Emerging in August 2022, BianLian became known as a ransomware that encrypted files within minutes. BianLian’s name derives from an ancient dramatic art that originates in China. Artists move about a stage in brightly colored outfits and masks and completely change the face of the masks with a swipe of a fan – within a blink of an eye.
BianLian was written in Golang and was compiled as a 64-bit Windows executable. During 2022 and 2023, BianLian wreaked havoc on various industries, including media and entertainment, manufacturing, and healthcare. As of March 13, 2023, BianLian has listed 118 organizations as victims on their extortion website, with the majority (71%) coming from the United States.
At its peak, BianLian utilized methods to evade analysis by making API calls that could cause crashes in sandboxes or automated analysis systems. It aimed to encrypt all drives detected on infected devices, and once the encryption process was finished, it erased itself. The ransomware was quite successful until a team of researchers and analysts at Avast developed a decryptor for BianLian and made it publicly available. In this report we will examine the impact of the released decryptor and why it is most likely only a temporary setback.
BianLian emerged in August 2022, but its most significant impact was observed in 2023. Known for attacking healthcare, the ransomware group listed California-based healthcare facility St. Rose Hospital as a victim in January 2023. The hospital is known as a designated cardiac arrest center in Alameda County and has a revenue of $100 million.
Image 1: Top Industry Attacks by BianLian
BianLian are a financially motivated group that will leak stolen data if they are not paid. After stealing 195 GB of staff and patient data, the ransomware group threatened to leak emails, project details, medical records, and accident reports.
BianLian continued their attacks into early March 2023 when they attacked the City of Waynesboro, Virginia, stealing 350 GB of data from the city’s network. The data included reports, investigations, and internal police station fileserver files. At that time, the group was still operating as a ransomware group, stealing data before encryption.
Unlike most ransomware encryptors which use asymmetric or public key encryption (where different keys are used for encryption and decryption). The BianLian encryptor used the symmetric AES256 algorithm (Golang package AES).This mean that the same key is used for encryption and decryption, and the key was stored in the encryptor. . The Avast team were then able to recover the encryption key and use it to write a new decryptor.
Not long after the attack on the City of Waynesboro, Virginia, BianLian’s ransomware operation was thwarted when Avast released a decryption tool to decrypt files encrypted by the ransomware. The tool is on Avast’s website and is free to download. The researchers at Redacted have been keeping a close eye on BianLian’s activities, releasing a report on March 16, 2023. The researchers noticed that while the group has not significantly changed their tactics and techniques, they have changed their approach to pressuring victims to pay ransoms.
BianLian uses a custom backdoor written in Golang, to maintain access to victim networks, rather than the general remote access tools used by most ransomware groups. Slight changes have been made to the backdoor over time, such as updating different support libraries and attempting to stay undetected in some cases, yet the core functionality of their backdoor remains unaltered.
The researchers at Redacted also noticed that they have seen many cases where the malware is created shortly after the activation of the command and control (C2), while in other instances, the order is reversed. Consequently, when a C2 is detected, it is likely that BianLian has already infiltrated the victim’s network. They also observed that BianLian tends to bring around 30 new C2s each month. For example, in the first half of March, they started with 11 C2s. Additionally, the average time that a C2 remains active is about two weeks.
After the release of the decryptor, BianLian acknowledged its release and shifted how they monetize their attacks. Instead of encrypting files and threatening to leak data, they are focusing on convincing victims to pay a ransom in exchange for the group’s silence. This means that the group is now operating as an extortion group and not as a ransomware group. BianLian promises that after payment, they will not make the data public or reveal the breach to anyone. They depend on their reputation, so they extend this assurance to victims.
“Our business depends on the reputation even more than many others. If we will take money and spread your information- we will have issues with payments in future. So, we will stick to our promises and reputation. That works in both ways: if we said that we will email all your staff and publicly spread all your data- we will.” – BianLian (posted on their Tor site)
BianLian conducts research on victims to customize threats, citing legal/regulatory issues victims may face if a breach were made public. They even reference applicable law subsections. This extra effort indicates the criminal gang is attempting to apply maximum pressure to get their ransoms paid. The group has also been increasingly using a tactic of posting masked details about their victims on their leak site. This tactic involves posting varying degrees of detail about an organization, usually masking all but a few letters of the company's name, while still including details like the victim's industry, geographical location, and revenue numbers.
Although BianLian was using the masked victim pressure tactics prior to the release of Avast’s decryption tool, the group’s use of the technique increased significantly after the release of the tool. The group has posted details of masked victims more than half of the time since the tool was released.
Based on Avertium’s experience, has been a significant decrease in organizations paying ransom to protect their data from being exposed over the past three years. This is supported by a companies such as Chainalysis, a blockchain analysis firm, who showed that ransomware payments experienced a significant decrease in the past year, dropping to [1]$456.8 million, the lowest figure in three years. This figure is 40% lower than the $765.6 million reported the year before.
At first glance, it seems that the drastic decrease in ransomware profits is due to a decrease in ransomware incidents, however, Kim Grauer of Chainalysis says that this may not be the case.
“The evidence suggests that the decline in attacker revenues is due to victims’ increasing unwillingness to pay their ransom demands rather than a drop in the actual number of attacks. This reluctance can be attributed to a number of factors, ranging from more widespread utilisation of solutions such as backup and recovery that mitigate the impact of attacks, to a fear of running afoul of government regulations that prohibit the payment of ransoms to organisations that are potentially affiliated with sanctioned nations and groups.” - Kim Grauer – Director of Research at Chainalysis
We expect to see BianLian develop a new encryptor, most likely using public-key encryption as their attempts to generate revenue purely by exfiltrating data and threatening it’s release prove to far less effective than encryption.
[1] Ransomware payments fell to US$456.8 million in 2022 | TahawulTech.com
Backdoors
Encryptors
IP Addresses
Even with anti-malware solutions installed, BianLian is a great risk to organizations. BianLian’s evolving operating model makes organizations everywhere vulnerable to an attack. However, Avertium has advanced services that can help keep your organization safe:
Stung by Free Decryptor, Ransomware Group Embraces Extortion (bankinfosecurity.com)
BianLian Ransomware Gang Continues to Evolve | [redacted]
Virginia city claimed to be attacked by BianLian ransomware | SC Media (scmagazine.com)
BianLian Ransomware Encrypts Files in the Blink of an Eye (blackberry.com)
Decrypted: BianLian Ransomware - Avast Threat Labs
BianLian ransomware crew swaps encryption for extortion • The Register
A Deep Dive Into BianLian Ransomware (securityscorecard.com)
BianLian Ransomware Lists St Rose Hospital As Victim (thecyberexpress.com)
Ransomware payments fell to US$456.8 million in 2022 | TahawulTech.com
BianLian ransomware group shifts focus to extortion | CSO Online
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.