The researchers said the BianLian ransomware emerged in August 2022 and raised the threat bar by encrypting files at high speeds. The threat group performed targeted attacks in many different industries, including media and entertainment, manufacturing and the healthcare sector.
According to the researchers, upon its execution, BianLian searches all available disk drives (from A: to Z:). For all found drives, it then searches all files and encrypts files whose file extensions match one the 1,013 extensions hardcoded in the ransomware’s binary.
Typically, decryptors help existing victims, however, the adversary notices and changes tactics quickly, so decryptors often have limited use going forward, said John Bambenek, principal threat hunter at Netenrich. “That being said, victims may not be known to researchers,” said Bambenek said. “Therefore, a public decryptor can help those unknown victims recover some of their data, so it’s still a great service to perform.”
Andrew Barratt, vice president at Coalfire, added that encrypting ransomware has become the scourge of blue teams everywhere. Not knowing if anyone will make a decryptor available, or if the malware uses rotating or online keys makes it very difficult to avoid having to pay the ransom, said Barratt.
“While this decryptor only works on a known variant — it’s better than nothing for those impacted,” said Barratt. “It does put emphasis on the importance for good defensive planning, though, if the team depends on publicly-available research to recover business systems or data — the security plan needs more attention and the company should take a long look at the maturity of any existing programs in the organization.”
Drew Schmitt, lead analyst at GuidePoint's research and intelligence team (GRIT), pointed out that BianLian was the seventh most active double extortion ransomware group in 2022, despite its operations beginning in summer 2022. Schmitt said GRIT found that BianLian claimed 76 public victims, accounting for 3% of the total ransomware victims in 2022.
“Beginning in late-November through the end of 2022, the group has averaged one new public victim each day, which may be a result of maturing their processes and/or adding new members to their team,” said Schmitt. “Although BianLian has become well-known in 2022, their methods show signs of an inexperienced group including leveraging a less sophisticated leak site and utilizing chat applications such as Tox for conducting their negotiations. BianLian is also generally more aggressive in their negotiation tactics, starting most negotiations with very high ransom demands.”