Cybercriminals are preparing to deploy a new ransomware variant BianLian created with Google’s open-source programming language, Go. Cyble Research Labs shared an in-depth report on the ransomware on August 18, 2022, breaking down its first appearance, capabilities, and how it was discovered.
The report also elaborated on the popularity of ransomware attacks among TAs (Threat Actors) due to its ability to work on cross-platforms, making it more destructive than its counterparts.
BianLian gained traction in Mid 2022
A BianLian x64 ransomware sample: eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2
So it is another Go ransomware.
😂
"jack/Projects/project1/crypt28" pic.twitter.com/5mb8GScvGO— MalwareHunterTeam (@malwrhunterteam) August 11, 2022
BianLian may not be an old ransomware as its activities were discovered as early as July this year. Researchers believe that the malware is still in the development and trial phase. However, it is being used on a large scale by a wide novelty of TAs, especially those targeting industries like manufacturing, education, healthcare and banking, financial services, and insurance (BFSI).
According to the report, the ransom has a diversified coverage of its targets, with 25% being in the media and entertainment, 12.5% in each in manufacturing, healthcare, energy and utilities, and education sectors.
How did Cyble Research Labs find BianLian?
During one of their daily threat-hunting exercises, the researchers at Cyble Research Labs came across a Twitter post about a Go-based ransomware called “BianLian,” which was first identified in July 2022.
So far, the ransomware has claimed nine victims from multiple industries — manufacturing, education, healthcare, BFSI, etc. The perpetrator behind the malware demanded a large sum of money in extortion and used a relatively new method for the attacks.
Cyble Research Labs stated that the ransomware used a unique encryption style, which included dividing the files and their content into chunks of 10 bytes to evade detection.
Like all the major ransomware attacks in the last five years, BianLian’s operators used double-extortion methods that include threatening the victims to leak the stolen data and limiting ten days for the victims to pay the ransom amount.
How does the BianLian Ransomware Variant Works?
BianLian uses encryption to target files on the system and sends a ransomware note to the victims. Once installed, the ransomware checks if the file runs in a WINE environment using the wine_get_version() function via the GetProcAddress() API.
On finding a vulnerability within the files, it creates multiple threads using the CreateThread() API function to encrypt files. Once injected into a particular system, the malware identifies system files from all the hard drives using the GetDriveTypeW() API function and encrypts the relevant files before dropping a ransomware note to the victims.
Additionally, as BianLian is made in Go, it enables the users to use a single codebase, which can be compiled into all the major operating systems. This feature allows the perpetrators to constantly change, upgrade and add new capabilities to malware to hinder detection, which makes it more cunning than the standard ransomware.
