Avast has released a decryptor for the BianLian ransomware, making it publicly available to help victims recover encrypted files. The article outlines BianLian’s Go-based ransomware behavior, its AES-256-CBC encryption, and how to use Avast’s decryptor to restore files.
Keypoints
- Avast released a decryptor for BianLian ransomware for public download.
- BianLian emerged in August 2022 and has targeted multiple industries, encrypting files rapidly.
- BianLian is a Go-based 64-bit Windows ransomware that encrypts data with AES-256 in CBC mode and references cryptography libraries without using them directly.
- Encryption appends the .bianlian extension and drops a ransom note named “Look at this instruction.txt” in each folder.
- It searches all drives (A: to Z:) and encrypts files with extensions from a 1013-extension list; encryption starts at a fixed offset per sample and not at the file start.
- The ransomware deletes itself after encryption using a command like “cmd /c del .”
- The Avast decryptor supports only known variants and requires locating the ransomware binary on the host; common sample locations include several Temp and user-profile folders.
MITRE Techniques
- [T1083] File and Directory Discovery – “Upon its execution, BianLian searches all available disk drives (from A: to Z:). For all found drives, it searches all files and encrypts all whose file extension matches one of the 1013 extensions hardcoded in the ransomware binary.”
- [T1486] Data Encrypted for Impact – “File data is encrypted with AES-256 in CBC mode. The length of the encrypted data is aligned to 16 bytes, as required by the AES CBC cipher. After data encryption, the ransomware appends the .bianlian extension and drops a ransom note called Look at this instruction.txt into each folder on the PC.”
- [T1070.004] File Deletion – “the ransomware deletes itself by executing the following command: cmd /c del .”
Indicators of Compromise
- [SHA256] IOCs – 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43, 3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f, and 5 more hashes
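As an added triage example (not Avast's decryptor and not code from the original article), the Python below walks a host's file tree for the artefacts listed above: the ransom note, `.bianlian` files, and any executable whose SHA256 matches a known IOC, which is the binary the decryptor has to be pointed at. Only the two hashes quoted on this page are included; the dry-run layout and the placeholder executable are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "Look at this instruction.txt"
ENCRYPTED_EXT = ".bianlian"
# The two SHA256 IOCs quoted on the page (it mentions five more, not listed here).
KNOWN_SAMPLE_HASHES = {
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",
    "3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f",
}

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_tree(root: Path, known_hashes=KNOWN_SAMPLE_HASHES) -> dict:
    """Collect ransom notes, .bianlian files and executables matching an IOC hash."""
    report = {"ransom_notes": [], "encrypted_files": [], "ioc_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                report["ransom_notes"].append(str(p))
            elif p.suffix.lower() == ENCRYPTED_EXT:
                report["encrypted_files"].append(str(p))
            elif p.suffix.lower() == ".exe" and sha256_file(p) in known_hashes:
                report["ioc_hits"].append(str(p))  # only executables are hashed
    return report

def dry_run() -> dict:
    """Triage a constructed (not real) post-infection layout; return counts per category."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        docs = root / "Documents"
        docs.mkdir()
        (docs / RANSOM_NOTE).write_text("placeholder ransom note\n")
        (docs / "report.docx.bianlian").write_bytes(os.urandom(64))
        (docs / "budget.xlsx.bianlian").write_bytes(os.urandom(48))
        temp = root / "AppData" / "Local" / "Temp"
        temp.mkdir(parents=True)
        sample = temp / "update.exe"
        sample.write_bytes(b"CONSTRUCTED placeholder, not a real BianLian binary")
        # The placeholder's own hash is added as an IOC to exercise the match path.
        report = triage_tree(root, KNOWN_SAMPLE_HASHES | {sha256_file(sample)})
    return {k: len(v) for k, v in report.items()}
```

On a real host, run `triage_tree` over the drive roots and the Temp and user-profile folders the article names; an `ioc_hits` entry is the file to hand to the decryptor.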
Read more: https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/