Verticals Targeted: Professional Services, Media and Entertainment, Manufacturing, Healthcare, Energy and Utilities, Education, Financial
Cyble recently reported on BianLian, a new ransomware family written in Go that has been used against multiple verticals.
- BianLian is a ransomware family written in Go.
- BianLian uses multiple techniques to thwart detection and reverse engineering.
- BianLian threat actors use a double extortion tactic, threatening to leak victim data if the ransom is not paid.
BianLian ransomware, written in Go, was first observed in July 2022. It has been used to target multiple verticals, including professional services, media and entertainment, manufacturing, healthcare, energy and utilities, education, and financial services.
When executed, BianLian first checks whether it is running under WINE. It then uses the CreateThread() API to spawn multiple worker threads, which complicates reverse engineering of the sample. Next it enumerates drive letters A:\ through Z:\ with GetDriveTypeW() and encrypts the files on every drive it finds, skipping the following extensions (.exe, .dll, .sys, .txt, .lnk, .html), file names (bootmgr, BOOTNXT, pagefile.sys, thumbs.db, ntuser.dat, swapfile.sys), and folders (Windows and Windows.old). These exclusions keep the system bootable and the .txt ransom note readable.
BianLian uses the crypto/cipher, crypto/aes, and crypto/rsa packages from the Go standard library for encryption. During encryption it splits each file into 10-byte chunks; Cyble reports that this chunking helps the sample evade antivirus detection. Encrypted files receive the .bianlian extension.
BianLian drops a ransom note named Look at this instruction.txt in every folder that contains encrypted files, telling victims how to contact the operators. The group practices double extortion: it threatens to leak stolen data unless the ransom is paid within ten days. Once encryption finishes, BianLian deletes itself from disk.
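The file-selection rules and the post-encryption artifacts described in the two paragraphs above are enough to triage a suspected victim volume offline. The following Go program is an added example written for this post; it is not code from the BianLian sample or from Cyble, and the name-based, case-insensitive matching of the exclusion list (folder names matched anywhere in the path) is an assumption about how the sample behaves, not something the report states. Pointed at a mounted image, it lists .bianlian files, every directory holding the ransom note, and any plaintext file that is not on the exclusion list, which on a fully encrypted volume should be empty.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators taken from the description of the sample above.
const (
	RansomNoteName = "Look at this instruction.txt"
	EncryptedExt   = ".bianlian"
)

// Exclusion list as given in the text. Keys are lower-cased; matching is done
// case-insensitively because Windows file names are (an assumption about the
// sample, not something the report states).
var (
	skippedExts  = map[string]bool{".exe": true, ".dll": true, ".sys": true, ".txt": true, ".lnk": true, ".html": true}
	skippedNames = map[string]bool{"bootmgr": true, "bootnxt": true, "pagefile.sys": true, "thumbs.db": true, "ntuser.dat": true, "swapfile.sys": true}
	skippedDirs  = map[string]bool{"windows": true, "windows.old": true}
)

// InExclusionList reports whether a file at relPath (relative to the drive
// root; either path separator is accepted) would be left alone by the encryptor.
func InExclusionList(relPath string) bool {
	parts := strings.Split(strings.ReplaceAll(relPath, "\\", "/"), "/")
	for _, dir := range parts[:len(parts)-1] {
		if skippedDirs[strings.ToLower(dir)] {
			return true
		}
	}
	name := strings.ToLower(parts[len(parts)-1])
	if skippedNames[name] {
		return true
	}
	return skippedExts[filepath.Ext(name)]
}

// Triage summarises what a walk over an (offline-mounted) volume found.
type Triage struct {
	Encrypted  []string // files carrying the .bianlian extension
	NoteDirs   []string // directories holding the ransom note
	Unexpected []string // plaintext files the encryptor should have touched
}

// TriageTree walks root and classifies every regular file. The ransom note is
// checked before the exclusion list because its .txt extension would otherwise
// hide it. A non-empty Unexpected list means the run was interrupted, the
// sample differs from the one described, or the tree is not a BianLian victim.
func TriageTree(root string) (Triage, error) {
	var t Triage
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		rel, relErr := filepath.Rel(root, path)
		if relErr != nil {
			return relErr
		}
		switch {
		case strings.EqualFold(d.Name(), RansomNoteName):
			t.NoteDirs = append(t.NoteDirs, filepath.Dir(rel))
		case strings.HasSuffix(strings.ToLower(d.Name()), EncryptedExt):
			t.Encrypted = append(t.Encrypted, rel)
		case InExclusionList(rel):
			// skipped by design; nothing to report
		default:
			t.Unexpected = append(t.Unexpected, rel)
		}
		return nil
	})
	return t, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	t, err := TriageTree(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%d encrypted files, ransom note in %d directories, %d untouched files outside the exclusion list\n",
		len(t.Encrypted), len(t.NoteDirs), len(t.Unexpected))
	for _, p := range t.Unexpected {
		fmt.Println("  unexpected plaintext:", p)
	}
}
```

Run it as `go run triage.go /mnt/victim_c` against a read-only mount. Because the ransom note lands only in folders that contain encrypted files, comparing NoteDirs with the parent directories of Encrypted is a quick consistency check on whether the encryption run completed.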
PolySwarm has multiple samples of BianLian.
You can use the following CLI command to search for all BianLian samples in our portal:
$ polyswarm link list -f BianLian
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.