Cyber Daily (Momentum Media)
Avast releases free decoder for BianLian ransomware

Avast’s Threat Research team has released a free executable for decoding files encrypted by BianLian ransomware.

David Hollingworth
Tue, 17 Jan 2023

The tool is free, but there is a catch to how it works: you need an unencrypted copy of one of the encrypted files (from a backup, for example), so that the decoder can compare the original with its encrypted version.

Once you have that pair, point the decoder at the file you want to decrypt and follow its few remaining steps; it should then be able to recover the password.

That password can then be used to decrypt everything else. Work on copies of the encrypted files rather than the only remaining versions until you have confirmed that the decrypted output is intact.
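The workflow above (one original file, one encrypted copy, then a password that unlocks the rest) is a known-plaintext key recovery. The following is an added toy model of it, not Avast's decryptor and not BianLian's real encryption scheme, which this article does not describe. It assumes a hypothetical ransomware that XORs every file with a keystream derived from a single 4-digit PIN; the file names, contents and PIN are constructed for the example.

```python
"""Toy known-plaintext key recovery, modelling the decoder workflow in the article.

Constructed example: the 'ransomware' here XORs each file with a keystream derived
from one password (a 4-digit PIN, so the search stays small). It is NOT BianLian's
real scheme; it only shows why one original file is enough to crack the password
and then decrypt every other file encrypted with it.
"""
import hashlib
from itertools import product
from typing import Iterable, Optional

BLOCK = 32  # one SHA-256 output per keystream block


def keystream(password: bytes, length: int) -> bytes:
    """Hypothetical keystream: SHA-256(password || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(password: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(password, len(plaintext)))


def decrypt(password: bytes, ciphertext: bytes) -> bytes:
    return encrypt(password, ciphertext)  # XOR is its own inverse


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Step 1: original XOR encrypted yields the keystream, up to the shorter file's length."""
    n = min(len(original), len(encrypted))
    return xor_bytes(original[:n], encrypted[:n])


def crack_password(known_keystream: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Step 2: find the password whose keystream reproduces the recovered prefix.

    Requires at least one full block of recovered keystream; a shorter prefix could
    match several candidate passwords and give an unreliable answer.
    """
    if len(known_keystream) < BLOCK:
        raise ValueError(f"known file too short: need >= {BLOCK} bytes, got {len(known_keystream)}")
    probe = known_keystream[:BLOCK]
    for cand in candidates:
        if keystream(cand, BLOCK) == probe:
            return cand
    return None


def pin_candidates() -> Iterable[bytes]:
    """Hypothetical password space for this toy: every 4-digit PIN."""
    for digits in product(b"0123456789", repeat=4):
        yield bytes(digits)


def recover_and_decrypt(original: bytes, encrypted: bytes, other_encrypted: bytes) -> Optional[bytes]:
    """Step 3: one (original, encrypted) pair -> password -> decrypt a file with no original."""
    pw = crack_password(recover_keystream(original, encrypted), pin_candidates())
    if pw is None:
        return None
    return decrypt(pw, other_encrypted)


# Constructed sample "victim" data.
SECRET_PIN = b"4271"  # used by the toy ransomware; unknown to the defender
REPORT = b"Quarterly report Q3 2022\n" * 4  # an original copy survives in a backup
DATABASE = b"INSERT INTO customers VALUES (1, 'Acme', 'acme@example.com');\n" * 3  # no original
REPORT_ENC = encrypt(SECRET_PIN, REPORT)
DATABASE_ENC = encrypt(SECRET_PIN, DATABASE)

if __name__ == "__main__":
    cracked = crack_password(recover_keystream(REPORT, REPORT_ENC), pin_candidates())
    print("cracked password:", cracked)
    print(decrypt(cracked, DATABASE_ENC).decode())
```

The two properties the toy relies on are the ones the article's decoder also needs: the same password protects every file, and a known pair leaks enough material to test candidate passwords. A real block cipher would not hand over the keystream by a plain XOR, so the comparison step there is more involved, but the requirement for an original file is the same.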


The BianLian ransomware first came to light in 2022, after development of its infrastructure began in December 2021, and it is thought to be the tool of choice of a group of the same name. The ransomware is known for its speed and stealth of operation, and its operators generally gain entry through the ProxyShell vulnerability chain in Microsoft Exchange, as well as through SonicWall VPN appliances.

Once inside a network, the operators deploy “either a web shell or a lightweight remote access solution such as ngrok as the follow-on payload,” according to cyber security researchers at Redacted.

“While we do not have direct evidence of a successful attack, we have indications that the actor targets servers that provide remote network access via solutions such as Remote Desktop, attempting to exploit weak or exposed credentials.

“We have also observed dwell times of up to six weeks from the actor gaining initial access to the actual encryption event,” Redacted’s researchers noted, speaking about the software’s stealth capabilities.

Once BianLian has encrypted a machine’s contents, all that is left are files with the .bianlian extension and a text file ransom note. The note gives victims 10 days to get in touch with the ransomware group, after which the files will be posted online.

BianLian command-and-control nodes nearly tripled between July and August of 2022, jumping to 31 C2 nodes, bringing it to the attention of many researchers.

While the actors appear to have had only limited success in extracting ransoms, they appear to be skilled coders, according to Redacted, and have struck at companies of all sizes around the world, mostly in North America, the UK and Australia. Media and entertainment is the most common sector among the victims, though at the time of Redacted’s report only nine organisations, across a range of industries, had been hit.

BianLian, incidentally, is named for a popular form of Chinese theatre, known for its colourful and ever-changing masks.

You can download the decoder from Avast to check out how it, and BianLian, works.

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
