Tag Archive for: Decryptor

Stung by Free Decryptor, Ransomware Group Embraces Extortion


Fraud Management & Cybercrime, Ransomware

BianLian Follows in Karakurt’s Footsteps by Moving Away From Crypto-Locking Malware


March 22, 2023    

Ransomware group BianLian, which takes its name from the ancient Chinese face-changing drama, has found a new face. (Image: Shutterstock)

Not all ransomware groups wield crypto-locking malware. In their continuing quest for extortionate profits, some have moved away from encryption and pressure victims purely by threatening to leak stolen data unless they receive a ransom payment.



This seems to have been the case for BianLian, a prolific ransomware group that emerged in the summer of 2022. At that point, threat intelligence firm Cyble reported the group was known for executing rapid-encryption attacks, especially against the media and entertainment sectors, as well as healthcare, energy and utilities, among others.


The group’s name refers to “bian lian” – an ancient Chinese dramatic art in which characters’ faces change in the blink of an eye. It’s apparently a reference to the speed of the group’s encryption.


Czech cybersecurity firm Avast threw a wrench in the group’s works in January by releasing a free decryptor for victims of the ransomware.


This didn’t go unnoticed by BianLian. “If you have questions about Avast’s decryptor, you need to know that for each company we create an unique key,” the criminals said in a snarky, grammatically incorrect message posted to their site dedicated to naming victims and leaking stolen data….

Source…

BianLian ransomware crew goes 100% extortion after free decryptor lands • The Register


The BianLian gang is ditching the encrypting-files-and-demanding-ransom route and instead is going for full-on extortion.

Cybersecurity firm Avast’s release in January of a free decryptor for BianLian victims apparently convinced the miscreants that there was no future for them on the ransomware side of things and that pure extortion was the way to go.

“Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims’ data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence,” threat researchers for cybersecurity company Redacted wrote in a report.

A growing number of ransomware groups are shifting to relying more on extortion than data encryption. However, it seems the impetus for this gang’s move was that Avast tool.

When the security shop rolled out the decryptor, the BianLian group in a message on its leak site boasted that it created unique keys for each victim, that Avast’s decryption tool was based on a build of the malware from the summer of 2022, and that it would terminally corrupt files encrypted by other builds.

The message has since been taken down and BianLian changed some of its tactics. That includes not only moving away from ransoming the data, but also how the attackers post masked details of victims on their leak site to prove they have the data in hand in hopes of further incentivizing victims to pay.

Masking victim details

That tactic was in their arsenal before the decryptor tool was available, but “the group’s use of the technique has exploded after the release of the tool,” Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, wrote.

Between July 2022 and mid-January, postings with masked victim details accounted for 16 percent of the postings to the group’s leak site. In the two months since the decryptor was released, masked victim details appeared in 53 percent of the postings. The group is also getting the masked details up on the leak site faster, sometimes within 48 hours of the compromise.

The group also is doing its research…

Source…

Hospital for Sick Children says it’s ‘aware’ of online statement offering free decryptor


Toronto

The Hospital for Sick Children says it is aware of an online statement from a ransomware group that offers a decryptor to restore systems impacted by a mid-December cybersecurity incident.

Ransomware group has offered a decryptor to restore systems affected by cybersecurity incident

The Hospital for Sick Children (SickKids Hospital) at the end of November 2022. SickKids says it’s aware of an online statement from a ransomware group that offers a decryptor to restore systems impacted by a cybersecurity incident. (Michael Wilson/CBC)


Canada’s largest pediatric health-care centre said in a news release issued Sunday evening that the statement includes “an offer of a free decryptor” after some of its systems were impacted by a ransomware attack on Dec. 18.

The hospital says it has engaged “third-party experts to validate and assess the use of the decryptor” mentioned in the statement.

The hospital had said after the attack that it had delayed lab and imaging results and it could lead to longer wait times, noting that some of its systems could be offline for weeks.

The hospital had said at the time that it was unable to provide details about the nature of the attack, calling it an “active and ongoing incident.”

SickKids said in the Sunday statement that it has restored “over 60 per cent of priority systems” as of Jan. 1 and has not made a ransomware payment.

It said there is no evidence to date that personal information was affected by the attack.

Source…

New Fonix ransomware decryptor can recover victim’s files for free



Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free.

Fonix Ransomware, also known as Xinof and FonixCrypter, launched in June 2020 but increased its number of victims significantly starting in November 2020.

Last Friday, one of the Fonix ransomware admins tweeted that they have shut down the ransomware operation and released the master decryption key.

“I’m one fonix team admins.
you know about fonix team but we have come to the conclusion.
we should use our abilities in positive ways and help others.
Also rans0mware source is completely deleted, but some of team members are disagree with closure of the project, like telegram channel admin who trying to scam people in telegram channel by selling fake source and data.
Anyway now main admin has decided to put all previous work aside and decrypt all infected systems at no cost.”  – FonixTeam

The Fonix ransomware admin told BleepingComputer that they had encrypted approximately 5,000 to 6,000 systems over the course of the operation.

Soon after they shared the decryption key, Michael Gillespie confirmed with BleepingComputer that the key was valid and could be used to decrypt a victim’s files.

Decrypting the Fonix ransomware

The good news is that if you have been infected with the Fonix ransomware, you can now decrypt your files for free using an updated version of Kaspersky’s RakhniDecryptor.

Download the decryptor to a device with encrypted files and start the program. You will be asked to agree to a license agreement, and the main interface will appear, as shown below.

RakhniDecryptor main interface

When you are ready to decrypt your files, click on the Start Scan button, and the decryptor will ask you to select an encrypted file.

Once selected, the decryptor will look for your decryption key, and when found, begin to decrypt your files. BleepingComputer has tested the decryptor on an encrypted computer, and as you can see below, was able to decrypt the files.

Decrypting files

After you have decrypted your files and determined that they are opening correctly, you can delete the leftover encrypted files.

For those who need help getting started using the decryptor, please read this…

Source…