Stung by Free Decryptor, Ransomware Group Embraces Extortion
Stung by Free Decryptor, Ransomware Group Embraces Extortion
BianLian Follows in Karakurt's Footsteps by Moving Away From Crypto-Locking Malware
Mathew J. Schwartz (euroinfosec) • March 22, 2023
facebook sharing button Sharetwitter sharing button Tweetlinkedin sharing button Share
Stung by Free Decryptor, Ransomware Group Embraces Extortion
Ransomware group BianLian, which takes its name from the ancient Chinese face-changing drama, has found a new face. (Image: Shutterstock)
Not all ransomware groups wield crypto-locking malware. In their continuing quest for extortionate profits, some have moved away from encryption and pressure victims purely by threatening to leak stolen data unless they receive a ransom payment.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
This seems to have been the case for BianLian, a prolific ransomware group that emerged in the summer of 2022. At that point, threat intelligence firm Cyble reported the group was known for executing rapid-encryption attacks, especially against the media and entertainment sectors, as well as healthcare, energy and utilities, among others.
The group's name refers to "bian lian" - an ancient Chinese dramatic art in which characters' faces change in the blink of an eye. It's apparently a reference to the speed of the group's encryption.
Czech cybersecurity firm Avast threw a wrench in the group's works in January by releasing a free decryptor for victims of the ransomware.
This didn't go unnoticed by BianLian. "If you have questions about Avast's decryptor, you need to know that for each company we create an unique key," the criminals said in a snarky, grammatically incorrect message posted to their site dedicated to naming victims and leaking stolen data. "Avast published their decrypt tool for build released at summer 2022. It will corrupt any files encrypted by another builds."
Whatever the criminals' claims, such decryptors can be good news for past victims, especially if they didn't pay a ransom.
After a free decryptor gets released, a ransomware group will typically update its crypto-locking malware and associated infrastructure to excise whatever vulnerability security researchers managed to exploit to crack their code and then continue to crypto-lock victims with abandon.
But Avast's decryptor seems to have led BianLian to seek fresh ways of monetizing a victim after hacking into its network, says threat intelligence firm Redacted.
"Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims' data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian's silence," Redacted reports.
"The group promises that after they are paid, they will not leak the stolen data or otherwise disclose the fact the victim organization has suffered a breach," it adds. "BianLian offers these assurances based on the fact that their 'business' depends on their reputation."
As Defenders Adapt, So Must Attackers
BianLian's search for a new face is a reminder that how ransomware groups make money isn't some preordained concept. As defenses evolve, so must attackers. The most successful ransomware operations tend to be the most adaptable.
This extortion-only business strategy isn't new. Many ransomware groups, whether or not they forcibly encrypt files, already charge a separate ransom in exchange for a promise to delete stolen data.
Before the notorious Conti group shut down in mid-2022, it launched a new subgroup called Karakurt, focused not on crypto-locking files but rather on monetizing data extortion. Security researchers said Conti appeared to be using the BazarLoader dropper to infect systems and install BazarBackdoor and then giving this backdoor remote access to those systems to Karakurt, so it could steal data and shake down victims.
Following in Karakurt's footsteps, BianLian has all the usual shakedown tricks up its sleeve, Redacted says. They include using telephone calls and emails to harass victims into paying as well as customizing communications to victims to try and highlight which regulations will get triggered if criminals dump their stolen data - for example, concerning the victim's customers.
Whatever promises attackers make about deleting stolen data, ransomware incident responders have long urged victims to never believe such assurances: Thieves lie. In addition, security experts can point to no known case ever in the history of cybercrime that involved a ransomware group having provably deleted stolen files (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
Unfortunately, many victims do still appear to be paying attackers simply for a promise to not leak stolen data.
Whether that will be the case with BianLian's new shakedown racket remains to be seen. If the group isn't reaching its desired level of profits, there's nothing to stop it from again embracing crypto-locking malware with abandon. It has changed its face once. What's to stop it from doing so again?
BianLian Follows in Karakurt's Footsteps by Moving Away From Crypto-Locking Malware
Mathew J. Schwartz (euroinfosec) • March 22, 2023
facebook sharing button Sharetwitter sharing button Tweetlinkedin sharing button Share
Stung by Free Decryptor, Ransomware Group Embraces Extortion
Ransomware group BianLian, which takes its name from the ancient Chinese face-changing drama, has found a new face. (Image: Shutterstock)
Not all ransomware groups wield crypto-locking malware. In their continuing quest for extortionate profits, some have moved away from encryption and pressure victims purely by threatening to leak stolen data unless they receive a ransom payment.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
This seems to have been the case for BianLian, a prolific ransomware group that emerged in the summer of 2022. At that point, threat intelligence firm Cyble reported the group was known for executing rapid-encryption attacks, especially against the media and entertainment sectors, as well as healthcare, energy and utilities, among others.
The group's name refers to "bian lian" - an ancient Chinese dramatic art in which characters' faces change in the blink of an eye. It's apparently a reference to the speed of the group's encryption.
Czech cybersecurity firm Avast threw a wrench in the group's works in January by releasing a free decryptor for victims of the ransomware.
This didn't go unnoticed by BianLian. "If you have questions about Avast's decryptor, you need to know that for each company we create an unique key," the criminals said in a snarky, grammatically incorrect message posted to their site dedicated to naming victims and leaking stolen data. "Avast published their decrypt tool for build released at summer 2022. It will corrupt any files encrypted by another builds."
Whatever the criminals' claims, such decryptors can be good news for past victims, especially if they didn't pay a ransom.
After a free decryptor gets released, a ransomware group will typically update its crypto-locking malware and associated infrastructure to excise whatever vulnerability security researchers managed to exploit to crack their code and then continue to crypto-lock victims with abandon.
But Avast's decryptor seems to have led BianLian to seek fresh ways of monetizing a victim after hacking into its network, says threat intelligence firm Redacted.
"Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims' data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian's silence," Redacted reports.
"The group promises that after they are paid, they will not leak the stolen data or otherwise disclose the fact the victim organization has suffered a breach," it adds. "BianLian offers these assurances based on the fact that their 'business' depends on their reputation."
As Defenders Adapt, So Must Attackers
BianLian's search for a new face is a reminder that how ransomware groups make money isn't some preordained concept. As defenses evolve, so must attackers. The most successful ransomware operations tend to be the most adaptable.
This extortion-only business strategy isn't new. Many ransomware groups, whether or not they forcibly encrypt files, already charge a separate ransom in exchange for a promise to delete stolen data.
Before the notorious Conti group shut down in mid-2022, it launched a new subgroup called Karakurt, focused not on crypto-locking files but rather on monetizing data extortion. Security researchers said Conti appeared to be using the BazarLoader dropper to infect systems and install BazarBackdoor and then giving this backdoor remote access to those systems to Karakurt, so it could steal data and shake down victims.
Following in Karakurt's footsteps, BianLian has all the usual shakedown tricks up its sleeve, Redacted says. They include using telephone calls and emails to harass victims into paying as well as customizing communications to victims to try and highlight which regulations will get triggered if criminals dump their stolen data - for example, concerning the victim's customers.
Whatever promises attackers make about deleting stolen data, ransomware incident responders have long urged victims to never believe such assurances: Thieves lie. In addition, security experts can point to no known case ever in the history of cybercrime that involved a ransomware group having provably deleted stolen files (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
Unfortunately, many victims do still appear to be paying attackers simply for a promise to not leak stolen data.
Whether that will be the case with BianLian's new shakedown racket remains to be seen. If the group isn't reaching its desired level of profits, there's nothing to stop it from again embracing crypto-locking malware with abandon. It has changed its face once. What's to stop it from doing so again?