
BianLian ransomware crew goes 100% extortion after free decryptor lands

No good deed goes unpunished, or something like that

The BianLian gang is ditching the encrypting-files-and-demanding-ransom route and instead is going for full-on extortion.

Cybersecurity firm Avast's release in January of a free decryptor for BianLian victims apparently convinced the miscreants that there was no future for them on the ransomware side of things and that pure extortion was the way to go.

"Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims' data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian's silence," threat researchers for cybersecurity company Redacted wrote in a report.

A growing number of ransomware groups are shifting to relying more on extortion than data encryption. However, it seems the impetus for this gang's move was that Avast tool.

When the security shop rolled out the decryptor, the BianLian group in a message on its leak site boasted that it created unique keys for each victim, that Avast's decryption tool was based on a build of the malware from the summer of 2022, and that it would terminally corrupt files encrypted by other builds.

The message has since been taken down and BianLian changed some of its tactics. That includes not only moving away from encrypting the data, but also posting masked details of victims on its leak site to prove it holds the data, in hopes of further incentivizing victims to pay.

Masking victim details

That tactic was in their arsenal before the decryptor tool was available, but "the group's use of the technique has exploded after the release of the tool," Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, wrote.

Between July 2022 and mid-January, postings with masked victim details accounted for 16 percent of the postings to the group's leak site. In the two months since the decryptor was released, masked victim details were in 53 percent of the postings. They're also getting the masked details up on the leak site even faster, sometimes within 48 hours of the compromise.

The group also is doing its research and increasingly tailoring its messages to victims to increase pressure on the organizations. Some of the messages make references to legal and regulatory issues facing organizations if a data breach became public, with the laws referenced appearing to correspond to the jurisdiction where the victim is located.

"With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, it appears that the previous underlying issues of BianLian's inability to run the business side of a ransomware campaign appear to have been addressed," the researchers wrote. "Unfortunately, these improvements in their business acumen are likely the result of gaining more experience through their successful compromise of victim organizations."

A growing presence

The BianLian gang hacked its way onto the scene in July 2022 and established itself as a rapidly emerging threat, particularly to such industries as healthcare (14 percent, the sector most victimized by the group), education and engineering (both 11 percent), and IT (9 percent). According to Redacted, as of March 13, the miscreants had 118 victims listed on their leak site.

About 71 percent of those victims are in the US.

The malware is written in Go, one of the newer languages, alongside Rust, that cybercriminals are adopting to evade detection, avoid endpoint protection tools, and run multiple computations simultaneously.

Though changing some of its tactics, BianLian is staying consistent as far as initial access and lateral movement through a victim's network. There have been tweaks to the custom Go-based backdoor, but the core functionality is the same, the report finds.

Redacted, which has tracked BianLian since last year, also is getting a view of the tight coupling between the backdoor deployment and the command-and-control (C2) server, which indicates that "by the time a BianLian C2 is discovered, it is likely that the group has already established a solid foothold into a victim's network," the researchers wrote.

The threat group brings almost 30 new C2 servers online each month, with each C2 staying online for about two weeks.

As far as who is behind BianLian, the Redacted researchers wrote that they have "a working theory based on some promising indicators," but that they weren't ready to say for sure. ®
