BianLian ransomware, written in Go, encrypts files at high speed using concurrent goroutines and targets a wide range of industries across several countries. Its ransom note lists Tox and email contacts, and the artifacts observed on victim hosts point to manual deployment, with backdoors installed to keep access and a data exfiltration step before encryption. #BianLian #GoLang #ProxyShell #SonicWall #ThreatFabric
Keypoints
- BianLian is Golang-based ransomware designed for speed, leveraging Go’s concurrency (goroutines) to encrypt files quickly.
- The threat targets many industries and countries, with 23 victims listed on the operator’s leak site as of Sep 20, 2022 (US, Australia, UK among others).
- The malware enumerates drive letters A: to Z: by calling GetDriveTypeW to decide which volumes to encrypt; files on the selected drives are then processed in chunks.
- Files are encrypted with the Go standard library crypto package in 16-byte chunks and renamed with a “.bianlian” extension; ransom notes instruct victims how to contact operators and note a 10-day deadline before data release on an onion site.
- Initial access is likely via ProxyShell or a SonicWall VPN vulnerability, followed by lateral movement and potential data exfiltration using tools like WinSCP and 7-Zip; backdoors may be installed to maintain access.
- Go-specific features (static linking, BuildID) and multi-threaded encryption account for the speed and may help the binary evade AV scanning; a YARA rule has been published to detect this family.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access is gained via the ProxyShell vulnerability chain or a SonicWall VPN firmware vulnerability. ‘initial access is gained via the ProxyShell vulnerability chain or a SonicWall VPN firmware vulnerability.’
- [T1120] Peripheral Device Discovery – Ransomware searches the host machine for all possible drive names using GetDriveTypeW. ‘The ransomware uses GetDriveTypeW from the kernel32 library.’
- [T1486] Data Encrypted for Impact – Encrypts files using the standard library crypto package in Go, and processes in chunks, renaming files with a .bianlian extension. ‘The ransomware encrypts files using the standard library crypto package in Go.’
- [T1068] Privilege Escalation – The report notes the threat actor escalates privileges during lateral movement. ‘escalates their privileges.’
- [T1027] Obfuscated/Compressed Files and Information – Static linking of Go libraries embeds libraries into the binary, which can affect detection and distribution. ‘Go libraries are statically linked, which means all the necessary libraries are included in the compiled binary. Including these libraries makes for a larger file that is harder to distribute, but larger files might also be ignored by antivirus (AV) engines…’
Indicators of Compromise
- [File Hash] Sample file (anabolic.exe) – 46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b
- [File Hash] Additional sample hash observed – 117a057829cd9abb5fba20d3ab479fc92ed64c647fdc1b7cd4e0f44609d770ea
- [File Hash] Additional sample hash observed – 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
- [File Name] Ransom note file dropped – Look at this instruction.txt
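A host triage script built from the indicators above (the .bianlian extension and ransom note name from the keypoints, and the three sample hashes from this IoC list). It is an added example, not code from the report or from BlackBerry; the directory layout it is run against is whatever the responder supplies, and no hashes or names other than those on this page are assumed.

```python
import hashlib
import os
from pathlib import Path

# Indicators as listed in the report above: SHA-256 of observed samples,
# the dropped ransom note name, and the extension appended to encrypted files.
KNOWN_SAMPLE_SHA256 = {
    "46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b",
    "117a057829cd9abb5fba20d3ab479fc92ed64c647fdc1b7cd4e0f44609d770ea",
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",
}
RANSOM_NOTE_NAME = "Look at this instruction.txt"
ENCRYPTED_EXT = ".bianlian"


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str) -> dict:
    """Walk `root` and collect BianLian indicators.

    Returns a dict with three lists: files carrying the .bianlian extension,
    dropped ransom notes, and files whose SHA-256 matches a known sample.
    Unreadable files are skipped so one permission error does not abort triage.
    """
    findings = {"encrypted": [], "notes": [], "samples": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                findings["notes"].append(str(p))
            if name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(str(p))
                continue  # ciphertext output, not a binary worth hashing
            try:
                if sha256_of(p) in KNOWN_SAMPLE_SHA256:
                    findings["samples"].append(str(p))
            except OSError:
                pass
    return findings


if __name__ == "__main__":
    import json, sys
    print(json.dumps(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against a mounted image or a suspect share; a non-empty "notes" or "encrypted" list is the quickest confirmation that the host was hit, while a "samples" match identifies the dropped binary for further analysis.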
Read more: https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye