Windows 10: "Big Head" ransomware fakes Windows Update to trick users

Discuss and support "Big Head" ransomware fakes Windows Update to trick users in Windows 10 News to solve the problem; Security researchers at FortiGuard Labs have discovered a new type of ransomware that is targeting home computer users. Dubbed Big Head, the ransomware... Discussion in 'Windows 10 News' started by GHacks, Jul 9, 2023.

  1. GHacks
    GHacks New Member

    "Big Head" ransomware fakes Windows Update to trick users


    Security researchers at FortiGuard Labs have discovered a new type of ransomware that is targeting home computer users. Dubbed Big Head, the ransomware fakes Windows Update to avoid detection.

    The researchers note that there are two main strains of the ransomware and multiple variants. The attack targets Windows users. Upon successful infection, the ransomware will encrypt files on systems that it compromised to demand ransom for file decryption.

    [Image: the fake "Configuring critical Windows Updates" screen shown by Big Head (fake-windows-update-screen.png)]
    source: Fortinet

    At least one variant of Big Head disguises itself as an update for Microsoft Windows. Once executed, it displays a "Configuring critical Windows Updates" screen to the user that fakes legitimacy.

    Fortinet notes that this fake update screen lasts for about 30 seconds and counts to 100% in the process. It closes automatically after the ransomware has encrypted a sizeable number of files on the user system. The file names are modified randomly according to the researchers.

    A ransom note is opened, which begins with README_ followed by a random seven-digit number. The creator of the ransomware asks the user to establish contact via email or Telegram to pay a ransom and regain access to the encrypted files using file decryption instructions.

    Researchers at Trend Micro provide additional technical details on the Big Head ransomware family. The ransomware drops three executable files on the attacked machine, 1.exe, archive.exe and Xarch.exe, which serve different purposes.

    1.exe, for example, creates an autorun Registry key so that it is executed on every startup of the system. It furthermore hides the console window and creates a copy of itself, which it saves as discord.exe to the %localappdata% folder.

    The file will also drop the ransomware note, may change the wallpaper on the victim's machine and may open the operator's Telegram account in a browser.

    Trend Micro noted that the malware terminates a number of processes upon execution, including Task Manager.

    Like many other ransomware strains, Big Head is targeting specific locales only. These include Germany, the United States, Italy, France, Belgium, Spain, Sweden, Turkey and dozens of other countries.

    It is unclear at this point how the ransomware is distributed. The researchers found one variant with a Word icon, which could indicate distribution as a fake application.

    The clear focus of the ransomware is home users and not organizations. The use of a fake Windows Update screen is a clear indicator of this.

    The researchers note that Big Head is not widespread at this point. Some antivirus and security solutions protect devices against Big Head attacks already. Fortinet and Trend Micro security applications detect and block the ransomware on user machines already.

    Thank you for being a Ghacks reader. The post "Big Head" ransomware fakes Windows Update to trick users appeared first on gHacks Technology News.

    GHacks, Jul 9, 2023
    #1
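The post above names a handful of host artifacts: an autorun Registry key, a copy of the dropper saved as discord.exe in %localappdata%, and a ransom note named README_ plus seven digits. The read-only triage script below is an added example for checking a Windows 10 machine for exactly those artifacts; it is not code from gHacks, Fortinet or Trend Micro. It assumes the unnamed autorun key is one of the standard per-user or per-machine Run keys, and that discord.exe sits directly in the %LOCALAPPDATA% root as the post states.

```powershell
# Added example: read-only triage for the Big Head artifacts described in the post.
# Nothing here modifies the system; findings are only reported.
$findings = @()

# 1. Autorun Run keys. Assumption: the post says "an autorun Registry key" without
#    naming it, so the two standard Run keys are checked for a discord.exe reference.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($p.Value)" -match 'discord\.exe') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 2. discord.exe dropped directly into %LOCALAPPDATA% (the location the post gives).
#    The legitimate Discord client installs under %LOCALAPPDATA%\Discord\app-*\ instead,
#    so a file at the folder root is worth a closer look; report its signature status.
$dropped = Join-Path $env:LOCALAPPDATA 'discord.exe'
if (Test-Path $dropped) {
    $sig = Get-AuthenticodeSignature -FilePath $dropped
    $findings += [pscustomobject]@{ Type = 'DroppedFile'; Where = $dropped; Detail = "Signature: $($sig.Status)" }
}

# 3. Ransom notes: README_ followed by exactly seven digits, anywhere in the user profile.
$notes = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^README_\d{7}' }
foreach ($n in $notes) {
    $findings += [pscustomobject]@{ Type = 'RansomNote'; Where = $n.FullName; Detail = $n.LastWriteTime }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the Big Head artifacts described in the post were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on any one of the three checks is a lead to investigate, not proof of infection; a clean run only means these particular artifacts are absent.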
  2. Smeed Win User
  3. trparky Win User
    Say goodbye to ransomware with Windows 10 Fall Creators Update

    Yes, ransomware will be a thing of the past with Windows 10 Fall Creators Update thanks to something called "Controlled Folder Access" in Windows Defender.

    Windows 10 will hide your important files from ransomware soon | The Verge

    These are protections for your files against ransomware at the kernel and Windows Defender level. Rest easy, your files are safe.

    About damn time Microsoft!
     
    trparky, Jul 9, 2023
    #3
  4. btarunr Win User

    "Big Head" ransomware fakes Windows Update to trick users

    Synology Urges Users to Update as Ransomware Affects Older DSM Versions

    Synology has been investigating and working with users affected by a recent ransomware called "SynoLocker." Synology has confirmed the ransomware affects Synology NAS servers running older versions of DiskStation Manager, by exploiting a vulnerability that was fixed in December 2013, at which time Synology released patched software and notified users to update via various channels.

    Affected users may encounter the following symptoms:
    • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
    • Abnormally high CPU usage or a running process called "synosync" (which can be checked at Main Menu > Resource Monitor).
    • DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.
    For users who have encountered the above symptoms, please shut down the system immediately to prevent more files from being encrypted and contact our technical support here. However, Synology is unable to decrypt files that have already been encrypted.
    For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:
    • DSM 4.3-3827 or later
    • DSM 4.2-3243 or later
    • DSM 4.0-2259 or later
    • DSM 3.x or earlier is not affected
    Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update.
    Synology sincerely apologizes for any problems or inconvenience this issue has caused our users. As cybercrime proliferates and increasingly sophisticated malware evolves, Synology continues to devote resources to mitigate threats and is dedicated to providing users with reliable solutions.
     
    btarunr, Jul 9, 2023
    #4