Last month, FortiGuard Labs, Fortinet's security research organization, published its findings on a ransomware variant that infects devices by disguising itself as a critical Windows update.
When it runs, the ransomware, dubbed "Big Head", displays a fake Windows Update screen and encrypts files in the background while the user waits for the supposed update to finish. The fake update takes around 30 seconds.
The sample described above is the first variant, known as Variant A. A second variant, Variant B, uses a PowerShell file named "cry.ps1" to encrypt files on compromised systems.
Fortinet says it can detect and protect against the known Big Head variants. According to FortiGuard Labs, the following AV signatures cover them:
- MSIL/Fantom.R!tr.ransom
- MSIL/Agent.FOV!tr
- MSIL/Kryptik.AGXL!tr
- MSIL/ClipBanker.MZ!tr.ransom
Trend Micro then published its own research a couple of days ago, uncovering more details about the malware. The firm found that the ransomware also checks whether it is running in a virtualized environment such as VirtualBox or VMware, and that it deletes Volume Shadow Copy Service (VSS) backups, which removes the easiest local recovery path for victims.
Trend Micro explains:
The ransomware checks for strings like VBOX, Virtual, or VMware in the disk enumeration registry to determine whether the system is operating within a virtual environment. It also scans for processes that contain the following substring: VBox, prl_ (Parallels Desktop), srvc.exe, vmtoolsd.
The malware identifies specific process names associated with virtualization software to determine if the system is running in a virtualized environment, allowing it to adjust its actions accordingly for better success or evasion. It can also proceed to delete available recovery backups by using the following command line:
vssadmin delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
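As an added example (not code from Fortinet, Trend Micro or the Big Head authors), the following Python script shows how a detection engineer would catch the recovery-inhibition chain quoted above in process-creation telemetry: it splits a cmd.exe chain into its individual invocations, matches each against the vssadmin and bcdedit commands Trend Micro lists, and rates a single command line carrying several of them as high severity. The `wmic shadowcopy delete` pattern, the event field layout and the sample events are assumptions constructed for the example, not indicators from either report.

```python
import re
from dataclasses import dataclass

# Regexes for the recovery-inhibition commands in the chain Trend Micro quotes.
# Each is applied to a single, lowercased command segment (one tool invocation).
# wmic_shadowcopy_delete is an assumption added here for coverage; the article
# does not attribute it to Big Head.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]*\}\s+recoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{[^}]*\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("wmic_shadowcopy_delete",  # assumption: common variant, not from the article
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
]

# cmd.exe chains commands with &, &&, || and |; one log line may carry several.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_segments(command_line):
    """Split a cmd.exe-style chained command line into individual invocations."""
    return [s for s in (seg.strip() for seg in CHAIN_SPLIT.split(command_line)) if s]


def analyze_command_line(command_line):
    """Return the names of recovery-inhibition techniques found, in order of appearance."""
    hits = []
    for seg in split_segments(command_line.lower()):
        for name, pattern in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(seg) and name not in hits:
                hits.append(name)
    return hits


@dataclass
class ProcessEvent:
    """Minimal process-creation record (think Sysmon Event ID 1 / Security 4688)."""
    time: str
    image: str
    parent_image: str
    command_line: str


def triage_events(events):
    """Flag events whose command line inhibits recovery. Two or more techniques
    in one command line is the ransomware pattern and is rated high."""
    alerts = []
    for ev in events:
        hits = analyze_command_line(ev.command_line)
        if not hits:
            continue
        alerts.append({
            "time": ev.time,
            "parent_image": ev.parent_image,
            "techniques": hits,
            "severity": "high" if len(hits) >= 2 else "medium",
        })
    return alerts


# Constructed sample events (not real telemetry). The first command line is the
# one quoted from Trend Micro's analysis; the parent path is a placeholder.
BIG_HEAD_CMDLINE = ("vssadmin delete shadows /all /quiet & "
                    "bcdedit.exe /set {default} recoveryenabled no & "
                    "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures")

SAMPLE_EVENTS = [
    ProcessEvent("2023-07-10T09:14:02Z", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\update.exe", "cmd.exe /c " + BIG_HEAD_CMDLINE),
    ProcessEvent("2023-07-10T09:20:11Z", r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Windows\System32\cmd.exe", "vssadmin list shadows"),
    ProcessEvent("2023-07-10T09:31:45Z", r"C:\Windows\System32\bcdedit.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcessEvent("2023-07-10T09:40:00Z", r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["parent_image"],
              ", ".join(alert["techniques"]))
```

Run as-is and it prints one high alert for the full chain and one medium alert for the lone bcdedit call; in production the events would come from Sysmon Event ID 1 or Windows Security Event 4688. The benign `vssadmin list shadows` line is there to show why the rule keys on the verb (`delete`) and the bcdedit flags rather than on the tool names alone, which administrators invoke legitimately.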
Trend Micro also analyzed two more samples beyond the one above. The three samples and their characteristics are summarized below:
- The first sample incorporates a backdoor in its infection chain.
- The second sample employs a trojan spy and/or info stealer.
- The third sample utilizes a file infector.
You can find more technical details as well as IOCs (Indicators of Compromise) for Big Head on Fortinet's and Trend Micro's websites, linked at the sources below.
Source: Fortinet via Trend Micro