Tailing Big Head Ransomware’s Variants, Tactics, and Impact

Indicators of Compromise (IOCs)