Beating BianLian ransomware with decryption • The Register

Cybersecurity firm Avast has released a free decryptor for victims of BianLian – an emerging ransomware threat that came into the public eye last year.

Victims of BianLian are found in such industries as healthcare, manufacturing, energy, and financial services. Affected parties can download the decryptor to recover their encrypted data – though there could be challenges, according to the Avast researchers.

The operators behind BianLian are among a growing number of ransomware groups using newer programming languages – in this case Go, though others are turning to Rust – to make the malware harder to detect, evade endpoint protection tools, and use the languages' concurrency features to run multiple operations at the same time.

The concurrency feature enables BianLian to encrypt the data quickly, according to a report by BlackBerry in October 2022. In addition, the ransomware deletes itself after the encryption is complete, Avast researchers wrote in their report. And therein lies the problem.

“The decryptor can only restore files encrypted by a known variant of the BianLian ransomware,” they wrote. “For new victims, it may be necessary to find the ransomware binary on the hard drive; however, because the ransomware deletes itself after encryption, it may be difficult to do so.”

They also recommended looking for .EXE files in folders like %temp%, Documents and Pictures that don’t normally contain executables, and checking the antivirus software’s virus vault. The BianLian executable is about 2MB in size.

According to Avast, once the ransomware is executed, it searches all disk drives and then the files within them. It encrypts every file whose extension matches one of the 1,013 extensions hardcoded in its binary and appends .bianlian to the file's existing extension. The malware encrypts only the middle of each file, not the beginning or the end.
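The two indicators the article gives a victim to work with are the stray executable (an .EXE of roughly 2MB in %temp%, Documents or Pictures) and the .bianlian extension on encrypted files. The PowerShell triage script below is an added example, not code from Avast or The Register: it lists executables in those folders within an assumed size window, hashes them so the sample can be identified or submitted, and inventories .bianlian files on fixed drives so the scope of encryption is known before any decryptor is run. The size window, the output CSV names and the restriction to fixed drives are assumptions made here.

```powershell
# Added triage example (not from Avast or The Register). Enumerates candidate
# ransomware binaries in folders that rarely hold executables, and inventories
# files carrying the .bianlian extension. Size window, output paths and the
# fixed-drive filter are assumptions, not values from the article.

$SearchRoots = @(
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Documents'),
    (Join-Path $env:USERPROFILE 'Pictures')
)

# The article puts the BianLian executable at about 2MB; this window is a guess
# wide enough to tolerate packing or version differences.
$MinBytes = 1MB
$MaxBytes = 4MB

function Find-CandidateExecutables {
    param([string[]]$Roots, [long]$Min, [long]$Max)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -ge $Min -and $_.Length -le $Max } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTimeUtc
                    # Hash lets the sample be matched against AV quarantine or shared with responders.
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Get-EncryptedFileInventory {
    param([string[]]$Drives)
    foreach ($drive in $Drives) {
        Get-ChildItem -LiteralPath $drive -Filter '*.bianlian' -File -Recurse -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTimeUtc
    }
}

# The ransomware walks all disk drives, so the inventory covers every fixed drive letter.
$drives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { $_.Root }

$candidates = @(Find-CandidateExecutables -Roots $SearchRoots -Min $MinBytes -Max $MaxBytes)
$encrypted  = @(Get-EncryptedFileInventory -Drives $drives)

if ($candidates.Count -gt 0) {
    $candidates | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'bianlian-candidate-exes.csv')
}
if ($encrypted.Count -gt 0) {
    $encrypted | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'bianlian-encrypted-files.csv')
}

"Candidate executables found: $($candidates.Count)"
"Files with .bianlian extension: $($encrypted.Count)"
```

Run it from an elevated PowerShell session on the affected machine; the full-drive walk is slow but deliberate, since the decryptor is only useful once every encrypted file is accounted for. The candidate list is a starting point, not a verdict: a legitimate installer cached in %temp% will land in the same window, which is why the hash is recorded alongside the path.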

It then drops the ransom note with the heading “Look at this instruction.txt” in every folder in the victim’s system.

The note gives victims multiple ways of contacting the operators – including the Tox encrypted chat app or via direct email. It also indicates that they not only encrypted the data but downloaded it, threatening to make the files public within ten days. This is typical of a double-extortion group.

The miscreants behind BianLian are unknown, though according to reports they appear to be skilled but new to the ransomware field – they don't seem to be the remnants of defunct groups such as Conti. BianLian's toolkit includes not only ransomware but also backdoor malware, likewise written in Go.

“The BianLian group appears to represent a new entity in the ransomware ecosystem,” analysts from [redacted] wrote in September 2022. “Furthermore, we assess that the BianLian actors represent a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

The group can compromise a network, but they’ve made mistakes – including accidentally sending data from one victim to another, delaying communicating with victims and having an unreliable infrastructure.

That said, it’s an aggressive group. As of September, its leak site listed 23 victims, according to BlackBerry. Cybersecurity firm Dragos linked BianLian to three ransomware incidents in Q3 2022.

Most of the victims appear to come from the US, UK, and Australia, according to various cybersecurity analyses. BlackBerry’s researchers wrote that the group targets English-speaking countries because its motivation is financial rather than political or geographic.

Go also lets developers compile the same code base for Windows, Linux, and OS X, which means malware authors aren't limited in the operating systems they can target.

Initial access is gained through the ProxyShell vulnerability chain, then the group deploys a webshell or lightweight remote access tool, [redacted] wrote. BianLian has also exploited SonicWall VPN devices.

The miscreants' infrastructure first appeared online in December 2021 and they have been developing the toolset since, rapidly expanding its command-and-control (C2) infrastructure in August 2022 to as many as 30 IPs, signaling a ramp-up in the group's activity.

Avast’s latest decryptor follows one released earlier this year for the MegaCortex ransomware, which was created via a group effort by Europol, cybersecurity vendor Bitdefender, the NoMoreRansom Project, Zurich Public Prosecutor’s Office, and Zurich Cantonal Police. ®