Dark Web Ransomware The Rise of Big Head Ransomware


While prominent ransomware groups like ALPHV and Lockbit 3.0 make headlines with their high-profile attacks on big companies, there are lesser-known actors operating on the dark web who use less sophisticated methods. One such group is Big Head Ransomware, which has emerged as a new player in the cyber threat landscape since May 2023. In this article, we will explore the origins, tactics, and impact of Big Head Ransomware.

Who is Big Head Ransomware?

Big Head Ransomware is not a single entity but rather a collection of multiple variants, each with its own unique characteristics and capabilities. The threat actor behind Big Head Ransomware remains elusive, with only limited information available about them. It is believed that the actor operates from an Indonesian-speaking country, although this has not been confirmed.

How Does Big Head Ransomware Attack?

Big Head Ransomware employs deceptive techniques to infiltrate systems and carry out its malicious activities. One of its notable methods is using fake Windows updates and counterfeit Microsoft Word installers. These tactics trick users into executing the ransomware, mistakenly thinking they are performing legitimate software updates or installations.

During the encryption process, Big Head Ransomware displays a screen that appears to be a genuine Windows update, further deceiving the victim. This allows the ransomware to complete its encryption process without interruption.

The ransomware gains initial access to systems through malvertising campaigns, phishing emails, malicious attachments, or compromised websites. It utilises various tools, including Mimikatz, PsExec, Cobalt Strike, and Empire PowerShell, to carry out its operations.

The impact of Big Head Ransomware is significant, as it encrypts files on the victim’s system and demands a ransom for decryption. It has caused disruptions and financial losses for numerous organisations.

Variants of Big Head Ransomware

There are two known variants of Big Head Ransomware, each with its own distinctive features:

Variant 1:

  • Displays a fake Windows update screen
  • Encodes filenames using Base64
  • Generates a unique victim ID in the ransom note
  • Changes the background after successful execution

Variant 2:

  • Does not encrypt files in some cases
  • Drops a ransom note without generating a victim ID or unique value
  • Changes the background after successful execution
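Variant 1's Base64 filename encoding leaves a recognisable footprint on disk. The following Python heuristic, added here as a defender-side example (it is not code from the article or from any analysis of the malware), flags directory entries whose names are valid Base64 that decodes to a plausible original filename; the sample listing, the filename pattern and the alert thresholds are constructed assumptions.

```python
import base64
import binascii
import re

# Decoded names that look like an ordinary user file: a stem plus a short extension.
FILENAME_RE = re.compile(r"^[\w .\-()]{1,200}\.[A-Za-z0-9]{1,5}$")
# Strict Base64 shape: alphabet only, length a multiple of 4, padding only at the end.
B64_SHAPE_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


def decode_if_base64_filename(name: str):
    """Return the decoded original filename if `name` is a Base64 encoding of
    something that looks like a filename, otherwise None."""
    if not name or not B64_SHAPE_RE.match(name):
        return None
    try:
        decoded = base64.b64decode(name, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not decoded.isprintable() or not FILENAME_RE.match(decoded):
        return None
    return decoded


def find_renamed_files(names):
    """Map each Base64-looking entry back to its probable original name."""
    hits = {}
    for name in names:
        decoded = decode_if_base64_filename(name)
        if decoded is not None:
            hits[name] = decoded
    return hits


def directory_looks_encrypted(names, min_hits=3, min_ratio=0.5):
    """Alert only when a meaningful share of a directory has been renamed, which is
    how a bulk-renaming encryptor leaves a folder (thresholds are assumed values)."""
    if not names:
        return False
    hits = len(find_renamed_files(names))
    return hits >= min_hits and hits / len(names) >= min_ratio


# Constructed listing (not from a real sample): three Base64-renamed names, three benign.
SAMPLE_LISTING = [
    "dGF4ZXMucGRm",       # "taxes.pdf"
    "cGhvdG8uanBn",       # "photo.jpg"
    "bm90ZXMuZG9jeA==",   # "notes.docx"
    "budget.xlsx",
    "README",
    "MTIzNDU2",           # "123456": valid Base64 but not a filename, so ignored
]

if __name__ == "__main__":
    for enc, orig in find_renamed_files(SAMPLE_LISTING).items():
        print(f"{enc} -> {orig}")
    print("directory looks encrypted:", directory_looks_encrypted(SAMPLE_LISTING))
```

Run over a real directory listing, the single-file check will produce occasional false positives on short Base64-like names, which is why the directory-level ratio is the signal worth alerting on.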

Targets of Big Head Ransomware


Big Head Ransomware targets a wide range of sectors, with a particular focus on consumers rather than enterprises. The ransom fee demanded is typically around one Bitcoin, indicating a preference for individual victims.


While Big Head Ransomware has a global reach, most of the samples submitted were from the United States. Submissions from Spain, France, and Turkey suggest that these regions have also been affected by the ransomware.

Specific Victims:

Big Head Ransomware does not specifically target individuals or organisations but takes advantage of general users’ lack of awareness and vigilance. By masquerading as a Windows Update or as counterfeit software, it tricks users into executing the ransomware, which then encrypts their files.

Is Big Head Ransomware Successful?

A check of the Bitcoin wallet provided in the ransom note reveals that only four transactions were made in 2022. This suggests that the success rate of Big Head Ransomware may be relatively low, despite its global reach and deceptive tactics.


Big Head Ransomware is a growing cybersecurity concern that targets consumers globally. Its deceptive tactics, such as posing as a fake Windows Update, make it a particularly dangerous threat. Despite its relatively low ransom fee, the damage it can cause to individuals and their data is significant.

The stealthy operations and geographical spread of Big Head Ransomware indicate that it is an evolving threat. The attacker’s possible involvement in other illicit activities further highlights the need for robust cybersecurity measures.

Organisations and individuals affected by ransomware attacks are advised against paying the ransom, as there is no guarantee that files will be recovered. Ransom payments may also encourage further attacks and fund criminal activities.

In conclusion, Big Head Ransomware requires comprehensive and proactive measures to mitigate its impact. Its global reach, deceptive tactics, and evolving nature make it a formidable threat that should not be underestimated.
