The BianLian gang has abandoned its strategy of encrypting files and demanding a ransom in favour of outright extortion.
Avast, a cybersecurity company, released a free decryptor for BianLian victims in January, which appears to have persuaded the criminals that extortion was the only viable option rather than the ransomware business.
Threat analysts for cybersecurity firm Redacted stated in a report that BianLian is increasingly choosing to forgo encrypting victims' data and instead concentrate on persuading victims to pay solely using an extortion demand in exchange for BianLian's silence, as opposed to the typical double-extortion model of encrypting files and threatening to leak data.
Several ransomware organisations are starting to depend less on data encryption and more on extortion. Yet it appears that the Avast tool served as the catalyst for this gang's change of course.
The BianLian group boasted that it generated unique keys for each victim in a message posted on its leak site when the security company released the decryptor. They also claimed that Avast's decryption tool was based on a build of the malware from the summer of 2022 and that it would fatally corrupt files encrypted by other builds.
Since then, the message has been deleted, and BianLian has modified some of its strategies. That includes abandoning the practice of holding the data ransom, and the attackers' practice of publishing victim information on their leak site while masking the victims' identities, in an effort to further persuade the victims to pay.
Concealing victim data
Before the decryptor tool became accessible, they had this strategy in their toolbox, but "the group's use of the technique has exploded with the release of the programme," Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, noted.
Between July 2022 and mid-January, 16% of the postings on the group's leak site contained masked victim details. In the two months following the decryptor's publication, 53% of the postings did. The group is also posting the masked details faster, often within 48 hours of the compromise.
In order to put more pressure on the victims, the group is also doing research and increasingly customising its messages to them. Several of the messages made mention of the legal and regulatory concerns that businesses would face if a data breach became public, and the rules cited appear to be those that apply in the victim's home country.
"With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, it appears that the previous underlying issues of BianLian's inability to run the business side of a ransomware campaign appear to have been addressed," the researchers added. "Unfortunately, these improvements in their business acumen are likely the result of gaining more experience through their successful compromise of victim organizations."
Expanding influence
The BianLian gang first appeared in July 2022 and quickly established itself as a serious danger, notably to the IT, engineering, and healthcare sectors, with healthcare accounting for 14 percent of the group's victims (9 percent). As of March 13, the criminals' leak site named 118 victims, according to Redacted.
The US accounts for about 71 percent of those victims.
The malware is built in Go, one of the newer languages that attackers are adopting, along with Rust, because their compiled binaries are less widely recognised by endpoint security software, helping the malware avoid detection, and because they offer built-in concurrency for running many operations at once.
The ransomware gang is maintaining its consistency with regard to initial access and lateral movement within a victim's network even though some of its strategies have changed. The bespoke Go-based backdoor has undergone certain modifications, but its fundamental functioning has not changed, according to the research.
The researchers wrote that Redacted, which has been tracking BianLian since last year, is also getting a view of the close relationship between the backdoor deployment and the command-and-control (C2) server, which suggests that "by the time a BianLian C2 is discovered, it is likely that the group has already established a solid foothold into a victim's network."
Each C2 server is active for roughly two weeks after the threat group brings it online, and the group deploys almost 30 new C2 servers each month.