In order to assist victims of the infection in retrieving their files without paying the thieves, security software provider Avast has made a free decryptor for the BianLian ransomware strain available. The release of a decryptor comes just over a year after BianLian ransomware activity spiked throughout the latter part of 2022 when the threat group penetrated numerous well-known companies.
Only those who have been infected by a known strain of the BianLian ransomware can benefit from Avast’s decryption tool. The tool is useless if the hackers utilize a new malware variant that experts have yet to discover. However, according to Avast, the BianLian decryptor is still under development, and more strains will soon be able to be unlocked.
BianLian Ransomware New Variant
A Go language ransomware variant called BianLian that targets Windows systems is not to be confused with the Android banking virus of the same name. On all drives that are accessible, it encrypts over 1013 file extensions using the symmetric AES-256 algorithm and CBC cipher mode.
In an effort to hasten attacks at the expense of data-locking strength, the malware conducts spotty encryption on the victim’s files. The “.bianlian” suffix is used for encrypted files, and the created ransom letter informs victims that if they don’t comply with the demands within ten days, their personal information will be made public on the hacking gang’s data leak website.
The BianLian ransomware decryptor is a standalone software that may be run without needing to be installed. Users can choose where they want to decrypt from and provide the software with two original/encrypted files.
Users with a working decryption password have the choice to use it, but if the victim doesn’t have one, the software can still try to decipher it by repeatedly iterating through all BianLian passwords. In case something goes wrong during the decryption process, the decryptor also provides the option to back up encrypted files. This prevents the loss of data from being irreversible.
The ransomware binary, which may contain information that can be utilized to decrypt the locked files, must be found on the hard drive by those who have been infected by newer versions of the BianLian ransomware.
According to Avast, some typical locations and filenames for BianLian are:
- C:\Windows\TEMP\mativ.exe
- C:\Windows\Temp\Areg.exe
- C:\Users\%username%\Pictures\windows.exe \sanabolic.exe
However, it is unlikely that victims will discover those programs on their systems because the malware deletes itself after the file-encrypting stage. In order to aid Avast in improving its decrypter, those who are able to locate BinaLian binaries are asked to submit them to “[email protected]”
BianLian Preys On Numerous Businesses.
They will continue their efforts to abuse the systems and networks they obtain access to because they most likely have financial motivations. Their Golang-based ransomware uses goroutines to ransom an infected system quickly and encrypts files in chunks. The threat actor targets a number of industries in a number of nations. Their method of deployment is manual system infiltration, and they use living-off-the-land (LotL) binaries to scout out the networks and systems. They release their ransomware after they have all the data they require.
Who Does BianLian Ransomware Target?
The professional services, manufacturing, healthcare, energy, media, banks, and education sectors have all been hit by this ransomware organization so far. Their current targets are located in the United Kingdom, Australia, and the United States. There is no proof to suggest that they are confined to these regions or sectors.
Prevention Advice
- Use the file carving method to inspect files transferred over the network (D3-FC).
- File Access Pattern Analysis (D3-FAPA): This tool analyzes how an application accesses files; it may be used to detect ransomware’s use of multiple read/write operations on files.
- Detect unauthored remote sessions using network traffic using the Remote Terminal Session Detection (D3-RTSD) tool.
- Ransomware writes ransom notes; this behavior can be identified using File Creation Analysis (D3-FCA).
- Bianlian Ransomware YARA Rule
Conclusion
A free program for decrypting data that has been encrypted by the BianLian ransomware has been made available by Avast’s Threat Research team. Although the file is free, there is a small catch to how it operates for the decoder to compare it with the encrypted version; you must have one of the encrypted files in its original form. The decoder should be able to crack the password after you have that and follow a few additional easy steps, such as pointing it at the location of the file you wish to decrypt. After that, you can decrypt everything else using that password.
“BianLian ransomware uses the typical doxing approach popular among ransomware authors today, threatening the user to publish their data. Data encryption and extortion via ransomware are a businesses’ worst nightmare combined. Yet we urge affected people and businesses not to contact the threat actors. With this new decryptor, businesses and people can restore files encrypted by known BianLian ransomware variants, and as new variants appear we will look into options to update the tool to cover these as well. And as always, to prevent harm caused by an infection, frequent backups are recommended to make sure the data can be restored if encrypted by ransomware.”