The BianLian Ransomware group targets organizations around the world, with a prime focus on Australia, the United States, and the United Kingdom.
Cybersecurity firm Avast’s analysts have released a decryptor for the dangerous BianLian ransomware, which first surfaced in August 2022. Using this decryptor, BianLian victims can retrieve their encrypted data for free and avoid paying the ransom to the attackers.
Most of the victims of BianLian ransomware belonged to industries, including healthcare, energy, media, and manufacturing. Organizations worldwide were targeted with ransomware, mainly in the UK, the USA, and Australia.
According to Avast’s analysis, the malware operators used the Go programming language to improve its operational capabilities and make it difficult to detect. One of the unique features of BianLian ransomware is the concurrency that allows it to encrypt the data quickly.
Furthermore, it can self-delete itself when the encryption is complete. This is where Avast’s decryptor faces a big challenge. The problem is that the decryptor can restore files that the ransomware’s known variant has encrypted.
“For new victims, it may be necessary to find the ransomware binary on the hard drive; however, because the ransomware deletes itself after encryption, it may be difficult to do so,” Avast cybersecurity analysts wrote in their report.
The BianLian executable is around 2MB in size. It primarily targets Windows systems and uses a novel encryption technique that divides the files into chunks to encrypt them at a higher speed and prevent detection before the encryption is complete.
How BianLian Attack Works?
Initial access is gained via the ProxyShell vulnerability chain, after which the operators deploy a webshell or a lightweight remote access tool. The ransomware may also exploit SonicWall VPN devices.
After the ransomware is executed, it searches for disk drives and all files. Then, the ransomware starts encrypting the files with extensions that match the 1,013 extensions hardcoded into its binary and attaches the extension .bianlian to the files. It is worth noting that the malware encrypts data only in the file’s middle, not the beginning or the ending.
When the process is complete, the malware drops a ransom note titled “Look at this instruction.txt” in every folder on the system, informing the victim they have been hit with ransomware and should contact the attacker to restore their data. They can contact the attacker via email or an encrypted messaging app. The attacker also warns them to publish the stolen data if they don’t pay the ransom within ten days.
The BianLian attackers also warn victims of double extortion, claiming that they’ve stolen data and will publish it if they don’t receive a ransom payment within ten days.
It is yet known who’s operating the BianLian campaign, but Avast researchers believe the operators are a skilled, aggressive group but a novice in the ransomware domain. Moreover, they suspect the operators aren’t from a defunct group like Conti. So far, its leak sites feature 23 victims.