BianLian – New Ransomware Variant written in Go
Incident Report for Ascend Security Events
Resolved

Source: Cyble

Security researchers at Cyble recently published a report on a new ransomware variant named BianLian. This variant is written in the Go programming language and has seen an increase in popularity among threat actors due to its cross-platform functionality and evasive techniques. BianLian has been used to target several well-known organizations across multiple industries, such as Manufacturing, Education, Healthcare, BFSI, etc.

This variant includes features that make it more dangerous and destructive than most ransomware used by threat actors. The analyzed BianLian sample attempts to evade sandbox detection and creates many threads to encrypt files faster and make reverse engineering more difficult.
Files encrypted by the ransomware have the distinctive “.bianlian” extension. This variant replaces all files on the system with their encrypted counterparts, which makes recovery efforts more challenging. The malware then creates a ransom note on the victim’s desktop before deleting itself from the device.
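
The extension and the fast, multi-threaded encryption described above suggest a simple behavioral check: alert when one process on one host creates several “.bianlian” files within a short window. The following is an added example, not code from the Cyble report or from Ascend's tooling; the pipe-delimited event layout, host names, paths, threshold and window are all constructed assumptions to be mapped onto your own EDR or SIEM export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EXTENSION = ".bianlian"  # extension the report says encrypted files carry

# Constructed sample events: time|host|creating process|file created.
# The pipe-delimited layout is an assumption, not a real EDR export format.
SAMPLE_EVENTS = r"""
2022-08-25T10:00:00|WS-01|C:\Users\a\Downloads\tool.exe|C:\Users\a\Documents\q1.xlsx.bianlian
2022-08-25T10:00:01|WS-01|C:\Program Files\Office\winword.exe|C:\Users\a\Documents\memo.docx
2022-08-25T10:00:01|WS-01|C:\Users\a\Downloads\tool.exe|C:\Users\a\Documents\q2.xlsx.BIANLIAN
2022-08-25T10:00:02|WS-01|C:\Users\a\Downloads\tool.exe|C:\Users\a\Pictures\id.png.bianlian
2022-08-25T10:05:00|WS-02|C:\Tools\archive.exe|D:\Share\sample.bianlian
2022-08-25T11:00:00|WS-03|C:\Tools\sync.exe|D:\Data\a.bianlian
2022-08-25T11:01:00|WS-03|C:\Tools\sync.exe|D:\Data\b.bianlian
2022-08-25T11:02:00|WS-03|C:\Tools\sync.exe|D:\Data\c.bianlian
"""


def parse_event(line):
    """Split one constructed event line into (time, host, process, target)."""
    ts, host, image, target = line.split("|", 3)
    return datetime.fromisoformat(ts), host, image.lower(), target


def detect_bursts(text, threshold=3, window=timedelta(seconds=10)):
    """Map (host, process) to the time it first created `threshold`
    files ending in EXTENSION within `window`."""
    events = sorted(parse_event(l) for l in text.splitlines() if l.strip())
    recent = defaultdict(deque)  # (host, process) -> recent match times
    alerts = {}
    for ts, host, image, target in events:
        if PureWindowsPath(target).suffix.lower() != EXTENSION:
            continue  # only files carrying the ransomware extension count
        times = recent[(host, image)]
        times.append(ts)
        while ts - times[0] > window:  # drop matches outside the window
            times.popleft()
        if len(times) >= threshold:
            alerts.setdefault((host, image), ts)  # keep first alert time
    return alerts


if __name__ == "__main__":
    for (host, image), ts in detect_bursts(SAMPLE_EVENTS).items():
        print(f"{ts.isoformat()} {host} {image}: burst of {EXTENSION} files")
```

With the defaults, only the WS-01 process is flagged; the single file on WS-02 and the slow, minute-apart writes on WS-03 stay below the threshold.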

The ransom note is fairly standard compared with other ransomware variants: it typically requests a large sum of cryptocurrency and provides an .onion URL for contacting the threat actors. Threat actors deploying this ransomware typically warn victims that all sensitive data will be published online if the ransom is not paid within 10 days.

Indicators of Compromise:


As a result, Ascend Technologies has pushed detection for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IPs and hash values, which give us the ability to detect and alert. As is the case with most malware, end users are targeted, which makes maintaining a robust security posture highly important, including end-user training to develop safe and secure internet browsing habits.

Author: Evan Obal

Source: https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/
Posted Aug 25, 2022 - 15:11 CDT