October 3, 2023

Researchers have come across a new ransomware family called Big Head, which first appeared in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware families.

One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update. Another variant carries a Microsoft Word icon and was likely distributed as counterfeit software. The last variant implants a file infector during its infection campaign.

Variant A

Once Big Head ransomware variant A is executed, it displays a fake Windows Update screen to trick users into believing that legitimate actions are occurring behind the scenes.

Figure 1. Fake Windows Update screen shown by Big Head ransomware variant A

The fake Windows Update screen lasts about 30 seconds and then closes automatically. By then, the ransomware has already encrypted the files on the compromised machine and altered their file names.

The malware terminates itself if the user’s system language matches one of the following country codes: Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek. The malware also disables Task Manager to prevent users from terminating or investigating its process.


The ransomware then opens a ransom note labeled “README_[random seven-digit number]” that demands victims contact the attacker via email or Telegram for file decryption and to prevent a data leak.

Figure 3. Ransom note left by Big Head ransomware variant A

Big Head ransomware variant A has also been seen to leave a slightly different version of the ransom note, including the attacker’s Bitcoin address for “immediate ransom payment.”

Variant B

Big Head ransomware variant B is designed to encrypt files on compromised machines, but it did not encrypt any files in our test environment. This variant uses a PowerShell file named “cry.ps1” for file encryption. In some cases variant B does not drop cry.ps1, and file encryption then does not occur. This does not, however, stop variant B from replacing the desktop wallpaper with its own image containing the ransom note.

Like variant A, the ransom note requests that victims contact the attacker using the same email address or Telegram channel. The difference is that a ransom fee of one Bitcoin is stated in the variant B ransom note. The relatively low ransom fee indicates that Big Head ransomware is used to target consumers rather than enterprises.


The attacker’s Bitcoin wallet recorded two transactions: one in December 2022 for $313.93, the other in August of the same year for $70.07. Since the Big Head ransomware came out in May 2023, those transactions do not appear to be related to the ransomware variant.

Variant C

Analysis of the third sample shows that it includes a file infector, which we identified as Neshta, in its infection chain.


Neshta is a virus designed to infect and insert its malicious code into executable files. This malware also has a characteristic behavior of dropping a file called directx.sys, which contains the full path name of the infected file that was last executed. This behavior is not commonly observed in most types of malware, as they typically do not store such specific information in their dropped files.


Using Neshta in the ransomware deployment can also serve as an evasion technique for the final Big Head ransomware payload. It can make the malware appear to be a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware.

The ransom note and wallpaper associated with this binary are different from the ones previously mentioned.


The Big Head ransomware exhibits unusual behaviors during the encryption process: it displays a fake Windows Update screen while it encrypts files, deceiving users and effectively locking them out of their machines, and it renames the encrypted files using Base64 encoding as an extra layer of obfuscation, making it harder for users to identify the original names and types of the encrypted files. We also noted the following significant distinctions among the three versions of the Big Head ransomware:

  • The first sample incorporates a backdoor in its infection chain.
  • The second sample employs a trojan spy and/or info stealer.
  • The third sample utilizes a file infector.
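The three host artifacts described above (the “README_” ransom note with a seven-digit number, the Base64-renamed encrypted files, and Neshta’s dropped directx.sys) can be turned into a simple triage check over a file listing. The following Python is an added example written for this page, not code from the researchers or the original post; the directory snapshot is constructed, the optional “.txt” extension on the ransom note is an assumption, and the Base64 check is a heuristic that tries both the standard and URL-safe alphabets because Windows file names cannot contain “/”.

```python
"""Triage heuristics for the Big Head artifacts described in the write-up.

Constructed example: the file names in SAMPLE_LISTING are made up for the
demonstration and are not indicators from the report.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Ransom note name from the write-up: README_ followed by seven random digits.
# The optional .txt extension is an assumption, not stated on the page.
RANSOM_NOTE_RE = re.compile(r"^README_\d{7}(?:\.txt)?$", re.IGNORECASE)

# Neshta drops directx.sys holding the path of the last infected executable.
NESHTA_DROP_NAME = "directx.sys"

# Very short names such as "data" also decode as Base64; demand more signal.
MIN_B64_LEN = 12


def basename(path: str) -> str:
    """Return the final path component for Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def looks_base64_renamed(name: str) -> bool:
    """Heuristic: true when the whole file name decodes cleanly as Base64.

    Big Head renames encrypted files with Base64, so the name carries no
    recognisable extension. Genuinely Base64-shaped names can false-positive;
    treat a hit as a triage lead, not a verdict.
    """
    if len(name) < MIN_B64_LEN or len(name) % 4 != 0:
        return False
    try:
        if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name):
            base64.b64decode(name, validate=True)
        elif re.fullmatch(r"[A-Za-z0-9_-]+={0,2}", name):
            base64.urlsafe_b64decode(name)
        else:
            return False
    except (binascii.Error, ValueError):
        return False
    return True


@dataclass
class TriageResult:
    ransom_notes: List[str] = field(default_factory=list)
    renamed_files: List[str] = field(default_factory=list)
    neshta_drops: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.ransom_notes or self.renamed_files or self.neshta_drops)


def triage_listing(paths: Iterable[str]) -> TriageResult:
    """Classify each path by the strongest matching Big Head indicator."""
    result = TriageResult()
    for path in paths:
        name = basename(path)
        if RANSOM_NOTE_RE.match(name):
            result.ransom_notes.append(path)
        elif name.lower() == NESHTA_DROP_NAME:
            result.neshta_drops.append(path)
        elif looks_base64_renamed(name):
            result.renamed_files.append(path)
    return result


# Constructed directory snapshot (hypothetical user profile, made-up names).
DOCS = r"C:\Users\alice\Documents"
PICS = r"C:\Users\alice\Pictures"
SAMPLE_LISTING = [
    DOCS + r"\budget2023.xlsx",
    DOCS + r"\notes.txt",
    DOCS + "\\" + base64.b64encode(b"report.docx").decode(),
    PICS + "\\" + base64.b64encode(b"holiday-photo.jpg").decode(),
    r"C:\Users\alice\Desktop\README_4839201",
    r"C:\Windows\directx.sys",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print("ransom notes :", result.ransom_notes)
    print("renamed files:", result.renamed_files)
    print("neshta drops :", result.neshta_drops)
    print("suspicious   :", result.suspicious)
```

In practice the listing would come from a filesystem walk or an EDR inventory; running the three checks together matters because a lone Base64-looking name is weak evidence, while a ransom note next to a cluster of extension-less Base64 names and a directx.sys is a strong indication that this chain has run.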

The ransom note indicates that the malware developer utilizes both email and Telegram for communication with their victims.


Most of the Big Head ransomware samples were submitted from the United States. Another ransomware used by the same attacker was submitted from the United States, Spain, France, and Turkey.

This research was documented by researchers from FortiGuard Labs and Trend Micro.

Indicators of Compromise (SHA-256 hashes)

  • 2a36d1be9330a77f0bc0f7fdc0e903ddd99fcee0b9c93cb69d2f0773f0afd254
  • 39caec2f2e9fda6e6a7ce8f22e29e1c77c8f1b4bde80c91f6f78cc819f031756
  • 40e5050b894cb70c93260645bf9804f50580050eb131e24f30cb91eec9ad1a6e
  • 64246b9455d76a094376b04a2584d16771cd6164db72287492078719a0c749ab
  • 6d27c1b457a34ce9edfb4060d9e04eb44d021a7b03223ee72ca569c8c4215438
  • 9c1c527a826d16419009a1b7797ed20990b9a04344da9c32deea00378a6eeee2
  • ae927feae84239c7f56a2c49aadb02dc318ef4be2860353b6a2428bdbbf0ae71
  • bcf8464d042171d7ecaada848b5403b6a810a91f7fd8f298b611e94fa7250463
  • dcfa0fca8c1dd710b4f40784d286c39e5d07b87700bdc87a48659c0426ec6cb6
  • 1942aac761bc2e21cf303e987ef2a7740a33c388af28ba57787f10b1804ea38e
  • f59c45b71eb62326d74e83a87f821603bf277465863bfc9c1dcb38a97b0b359d
