The PolySwarm Blog


BianLian Ransomware

Sep 26, 2022 4:05:33 PM / by PolySwarm Tech Team

Verticals Targeted:
Professional Services, Media and Entertainment, Manufacturing, Healthcare, Energy and Utilities, Education, Financial

Executive Summary

Cyble recently reported on BianLian, a new ransomware variant written in Go. It has been used to target multiple verticals.

Key Takeaways

  • BianLian is a ransomware family written in Go.
  • BianLian uses multiple techniques to thwart detection and reverse engineering.
  • BianLian threat actors use a double extortion tactic, threatening to leak victim data if the ransom is not paid.

What is BianLian?

BianLian ransomware, written in Go, was first discovered in July 2022. It has been used to target multiple verticals, including professional services, media and entertainment, manufacturing, healthcare, energy and utilities, education, and financial.

When BianLian is executed, it first checks whether it is running in a WINE environment. It then uses the CreateThread() API function to create multiple threads, which complicates attempts at reverse engineering. BianLian then uses the GetDriveTypeW() API to enumerate drives A:\ through Z:\ and encrypts files on the drives it discovers. The following file types, file names, and folders are not encrypted: .exe, .dll, .sys, .txt, .lnk, .html, bootmgr, BOOTNXT, pagefile.sys, thumbs.db, ntuser.dat, swapfile.sys, Windows, and Windows.old.

BianLian uses the crypto/cipher, crypto/aes, and crypto/rsa Go packages for encryption. During the encryption process, the ransomware divides files into 10-byte chunks. Chunking the data in this way helps thwart detection by antivirus. Encrypted files are appended with the .bianlian extension.

BianLian drops a ransom note named Look at this instruction.txt in folders containing encrypted files. The ransom note instructs victims on how to contact the threat actors. The threat actors use a double extortion technique, threatening to leak stolen files if the ransom is not paid within ten days. Following the encryption process, BianLian deletes itself from the system.
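The host artifacts described above (the .bianlian extension on encrypted files, the Look at this instruction.txt note dropped beside them, and the SHA-256 sample hashes in the IOCs section) are enough to build a simple triage sweep for an incident responder. The following Python script is an added example for this bulletin, not PolySwarm's or Cyble's code: it walks a directory tree, flags encrypted files and ransom notes, lists the folders where both co-occur, and hashes every file against the published sample hashes. The directory it scans is constructed in a temporary location purely for demonstration; the hash set is the one from the IOCs section.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the bulletin.
RANSOM_NOTE_NAME = "Look at this instruction.txt"
ENCRYPTED_EXTENSION = ".bianlian"

# SHA-256 hashes of BianLian samples listed in the IOCs section.
KNOWN_SAMPLE_SHA256 = {
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",
    "20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352",
    "50c86fb27bed1962903a5f9d155544e3fdb859ae19e967a10f0bf3a60bb8954f",
    "64065c29b369881ee36314c0d15e442510027186fd9087aec0f63e22a5c6f24c",
    "8592862cd28bcc23cfbcf57c82569c0b74a70cd7ea70dbdee7421f3fafc7ecaf",
    "c0fe7bfb0d1ffeb61fb9cafeeab79ffd1660ff3637798e315ff15d802a3c974e",
    "c7fe3fc6ffdfc31bc360afe7d5d6887c622e75cc91bc97523c8115b0e0158ad6",
    "cbab4614a2cdd65eb619a4dd0b5e726f0a94483212945f110694098194f77095",
    "cd17afd9115b2d83e948a1bcabf508f42d0fe7edb56cc62f5cc467c938e45033",
    "d602562ba7273695df9248a8590b510ccd49fefb97f5c75d485895abba13418d",
    "da7a959ae7ea237bb6cd913119a35baa43a68e375f892857f6d77eaa62aabbaf",
    "dda89e9e6c70ff814c65e1748a27b42517690acb12c65c3bbd60ae3ab41e7aca",
    "de31a4125eb74d0b7cbf2451b40fdb2d66d279a8b8fd42191660b196a9ac468f",
    "eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2",
    "f7a3a8734c004682201b8873691d684985329be3fcdba965f268103a086ebaad",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_tree(root, known_hashes=KNOWN_SAMPLE_SHA256):
    """Sweep a directory tree for BianLian host artifacts.

    Returns a dict with the encrypted files, ransom notes, folders where a
    note sits next to encrypted files, and any file whose hash matches a
    known sample.
    """
    findings = {"encrypted_files": [], "ransom_notes": [], "known_samples": [], "affected_folders": []}
    for dirpath, _, filenames in os.walk(root):
        folder_has_note = False
        folder_has_encrypted = False
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(str(path))
                folder_has_note = True
            if path.suffix.lower() == ENCRYPTED_EXTENSION:
                findings["encrypted_files"].append(str(path))
                folder_has_encrypted = True
            # Hash everything: the dropper itself may sit anywhere before it self-deletes.
            if sha256_of(path) in known_hashes:
                findings["known_samples"].append(str(path))
        # The bulletin says the note is dropped in folders containing encrypted files,
        # so the two together are a stronger signal than either alone.
        if folder_has_note and folder_has_encrypted:
            findings["affected_folders"].append(dirpath)
    return findings


def build_sample_tree():
    """Create a constructed directory tree for demonstration (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="bianlian_triage_demo_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx.bianlian").write_bytes(b"\x00" * 32)  # constructed "encrypted" file
    (docs / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
    (docs / "notes.txt").write_text("untouched, .txt is on the skip list\n")
    (root / "bin").mkdir()
    (root / "bin" / "tool.exe").write_bytes(b"MZ constructed placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, values in triage_tree(demo_root).items():
        print(f"{key}: {values}")
```

Run it as-is to see the sweep over the constructed tree, or call triage_tree() on a mounted evidence image. On a real host the encrypted-file and ransom-note matches are the reliable signal; the hash match will usually be empty, since the bulletin notes BianLian deletes itself after encryption.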

IOCs

PolySwarm has multiple samples of BianLian.

1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352
50c86fb27bed1962903a5f9d155544e3fdb859ae19e967a10f0bf3a60bb8954f
64065c29b369881ee36314c0d15e442510027186fd9087aec0f63e22a5c6f24c
8592862cd28bcc23cfbcf57c82569c0b74a70cd7ea70dbdee7421f3fafc7ecaf
c0fe7bfb0d1ffeb61fb9cafeeab79ffd1660ff3637798e315ff15d802a3c974e
c7fe3fc6ffdfc31bc360afe7d5d6887c622e75cc91bc97523c8115b0e0158ad6
cbab4614a2cdd65eb619a4dd0b5e726f0a94483212945f110694098194f77095
cd17afd9115b2d83e948a1bcabf508f42d0fe7edb56cc62f5cc467c938e45033
d602562ba7273695df9248a8590b510ccd49fefb97f5c75d485895abba13418d
da7a959ae7ea237bb6cd913119a35baa43a68e375f892857f6d77eaa62aabbaf
dda89e9e6c70ff814c65e1748a27b42517690acb12c65c3bbd60ae3ab41e7aca
de31a4125eb74d0b7cbf2451b40fdb2d66d279a8b8fd42191660b196a9ac468f
eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2
f7a3a8734c004682201b8873691d684985329be3fcdba965f268103a086ebaad


You can use the following CLI command to search for all BianLian samples in our portal:

$ polyswarm link list -f BianLian

Topics: Threat Bulletin, Ransomware, BianLian
