Faced with BianLian ransomware, Avast offers a free decryption tool


Fanny Dufour

January 23, 2023 at 1:15 p.m.


Avast announced that it has developed a free decryption tool for BianLian ransomware victims. It is now available for download.

However, the researchers specify that the tool only works for victims of an already known variant of the ransomware. They offer guidance for those affected by a new version.

Ransomware detected in 2022

Although the infrastructure associated with BianLian appeared in December 2021, according to researchers from [redacted], it was around the summer of 2022 that the group’s activity increased and the ransomware was detected, as highlighted in a report by Cyble published in August 2022. BianLian has one distinctive trait: it is written in Go, a programming language created by Google employees and increasingly popular with ransomware operators for its ability to quickly encrypt targeted systems.

In October 2022, BlackBerry researchers indicated that at least 23 companies had been victims of the ransomware. BianLian particularly targets English-speaking countries, which suggests a financial motivation rather than a political one, and the companies affected come from several industries: financial services, education, health, banks, insurance, energy, construction, but also entertainment. The criminals behind BianLian opted for the principle of double extortion. In addition to encrypting the data, they indicate in their ransom note that they have recovered it and threaten to publish it within 10 days in the absence of payment.

BianLian ransom © [redacted]


But although the attackers are technically fairly advanced, [redacted] note that they seem fairly new to ransomware. They sometimes make mistakes in the data sent to their victims, the ransom note has changed several times in a few months, and their infrastructure is not always reliable. So it would seem that BianLian is a brand new group that is not descended from a defunct ransomware group.

A still imperfect decryption tool

A few months after BianLian’s activities multiplied, Avast released a decryption tool so that victims can recover their data without having to pay the criminals. However, the tool remains limited, since it can only decrypt files encrypted by a known variant of the ransomware.

For other victims, Avast recommends trying to find the ransomware file on their PC, in particular by looking for an executable in a folder that shouldn’t contain one. The company gives several examples of common BianLian file names and locations:

  • C:\Windows\TEMP\mativ.exe
  • C:\Windows\Temp\Areg.exe
  • C:\Users\%username%\Pictures\windows.exe
  • anabolic.exe

The problem is that the ransomware deletes itself after encrypting the files, so it can be difficult for victims to retrieve it and send it to Avast if necessary. Full details about the decryption tool and instructions for using it can be found on the company’s website.
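The search Avast describes can be scripted for a live system or a mounted disk image. The following is an added example, not Avast's code: it reports files carrying one of the names listed above, plus any Windows executable found under a Temp or Pictures folder. The folder set and the "MZ" header check used to catch renamed executables are assumptions of this example.

```python
import os
import sys
from pathlib import Path

# File names the article lists as common for BianLian (compared case-insensitively).
KNOWN_NAMES = {"mativ.exe", "areg.exe", "windows.exe", "anabolic.exe"}
# Folders that should not normally hold executables (assumption for this example,
# generalised from the Temp and Pictures locations listed in the article).
SUSPECT_DIRS = {"temp", "pictures"}


def is_pe(path):
    """Return True if the file starts with the 'MZ' header of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:  # unreadable or locked file: skip it rather than abort the scan
        return False


def find_candidates(root):
    """Walk root and return a sorted list of (path, reason) worth a closer look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Only folder names below the scan root are compared against SUSPECT_DIRS.
        parts = Path(dirpath).relative_to(root).parts
        in_suspect = any(p.lower() in SUSPECT_DIRS for p in parts)
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in KNOWN_NAMES:
                hits.append((full, "known BianLian file name"))
            elif in_suspect and is_pe(full):
                # Checks content, so an executable with a misleading extension is still found.
                hits.append((full, "executable in unexpected folder"))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python find_candidates.py C:\   (defaults to the current directory)
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in find_candidates(scan_root):
        print(f"{reason}: {path}")
```

A hit is only a candidate for review: installers and updaters also unpack legitimate executables into Temp folders.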

Sources: [redacted], Cyble, BlackBerry, Avast
