BianLian Ransomware Crew Swaps Crypto for Extortion

The BianLian gang has ditched the encrypt-files-and-demand-ransom route and instead gone for outright extortion.

Security company Avast's release in January of a free decryption tool for BianLian victims apparently convinced the crooks that ransomware had no future for them, and that pure extortion was the way forward.

“Instead of following the typical double extortion model of encrypting files and threatening to leak data, BianLian stopped encrypting victims’ data and instead offered only extortion demands in exchange for BianLian’s silence. We have observed an increasing focus on persuading victims to pay,” the researchers wrote in their report.

A growing number of ransomware groups are shifting to rely on extortion rather than data encryption. However, the driving force behind this gang's move appears to have been the Avast tool.

When the security shop released the decryptor, the BianLian group said in a message on its leak site that it created a unique key for each victim, that Avast’s decryption tool was based on a malware build from summer 2022, and that, with other builds, it would eventually corrupt encrypted files.

The message has since been deleted, and BianLian has changed some of its tactics. This involves not only avoiding ransom demands for the data, but also how the gang proves it has the data in hand: the attackers mask the victim’s details and post them on the leak site, in hopes of encouraging the victim to pay.

Mask Victim Details

The tactic was in the gang's arsenal before the decryption tool became available, but “the group’s use of the technique exploded after the tool’s release,” write Redacted researchers Lauren Pearce and Brad Pittack and special projects director Danny Quist.

Between July and mid-January 2022, posts with masked victim details accounted for 16% of the posts on the group’s leak site. In the two months after the decryptor was released, 53% of the posts contained masked victim details. The gang is also uploading the masked details to the leak site faster, sometimes within 48 hours of the breach.

The group is also doing its homework and increasingly tailoring its messages to victims to increase the pressure on the organization. Some messages refer to the legal and regulatory trouble an organization would face if a data breach became public, and the laws mentioned appear to match the jurisdictions where the victims are located.

“This change in tactics, more reliable exfiltration sites, and increased exfiltration rate of victim data appear to have resolved the previous underlying problem of BianLian’s inability to execute the business side of its ransomware campaign,” the researchers wrote. “Unfortunately, their improved business acumen may be the result of more experience gained from successful infiltration of victim organizations.”

Increased Presence

The BianLian gang has been hacking since July 2022, hitting healthcare in particular (14%, the sector most affected by this group), education and engineering (both 11%), and IT (9%). As of March 13, the crew had listed 118 victims on its leak site, according to Redacted.

About 71% of these victims are in the United States.

The malware is written in Go, one of the newer languages, along with Rust, that cybercriminals are adopting to evade detection and endpoint protection tools and to run multiple operations concurrently.

BianLian has changed some of its tactics, but remains consistent in its initial access and lateral movement through the victim’s network. The Go-based custom backdoor has received some minor tweaks, but the report says its core functionality remains the same.

Redacted, which has been tracking BianLian since last year, has also seen a tight coupling between backdoor deployment and the command-and-control (C2) servers. This matters because “by the time BianLian C2 is discovered, the group likely has already established a solid foothold in the victim’s network,” the researchers wrote.

This threat group brings approximately 30 new C2 servers online each month. Each C2 server remains online for about two weeks.

As for who BianLian is, Redacted's researchers write that they have “a working theory based on some promising indicators,” but they’re not ready to say for sure.
