BianLian is ransomware, active since mid-2022, that encrypts a victim's files and demands a ransom for the decryption key. The group originally ran a double-extortion scheme: it stole data before encrypting it and threatened to publish the data if the ransom was not paid. After Avast released a free decryptor in January 2023, the BianLian group shifted to extortion based on the stolen data alone, frequently without encrypting anything at all.
BianLian operators target enterprises across several industries, including banking, manufacturing, insurance, education, and healthcare.
Victims are concentrated in English-speaking countries. The group has claimed no nation-state affiliation or political agenda and appears to be purely financially motivated.
After encrypting a file, it appends the .bianlian extension to the filename and drops a ransom note named “Look at this instruction.txt” on the desktop.
BianLian encrypts and locks the victim’s files and then demands a ransom in exchange for the decryption key, combined with the double-extortion tactic of threatening to leak the stolen data on the dark web if the ransom is not paid.
Because it is written in Go, the same codebase can be compiled for different operating systems and environments; the tooling described below (WinRM, PowerShell, shadow-copy deletion), however, is specific to Windows, which is where the observed attacks have landed.
Confirmed Name: BianLian ransomware
Threat Type: Ransomware, crypto-virus, file locker, data extortion
Encrypted Files Extension: .bianlian
Ransom Demanding Message: Look at this instruction.txt
Is There a Free Decryptor Available? Yes, from Avast.
Does the decryptor work? Yes, Avast’s free BianLian decryptor unlocks files encrypted by the variant Avast analyzed. Because the decryptor undermined the encryption side of the scheme, the threat actors moved to extortion based on stolen data, often without encrypting files at all.
Detection Names: Vary by antivirus vendor.
Symptoms: Files cannot be opened and carry the .bianlian extension; a ransom note named “Look at this instruction.txt” appears on the desktop.
Distribution methods: Exploitation of the ProxyShell vulnerabilities in Microsoft Exchange and use of compromised RDP credentials, followed by living-off-the-land tools for network profiling and lateral movement.
Consequences: Files encrypted, data stolen and threatened with publication on the group’s leak site, business downtime.
Prevention: Strong unique passwords and multi-factor authentication, removal of unused accounts, prompt patching, 3-2-1 backups with an offline copy, regular vulnerability assessments, and a tested recovery plan.
BianLian’s reported initial access vectors include exploitation of the ProxyShell vulnerability chain in Microsoft Exchange and the use of compromised RDP credentials. Once inside, the operators rely on living-off-the-land (LotL) techniques, that is, built-in Windows tools and legitimate administration software, for network profiling and lateral movement.
BianLian developers built the ransomware using the Go programming language (aka Golang).
It adds a ransom note to the desktop where the cybercriminals threaten to leak the data unless the ransom is paid.
Example of the ransom note:
Your network systems were attacked and encrypted. Contact us in order to restore your data. Don’t make any changes in your file structure: touch no files, don’t try to recover by yourself, that may lead to its complete loss.
To contact us you have to download “tox” messenger: hxxps://qtox.github.io/
Add user with the following ID to get your instructions:
A4B3B0845DA242A64BF17E0DB4278EDF 85855739667D3E2AE8B89D5439015F07E81D12D767FC
Alternative way: swikipedia@onionmail.org
Your ID: –
You should know that we have been downloading data from your network for a significant time before the attack: financial, client, business, post, technical and personal files.
In 10 days – it will be posted at our site hxxp://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion with links sent to your clients, partners, competitors and news agencies, that will lead to a negative impact on your company: potential financial, business and reputational losses.
BianLian reboots servers into Windows Safe Mode and runs its encryptor there, where most endpoint security agents are not loaded. It also deletes Volume Shadow Copies and other reachable backups, and launches its Go encryption module through Windows Remote Management (WinRM) and PowerShell scripts.
The group’s lateral-movement capability lets it locate and exfiltrate data for double extortion before encryption begins. After encrypting the data and dropping the ransom note, the attackers give victims 10 days to pay before publishing the stolen data on their leak site.
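The symptoms described earlier (the .bianlian extension and the ransom note name) and the behaviors described in this section (Safe Mode reboot, shadow-copy and backup deletion, PowerShell launched through WinRM) can be turned into a quick triage check over endpoint telemetry. The script below is an added example written for this article; it is not SalvageData’s, Avast’s or any BianLian report’s code. The process events and file paths are constructed sample data, and the command lines in the rules (bcdedit safeboot, vssadmin delete shadows, wsmprovhost.exe spawning powershell.exe) are generic instances of each behavior that are assumed to be what telemetry would show, not published BianLian indicators.

```python
"""Triage check for the BianLian indicators described on this page.

Added example for this article; not SalvageData's, Avast's or the attackers'
code. Two checks:
  1. file-system symptoms: the ".bianlian" extension and a ransom note named
     "Look at this instruction.txt";
  2. process-creation events matching the behaviours described above:
     rebooting into Safe Mode, deleting shadow copies or backups, and
     PowerShell launched through WinRM.
The events and paths at the bottom are constructed sample data. The command
lines in the rules are generic instances of each behaviour (an assumption
about what endpoint telemetry would show), not published BianLian IOCs.
"""
import ntpath
import re
from dataclasses import dataclass

RANSOM_NOTE = "Look at this instruction.txt"
ENCRYPTED_EXT = ".bianlian"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event ID 1 provides)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# (rule name, parent-image regex or None, image regex, command-line regex).
# Patterns are matched case-insensitively against the full path / command line.
RULES = [
    # Boot configuration changed to start in Safe Mode (EDR usually not loaded there).
    ("safe_mode_boot", None, r"(^|\\)bcdedit\.exe$", r"/set\b.*\bsafeboot\b"),
    # Volume Shadow Copy deletion through vssadmin or WMI.
    ("shadow_copy_delete", None, r"(^|\\)vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("shadow_copy_delete_wmic", None, r"(^|\\)wmic\.exe$", r"\bshadowcopy\s+delete\b"),
    # Windows Server Backup catalog removed.
    ("backup_catalog_delete", None, r"(^|\\)wbadmin\.exe$", r"\bdelete\s+catalog\b"),
    # PowerShell whose parent is the WinRM host process: remote execution.
    ("winrm_spawned_powershell", r"(^|\\)wsmprovhost\.exe$",
     r"(^|\\)(powershell|pwsh)\.exe$", r"."),
]


def _matches(pattern, value):
    return re.search(pattern, value, re.IGNORECASE) is not None


def match_process_events(events):
    """Return (host, rule_name, command_line) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, parent_re, image_re, cmd_re in RULES:
            if parent_re and not _matches(parent_re, ev.parent_image):
                continue
            if _matches(image_re, ev.image) and _matches(cmd_re, ev.command_line):
                hits.append((ev.host, name, ev.command_line))
    return hits


def find_file_indicators(paths):
    """Split a list of Windows paths into encrypted files and ransom notes."""
    encrypted = [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]
    notes = [p for p in paths if ntpath.basename(p).lower() == RANSOM_NOTE.lower()]
    return encrypted, notes


def summarize(events, paths):
    """Per-host rule hits plus counts of file-system indicators."""
    per_host = {}
    for host, rule, _cmd in match_process_events(events):
        per_host.setdefault(host, set()).add(rule)
    encrypted, notes = find_file_indicators(paths)
    return {
        "hosts": {h: sorted(r) for h, r in per_host.items()},
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
    }


# Constructed sample telemetry: three suspicious events on FS01, two benign ones on WS22.
SAMPLE_EVENTS = [
    ProcEvent("FS01", r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -ep bypass -f C:\Windows\Temp\run.ps1"),
    ProcEvent("FS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("FS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit.exe /set {default} safeboot minimal"),
    ProcEvent("WS22", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt"),
    ProcEvent("WS22", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit.exe /enum"),  # legitimate admin use: no "/set ... safeboot"
]

# Constructed sample file listing from a file share and a user desktop.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\Look at this instruction.txt",
    r"D:\Shares\Finance\Q3-budget.xlsx.bianlian",
    r"D:\Shares\Finance\readme.txt",
]

if __name__ == "__main__":
    for host, rule, cmd in match_process_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print(summarize(SAMPLE_EVENTS, SAMPLE_PATHS))
```

Each rule requires both a specific image and a specific command-line shape, so routine administration such as bcdedit /enum does not fire; a host that triggers several rules in a short window (FS01 in the sample) is the one to isolate first. The same extension and note checks are how you confirm the family before looking for a decryptor.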
Preventing ransomware attacks is easier and cheaper than recovering from them. We already mentioned several ways you can prevent BianLian ransomware attacks. Here is a complete list of what to do to keep your data and business safe.
Use strong, unique passwords for every account and never share credentials between people; grant access on a need-to-know basis. If an employee does not need a given application or account for their work, they should not have access to it. Least privilege limits what a compromised account, such as the stolen RDP credentials BianLian has used, can reach.
Enable multi-factor authentication (MFA) on all remote access (RDP, VPN, webmail) and on administrative accounts, so that a stolen password alone is not enough to get in.
Dormant accounts are an easy foothold for attackers. Disable and remove unused accounts, including those of former employees, and review service accounts regularly.
Outdated software is a weak point: BianLian’s ProxyShell exploitation works only against Exchange servers missing patches that Microsoft published in 2021. Apply security updates promptly, prioritizing internet-facing systems such as mail servers, VPN gateways, and RDP hosts.
Follow the 3-2-1 rule: keep at least three copies of your data on two different media, with at least one copy offline and off-site. The offline copy is the one that survives a ransomware attack, because BianLian deletes shadow copies and any backups it can reach over the network.
Back up regularly and test your restores; a backup that has never been restored is not a backup.
Whether you rely on an in-house IT team or an external security provider, someone must own your security posture.
Either way, someone must regularly look for weaknesses in the network: exposed services, unpatched or outdated software, misconfigurations, and backdoors left behind by earlier intrusions.
Data recovery plans are documents that work as guides on what to do in case of a disaster. This can help you restore your business faster and more securely.
See how to create a data recovery plan with our in-depth guide.
The first step in recovering from a BianLian attack is to isolate the infected systems: disconnect them from the network (unplug the cable or disable Wi-Fi) and detach any connected storage devices, but where possible leave them powered on so that volatile evidence is preserved. Then report the incident to the authorities. In the US, that means your local FBI field office and the Internet Crime Complaint Center (IC3).
When reporting the attack, gather as much information about it as you can.
Do not delete the ransomware binaries or wipe the infected systems; preserve all evidence of the attack. Forensic investigators use that data to reconstruct the intrusion and attribute it to the group responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.
After isolating the devices and contacting the authorities, follow these steps to retrieve your data:
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.
An incident response retainer gives organizations expert support both before and in the aftermath of a cybersecurity incident. The specific nature and structure of a retainer vary according to the provider and the organization’s requirements. A good retainer should be robust but flexible, providing proven services that improve the organization’s long-term security posture.
You can identify which ransomware infected your machine from the file extension (many families, BianLian included, use their own name as the extension) or from the ransom note. With that information, you can check whether a free public decryptor exists.
Avast publishes a free BianLian decryptor on its ransomware decryption tools page. If your files carry the .bianlian extension, try it first; note that it was built against the variant Avast analyzed, so files encrypted by a later build may not be recoverable with it.
Before recovering your data, make sure the devices are clean and that the attackers can no longer get back in through the vulnerabilities or credentials they used the first time.
Paying the ransom does not guarantee that you will receive a working key, and with BianLian the main threat is publication of the stolen data, which no payment can undo. Paying also funds further criminal activity and may violate sanctions. For these reasons, DO NOT PAY THE RANSOM.
Instead, contact local authorities and work on restoring your data and removing the BianLian ransomware from your computer or business network.
A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
Backups are the most reliable way to recover data. Back up daily or weekly, depending on how quickly your data changes, and keep at least one copy offline where the ransomware cannot reach it.
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a ransomware data recovery service.
SalvageData experts can safely restore your files and guarantee that BianLian ransomware does not attack your network again. Contact our experts 24/7 for emergency recovery service or find a recovery center near you.