View All R&D Articles

Big Head Ransomware: Fake Windows Update Leads to Data Loss

July 11, 2023

Fortinet FortiGuard Labs has identified a new piece of ransomware that encrypts files while presenting fake Microsoft Windows updates and Word installers.

The ransomware, nicknamed “Big Head,” is likely distributed via phishing. Victims are tricked into downloading an update for Windows or Microsoft Office, which presents a “configuring updates” screen for about 30 seconds as the ransomware deploys. 

But instead of updating software, the ransomware encrypts files, checks for (and destroys) virtual backups, and opens a ransom note. 

Big Head has two variants, and the ransom note differs slightly for each. Here’s a sample ransom:

Hell O![sic] All your files have been encrypted BIGHEAD RANSOMWARE
Your personal ID: [Number]
To decrypt your files you need to write to email: poop69new@[email domain]I
n the letter, send your personal Id. 
Do not try restore files without our help, this is useless, and can destroy you data permanetly.

Generally, the ransomware demands 1 bitcoin as payment (currently, around $30,500). However, Big Head is not widespread — and the quick development of a secondary variant indicates that the group is working to refine its methods. 

Big Head targets computer users in the United States, France, Spain, and Turkey.

Per HackerNews, the malware does not complete the encryption process if the user’s machine has a default language matching one of the following: Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek.

This would indicate that the hacker group is based in a Russian-affiliated state — which would almost certainly make ransom payments illegal for victims based in the United States. The U.S. Office of Foreign Assets Control (OFAC) restricts payments to certain foreign entities and may impose civil penalties for payments that violate the  Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.

Read more about why paying for ransomware is often illegal. 

If you’re infected by Big Head ransomware, take immediate action.

Disconnect the infected machine from your network. Do not pay the ransom. As discussed above, ransom payments are illegal in many circumstances, and they’re not a reliable recovery method — decryption tools supplied by malicious actors may cause file corruption, and bad actors have no incentive to address data loss.

At, we’re researching potential solutions for Big Head ransomware infections. The malware uses AES and SHA256 algorithms to encrypt files, which are relatively conventional; however, the malware exfiltrates user data, which creates a severe risk of data leakage.

Our ransomware experts can help you form a disaster recovery plan and prevent future attacks from impacting your systems. To learn more, call 1-800-237-4200 to speak with a ransomware specialist or submit a request online.