New 'BianLian' Ransomware Variant on the Rise

Cybercriminals are swarming to deploy an emerging ransomware variant called BianLian that was written in Go, the Google-created open source programming language.

BianLian has been rising popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on their study of the ransomware in a blog post last week. Threat actors so far have cast a wide net with the novel BianLian malware, which counts organizations in media and entertainment; manufacturing; education; healthcare; and banking, financial services, and insurance (BFSI) among its victims so far.

Specifically, the media and entertainment sector has taken the brunt of BianLian attacks, with 25% of victims in this industry so far, and 12.5% each in the professional services, manufacturing, healthcare, energy and utilities, and education sectors, according to Cyble.

Attackers using BianLian typically demand unusually high ransoms, and they utilize a unique encryption style that divides the file content into chunks of 10 bytes to evade detection by antivirus products, the researchers said. "First, it reads 10 bytes from the original file, then encrypts the bytes and writes the encrypted data into the target file," the Cybel researchers wrote in the post.

BianLian's operators also use double-extortion methods, threatening to leak key stolen data — such as financial, client, business, technical, and personal files — online if ransom demands aren't met within 10 days. They maintain an onion leak site for this purpose.

How the Ransomware Variant Works

BianLian functions similarly to other ransomware types in that it encrypts files once it infects a targeted system and sends a ransomware note to its victims letting them know how to contact the operators.

Upon execution of the ransomware, BianLian attempts to identify if the file is running in a WINE environment by checking the wine_get_version() function via the GetProcAddress() API, the researchers said. Then, the ransomware creates multiple threads using the CreateThread() API function to perform faster file encryption, which also makes reverse engineering the malware more difficult, they said.

The malware then identifies the system drives (from A:\ to Z:\) using the GetDriveTypeW() API function and encrypts any files available in the connected drives before dropping its ransomware note, the researchers said.

BianLian also is notable in that uses Go as its foundational language, giving threat actors more flexibility in both developing and deploying the malware, the researchers said. "We have seen many threats developed using the Go language, such as Ransomware, RAT, Stealer, etc.," they wrote.

Go's cross-platform capability enables a single codebase to be compiled into all major operating systems. This makes it easy for threat actors — such as the ones behind BianLian — to make constant changes and add new capabilities to a malware to avoid detection, the researchers said.

Other cyber threats written in the so-called GoLang that have been active in the past year include a botnet called Kraken that recently resurfaced, as well as Blackrota, a heavily obfuscated backdoor.

While increased efforts by international law enforcement to crack down on the actors behind major cybercriminal groups has had some impact on ransomware, new threat operators and ransomware variants have perennially risen to replace now-defunct ones.

Cyble reiterated in its blog post some best practices for ransomware defense: running regular, offline backups; keeping device software updated, ideally using automatic software updates; running anti-malware software on devices; and avoiding opening any suspicious or unknown links and attachments.