BianLian ransomware crew goes 100% extortion after free decryptor lands • The Register


The BianLian gang is ditching the encrypting-files-and-demanding-ransom route and instead is going for full-on extortion.

Cybersecurity firm Avast’s release in January of a free decryptor for BianLian victims apparently convinced the miscreants that there was no future for them on the ransomware side of things and that pure extortion was the way to go.

“Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims’ data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence,” threat researchers for cybersecurity company Redacted wrote in a report.

A growing number of ransomware groups are shifting to relying more on extortion than data encryption. However, it seems the impetus for this gang’s move was that Avast tool.

When the security shop rolled out the decryptor, the BianLian group in a message on its leak site boasted that it created unique keys for each victim, that Avast’s decryption tool was based on a build of the malware from the summer of 2022, and that it would terminally corrupt files encrypted by other builds.

The message has since been taken down and BianLian changed some of its tactics. That includes not only moving away from ransoming the data, but also how the attackers post masked details of victims on their leak site to prove they have the data in hand in hopes of further incentivizing victims to pay.

Masking victim details

That tactic was in their arsenal before the decryptor tool was available, but “the group’s use of the technique has exploded after the release of the tool,” Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, wrote.

Between July 2022 and mid-January, postings with masked victim details accounted for 16 percent of the postings to the group’s leak site. In the two months since the decryptor was released, masked victim details appeared in 53 percent of the postings. The group is also getting the masked details onto the leak site faster, sometimes within 48 hours of the compromise.

The group also is doing its research…
