Disclosures:
Professional Reviews

The reviews found on GuideHaven consist of evaluations conducted by community reviewers. These assessments take into account the reviewers’ unbiased and knowledgeable analysis of the products and services being reviewed.

Ownership

GuideHaven is a leading cybersecurity review website with a team of experts experienced in testing and evaluating VPNs, antiviruses, password managers, parental controls, and software tools. Our reviews are available in 29 languages, making them accessible to a broad audience since 2018. To further support our readers in their pursuit of online security, we’ve partnered with Kape Technologies PLC, which owns popular products like ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego, all of which may be reviewed on our website.

Affiliate Commissions

GuideHaven contains reviews that follow the strict reviewing standards, including ethical standards, that we have adopted. Such standards require that each review will take into consideration the independent, honest, and professional examination of the reviewer. That being said, we may earn a commission when a user completes an action using our links, at no additional cost to them. On listicle pages, we rank vendors based on a system that prioritizes the reviewer’s examination of each service, but also considers feedback received from our readers and our commercial agreements with providers.

Review Guidelines

The reviews published on GuideHaven are written by community reviewers that examine the products according to our strict reviewing standards. Such standards ensure that each review prioritizes the independent, professional, and honest examination of the reviewer, and takes into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings we publish may also take into consideration the affiliate commissions we earn for purchases through links on our website.


Big Head: New Ransomware Targeting Windows Users With Fake Updates and Installers

Published by Shipra Sanganeria on July 12, 2024

A new ransomware strain recently discovered by security researchers is being distributed through a malvertising campaign that promotes fake Windows updates and Microsoft Word installers.

The ransomware, dubbed "Big Head", was first discovered by security researchers at FortiGuard Labs. Trend Micro later published a report claiming that both previously identified variants and a third variant were the work of a single threat actor.

The ransomware is a .NET binary that drops three AES-encrypted files on the victim's system: the first (1.exe) propagates the malware, the second (archive.exe) communicates with the threat actor's Telegram channel, and the third (Xarch.exe) displays a bogus Windows update screen.

Like other ransomware, it performs several checks to decide whether to run or self-terminate. Before encrypting files, the ransomware checks whether it is running in a virtual environment, deletes recovery backups, terminates processes, and avoids directories that could expose its presence.

The malware also disables Task Manager to prevent the victim from terminating or investigating its activity, and it self-terminates if the machine's system language is Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek.

Trend Micro identified two further variants. The second Big Head variant combines ransomware with info-stealer capabilities: it exfiltrates sensitive data from the victim's system, including product keys, lists of directories and running processes, browsing history and network information, and captures screenshots.

The third variant includes a file infector identified as Neshta, which infects the target machine by inserting malicious code into executable files. This technique can make the threat look like a generic virus, making it harder for security solutions to recognize it as ransomware.

The threat actor behind the ransomware remains unknown, but Trend Micro researchers speculate an Indonesian origin based on a YouTube account name that is a phrase in Bahasa Indonesia. Given the multi-faceted nature of the ransomware, the researchers have also issued a security warning.
