bigdata

[Content by Gemini 2.5]


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The malware appends the lower-case extension “.bigdata” to each encrypted file; the dot is the only separator added.
  • Renaming Convention:
    Original: Sales_2024_Q1.xlsx
    After infection: Sales_2024_Q1.xlsx.bigdata
    The ransomware keeps the original file name and original extension and concatenates “.bigdata” after them. Nested and long paths are handled in full and the file-tree order is kept, so encrypted content is easy to spot in Windows Explorer.
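A triage scanner for the rename convention above, added here as an example (it is not code from the page or from any vendor tool). It assumes only what the text states: the original name and extension are kept and “.bigdata” is concatenated after them. Because NTFS is case-insensitive, the suffix is matched case-insensitively; file names that merely contain the word elsewhere are ignored. The sample share it builds is constructed for demonstration.

```python
import json
import os
import sys
import tempfile
from collections import Counter
from typing import Dict, Iterable, Iterator, NamedTuple, Optional

# The only fact assumed from the page: original name + original extension are
# kept and ".bigdata" is concatenated after them.
ENCRYPTED_SUFFIX = ".bigdata"


class EncryptedFile(NamedTuple):
    path: str           # full path of the encrypted file as found on disk
    original_name: str  # name with the appended suffix removed
    original_ext: str   # extension of the original file, e.g. ".xlsx" ("" if none)


def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Recover the original name from a path that follows the rename convention.

    Returns None when the name does not end in ".bigdata". The suffix is compared
    case-insensitively (NTFS is case-insensitive); a bare ".bigdata" with nothing
    in front of it is not a renamed file and is skipped.
    """
    name = os.path.basename(path)
    if len(name) <= len(ENCRYPTED_SUFFIX) or not name.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    original = name[: -len(ENCRYPTED_SUFFIX)]
    _, ext = os.path.splitext(original)
    return EncryptedFile(path=path, original_name=original, original_ext=ext.lower())


def scan_tree(root: str) -> Iterator[EncryptedFile]:
    """Walk a directory tree (without following symlinks, so a looped share cannot
    trap the scan) and yield every file that matches the rename convention."""
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for fname in files:
            hit = parse_encrypted_name(os.path.join(dirpath, fname))
            if hit is not None:
                yield hit


def summarize(hits: Iterable[EncryptedFile]) -> Dict:
    """Aggregate hits into what an IR lead asks for first: how many files,
    which directories, and which original file types were targeted."""
    hits = list(hits)
    return {
        "encrypted_files": len(hits),
        "affected_directories": sorted({os.path.dirname(h.path) for h in hits}),
        "by_original_extension": dict(Counter(h.original_ext or "<none>" for h in hits)),
    }


def build_sample_tree(base: str) -> None:
    """Create a CONSTRUCTED sample share: three renamed files plus two clean
    decoys whose names merely contain the word "bigdata"."""
    sample = {
        "Finance/Sales_2024_Q1.xlsx.bigdata": b"ciphertext",
        "Finance/Archive/report.pdf.bigdata": b"ciphertext",
        "Finance/bigdata_notes.txt": b"clean file, suffix absent",
        "HR/payroll.bigdata": b"ciphertext (original had no extension)",
        "HR/policy.BIGDATA.docx": b"clean file, suffix not at the end",
    }
    for rel, body in sample.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)


def demo() -> Dict:
    """Build the constructed tree in a temp dir, scan it and return the summary
    with directories made relative to the temp root so the result is stable."""
    base = tempfile.mkdtemp(prefix="bigdata_triage_")
    build_sample_tree(base)
    summary = summarize(scan_tree(base))
    summary["affected_directories"] = [
        os.path.relpath(d, base) for d in summary["affected_directories"]]
    return summary


if __name__ == "__main__":
    # Usage: python bigdata_triage.py <share-root>; with no argument it scans the sample.
    result = summarize(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print(json.dumps(result, indent=2))
```

Run it against a share root to get a JSON inventory; the per-extension breakdown is a quick way to confirm which document types were targeted before deciding on restore priorities.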

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First crowdsourced submissions were seen on 20 March 2021 (uploaded to ID-Ransomware). Public telemetry spiked between 27 March 2021 and 05 April 2021 in Eastern Europe and South-East Asia. Later campaigns resurfaced in November 2023, mainly affiliated with the Hive-Spider (formerly “Hive” / “Vice Society”) collective.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. RDP brute-force and credential stuffing (port 3389 left exposed through an RDP Gateway misconfiguration).
    2. Phishing e-mails carrying password-protected ZIP or ISO files weaponised with LNK, HTA or OneNote droppers that load BigDataNet.exe.
    3. Exploitation of public-facing VPN appliances:
      – Ivanti Connect Secure & Policy Secure CVE-2023-46805 / CVE-2024-21887 (2023 wave)
      – Fortinet path-traversal flaw CVE-2022-42475
    4. SMBv1 / EternalBlue fallback (still effective on unpatched legacy 2012 R2 servers).
    5. Living-off-the-land techniques: WMI, PowerShell and PsExec for lateral movement once an initial foothold is achieved.

Remediation & Recovery Strategies

1. Prevention

  • Baseline measures
    – Disable NetBIOS/SMBv1 across all Windows machines; enable SMB Signing & Encryption.
    – Mandatory MFA for all VPN, RDP and privileged SMB logins.
    – Segmentation: place jump-hosts between RDP-bastion and internal VLANs; block port 3389 at the edge FW.
    – E-mail gateways: strip password-protected archives; sandbox LNK, ISO, OneNote, VBS inside attachments.
    – Patch cadence ≤14-day SLA for externally reachable appliances (VPN gateways, firewalls, WAFs).
    – Basic hygiene: application whitelisting (Windows AppLocker / Smart App Control), privilege tiering, LAPS for local admins, daily offline or immutable cloud backups.

2. Removal

Step-by-step cleanup for SOC analysts:

  1. Isolate the host (take it offline or use EDR network isolation) to stop the encryption threads.
  2. Collect volatile artefacts (Amcache, Prefetch, a live process list via PsList) if incident response is being performed.
  3. Kill active payloads via EDR or in Safe Mode:
    – Typical persistence locations:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BigUpdate
    C:\ProgramData\BigDataNet.exe
  4. Delete scheduled tasks and WMI event consumers, e.g. schtasks /delete /tn "BIGDataServiceUpdate" /f
  5. Rootkit check: run the Trend Micro Ransomware File Decryptor (it checks for the parasitic MBR overwrite present only in the late-2023 variant).
  6. Full AV scan (Defender/EDR plus an offline rescue disc) and removal of residual registry keys:
    HKLM\SYSTEM\CurrentControlSet\Services\bigDrv
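A read-only audit of the persistence indicators named in steps 3, 4 and 6 above, added here as an example (not a tool from the page or from any vendor). The matching logic is a pure function so it can be exercised with constructed input on any OS; the live collectors at the bottom use the Windows `winreg` module and `schtasks /Query /FO CSV /NH`, and the assumption is that an analyst runs them on the affected Windows host. It reports findings and deletes nothing, leaving removal to the EDR or to the steps above.

```python
import csv
import os
import platform
import subprocess
from typing import Dict, Iterable, List

# Indicators exactly as listed in the removal steps (values from the page).
RUN_VALUE_NAME = "BigUpdate"                       # value under HKCU\...\CurrentVersion\Run
DROPPED_BINARY = r"C:\ProgramData\BigDataNet.exe"
SCHEDULED_TASK = "BIGDataServiceUpdate"
SERVICE_NAME = "bigDrv"                            # subkey of HKLM\SYSTEM\CurrentControlSet\Services
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY_PATH = r"SYSTEM\CurrentControlSet\Services"


def _leaf(name: str) -> str:
    r"""Last path component of a task name such as '\Microsoft\Windows\Foo'."""
    return name.rsplit("\\", 1)[-1]


def audit(run_values: Dict[str, str], task_names: Iterable[str],
          service_names: Iterable[str], present_files: Iterable[str]) -> List[str]:
    """Match collected system state against the indicators and return findings.

    Comparisons are case-insensitive because the registry, the task scheduler
    and NTFS all are. Pure function: no system access, so it runs with
    constructed input on any OS.
    """
    findings: List[str] = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(f"Run value {name!r} present -> {command}")
        elif os.path.basename(DROPPED_BINARY).lower() in command.lower():
            # Catches a renamed Run value that still launches the dropped binary.
            findings.append(f"Run value {name!r} launches dropped binary -> {command}")
    for task in task_names:
        if _leaf(task).lower() == SCHEDULED_TASK.lower():
            findings.append(f"Scheduled task present: {task}")
    for svc in service_names:
        if svc.lower() == SERVICE_NAME.lower():
            findings.append(f"Service key present: {SERVICES_KEY_PATH}\\{svc}")
    for path in present_files:
        if path.lower() == DROPPED_BINARY.lower():
            findings.append(f"Dropped binary present: {path}")
    return findings


def parse_schtasks_csv(text: str) -> List[str]:
    """Task names from `schtasks /Query /FO CSV /NH`; the first column is TaskName."""
    return [row[0] for row in csv.reader(text.splitlines()) if row]


# --- live collectors: Windows only, read-only ---------------------------------

def _enum_values(hive, path) -> Dict[str, str]:
    import winreg  # imported lazily: the module exists only on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(hive, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised once no values remain
                break
            values[name] = str(data)
            index += 1
    return values


def _enum_subkeys(hive, path) -> List[str]:
    import winreg
    names: List[str] = []
    with winreg.OpenKey(hive, path) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:
                break
            index += 1
    return names


def collect_and_audit() -> List[str]:
    """Gather state from the live host (Windows only) and run the audit."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection needs Windows; use audit() with constructed data elsewhere")
    import winreg
    run_values = _enum_values(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH)
    services = _enum_subkeys(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY_PATH)
    out = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    files = [DROPPED_BINARY] if os.path.exists(DROPPED_BINARY) else []
    return audit(run_values, parse_schtasks_csv(out), services, files)


if __name__ == "__main__":
    for line in collect_and_audit():
        print("[!]", line)
```

The second Run-key check (any value whose command contains BigDataNet.exe) is deliberately broader than the single value name the page lists, so a re-named autorun entry pointing at the same dropped binary is still surfaced for review.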

3. File Decryption & Recovery

  • Recovery Feasibility: Yes, partial and conditional. The original 2021 release used an offline Curve25519 → Salsa20/12 stream key. Researchers from SentinelLabs & JPCERT released a combinatorial master-key exploit in June 2021 that relied on an RNG entropy bug. The 2023 rebranded variant rewrote key generation; no public decryptor exists for the new seed.
  • Tools Available:
    – BigData2021Decrypter.exe (Emsisoft-signed, v1.3) – handles victim IDs ≤ “t-00230fasda” (legacy IDs).
    – No known tool for 2023 IDs (these start with the prefix “bid_”).
    – Backup restoration or ransom negotiation remain the only paths for the 2023 wave.
  • Essential Patches:
    – Security-only update rollups: KB5027231 (2023-05) for Windows 2019/22, KB5027232 for Windows 10/11 – hardens against CVE-2022-42475.
    – Ivanti / Pulse Secure patch: Release 22.6R1.1 (deflects 2023 chaining).

4. Other Critical Information

  • Unique Characteristics:
    – During encryption it drops “RUNTHISTOUNLOCK.HTML” & “readmebigdata.txt” in every folder; the ransom note is the only file that contains a v3 onion address, rather than the Tor2web gateway typical of other Hive-based strains.
    – Slightly lower ransom demand: averages 0.04-0.06 BTC (≈2,500-3,500 USD), deliberately set to maximise the payment rate from SMB victims rather than to extract a large ransom from enterprises.
    – Network-share traversal: it enumerates drives mapped through DFS-N namespaces, reaching deeper into file shares than typical ransomware.
  • Broader Impact:
    – The 2021 wave hit hospitals in Poland and the Lithuanian education sector; critical-care devices were locked when a shared folder containing PACS images was encrypted.
    – The November 2023 resurgence coincided with log4j-related activity in Australian healthcare, indicating that BigData is now bundled with secondary post-exploitation tooling (TrickBot and Cobalt Strike).
