorporates gamified content that is interactive and fun and uses short and efficient testing. Employees are given contextual learning during a training session to solidify training and help them understand their actions' impact. SafeTitan comes with an integrated simulated phishing platform that has been shown to reduce staff susceptibility to phishing by up to 92%.
One crucial aspect of TitanHQ's layered approach to security is the deep integration of the layers across our solutions. Poor interoperability can magnify configuration issues and human error, leading to potential security gaps. Ransomware hackers always look for openings to exploit; close those gaps, and you will protect your organization from this most insidious threat.
Talk to TitanHQ's security team to learn how to protect your employees and organization from Big Head ransomware.