Avast Releases Free BianLian Ransomware Decryptor

Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the threat actor. The availability of a decryptor comes only about half a year after increased activity from BianLian ransomware over the summer of 2022, when the threat group breached multiple high-profile organizations. Avast’s decryption tool can only help victims attacked by a known variant of the BianLian ransomware. If the attackers are using a new version of the malware that researchers have yet to catch, the tool is of no help at the moment. However, Avast says the BianLian decryptor is a work in progress, and the ability to unlock more strains will be added shortly. BianLian (not to be confused with the same-name Android banking trojan) is a Go-based ransomware strain targeting Windows systems. It uses the symmetric AES-256 algorithm with the CBC cipher mode to encrypt over 1013 file extensions on all accessible drives. The malware performs intermittent encryption on the victim’s files, a tactic that helps speed up the attacks at the expense of data locking strength. Encrypted files get the “.bianlian” extension, while the generated ransom note warns victims that they have ten days to meet the hacker’s demands or their private data will be published on the gang’s data leak site.

Analyst Notes

The BianLian ransomware decryptor is available for free as a standalone executable that does not require installation. Users select the location they wish to decrypt and provide the software with a pair of original/encrypted files. There is also an option for users who hold a valid decryption password; if the victim does not have one, the software can still attempt to recover it by iterating through all known BianLian passwords and checking each candidate against the supplied file pair. The decryptor also offers an option to back up encrypted files, so that data is not irreversibly lost if something goes wrong during the process. Those attacked by newer versions of the BianLian ransomware will have to locate the ransomware binary on the hard drive, which may contain data that can be used to decipher the locked files.
Those who manage to retrieve BianLian binaries are requested to send them to “[email protected]” to help Avast improve its decryptor.
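The recovery approach the notes describe, a known-plaintext check of candidate passwords against an original/encrypted file pair, is shown below as an added example; it is not Avast's decryptor code and does not reproduce BianLian's real scheme. The key derivation (plain SHA-256 of the password), the fixed IV, whole-file CBC with PKCS#7 padding and the sample file contents are all constructed assumptions for illustration; the page does not describe how BianLian derives keys or lays out its intermittent encryption, so neither is modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey turns a candidate password into a 32-byte AES-256 key.
// ASSUMPTION: plain SHA-256. The real BianLian derivation is not on the
// page; this only stands in for "some deterministic password -> key step".
func deriveKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// pkcs7Pad pads data up to a multiple of blockSize (used to build the sample).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips padding, rejecting malformed padding so that a wrong
// key is usually detected before the plaintext comparison.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding byte")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return data[:len(data)-n], nil
}

// encryptCBC produces the "encrypted file" half of a constructed sample pair.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptCBC decrypts AES-256-CBC ciphertext and removes PKCS#7 padding.
func decryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

// findPassword tries each known candidate password and returns the first one
// whose derived key turns the encrypted file back into the original file.
// This is the "iterate through all known passwords" step from the notes.
func findPassword(candidates []string, original, encrypted, iv []byte) (string, bool) {
	for _, pw := range candidates {
		plain, err := decryptCBC(deriveKey(pw), iv, encrypted)
		if err != nil {
			continue // wrong key: padding check almost always fails
		}
		if bytes.Equal(plain, original) {
			return pw, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: a plaintext file and its encryption under one of
	// three hypothetical "known" passwords.
	original := []byte("constructed sample plaintext: quarterly report draft")
	iv := []byte("0123456789abcdef") // 16-byte IV, constructed for the sample
	encrypted, err := encryptCBC(deriveKey("constructed-pw-2"), iv, original)
	if err != nil {
		panic(err)
	}
	known := []string{"constructed-pw-1", "constructed-pw-2", "constructed-pw-3"}
	if pw, ok := findPassword(known, original, encrypted, iv); ok {
		fmt.Printf("recovered password: %s\n", pw)
	} else {
		fmt.Println("no known password matches this file pair")
	}
}
```

The same search is what a decryptor runs when the victim lacks a password: each known password is derived into a key, the encrypted sample is decrypted, and only a candidate whose output matches the supplied original is accepted. Because the comparison is against the victim's own file pair, a wrong candidate is rejected without any risk to other files, which is also why keeping a backup of the encrypted data before bulk decryption costs nothing and guards against a mismatched variant.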

Decrypted: BianLian Ransomware