cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Ransomware group BianLian refines tactics in the face of free decrypter

The BianLian ransomware group burst onto the hacking scene with a frenzied pace of operations. Its infrastructure goes back to 2021, but it was August of last year that saw the group enter an accelerated growth phase, with a number of high-profile ransomware attacks across the globe, including in Australia.

user icon David Hollingworth
Thu, 23 Mar 2023
Ransomware group BianLian refines tactics in the face of free decrypter
expand image

However, its operations were dealt a blow last month, when Avast released a free decryption tool that allowed victims to regain access to their data.

Now, though, the BianLian gang has changed up its tactics yet again.

Threat researchers at [redacted] (actual company name, by the way) have observed the gang moving away from encrypting files and demanding a ransom in return for the decryption key – instead, BianLian is now engaging in simple extortion. The gang’s tactics are largely the same, but they now demand a ransom and threaten to publish information wholesale if no payment is received.


“The group continues to maintain and deploy their custom backdoor, written in Go, which provides another means of remote access to a compromised network,” [redacted]’s researchers said in a blog post. “While BianLian has made small tweaks here and there to their backdoor such as updating various support libraries and attempting to better hide in plain sight in some scenarios, the core functionality of their backdoor remains unchanged.”

What has remained the same is how quickly the group operates. The researchers have noted that BianLian can bring up command and control infrastructure and compile a backdoor within minutes.

“With such a tight coupling of infrastructure and malware deployment, by the time a BianLian C2 is discovered it is likely that the group has already established a solid foothold into a victim’s network,” [redacted] said.

The group’s name is likely inspired by the Chinese theatrical form of the same name, famous for its quickly switching masks.

The group generally brings nearly 30 C2 networks online each month, and has already set up 11 servers in March alone.

And while there is almost no such thing as honour among thieves, BianLian staunchly promises to honour its own promises when it comes to releasing data online.

“Our business depends on the reputation even more than many others. If we will take money and spread your information – we will have issues with payments in future. So, we will stick to our promises and reputation. That works in both ways: if we said that we will email all your staff and publicly spread all your data – we will.”

How remarkably reassuring…

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.