Avast releases free decoder for BianLian ransomware
The Avast threat research team has released a free executable to decode files encrypted by the BianLian ransomware.
The tool is free, but there is a small drawback in how it works: you need one of the encrypted files in its original, unencrypted form so that the decoder can compare it with the encrypted version.
Once you have that pair, a few other simple steps follow (pointing the decoder at the location of the file you want to decrypt), after which the decoder should be able to recover the password.
You can then use that password to decrypt everything else.
The BianLian ransomware first came to light in 2022 after its infrastructure development began in December 2021 and is believed to be the tool of choice for a group of the same name. The ransomware is known for its speed and stealth of operation, and typically targets various ProxyShell vulnerabilities as well as SonicWall VPNs.
Once embedded in a network, the ransomware deploys “either a web shell or a lightweight remote access solution like ngrok as a tracking payload,” according to cybersecurity researchers at Redacted.
“While we have no direct evidence of a successful attack, we have indications that the actor is targeting servers that provide remote network access through solutions like Remote Desktop, attempting to exploit weak or exposed credentials.
“We have also observed dwell times of up to six weeks between the actor gaining initial access and the actual encryption event,” Redacted researchers noted, describing the stealth capabilities of the software.
Once BianLian has encrypted the contents of a machine, all that is left are files with the .bianbian extension and a ransom note in text file format. The note asks victims to contact the ransomware group within 10 days or the files will be published online.
BianLian’s command and control nodes almost tripled between July and August 2022, jumping to 31 C2 nodes, which caught the attention of many researchers.
While the ransomware has not been completely successful in extracting ransoms, the actors behind it appear to be expert coders, according to Redacted, and have attacked companies of all sizes around the world, but primarily in North America, the United Kingdom and Australia. It has been used largely to attack the media and entertainment industry, but has so far only been used against nine organizations across a variety of industries.
BianLian, incidentally, is named after a popular form of Chinese theater, known for its colorful and ever-changing masks.
You can download the decoder here to see how it and BianLian work.