Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying hackers.

The availability of a decryptor comes only about six months after BianLian ransomware activity spiked in the summer of 2022, when the threat group breached several prominent organizations.

Avast’s decryption tool can only help victims attacked by a known variant of BianLian ransomware.

If the hackers are using a new version of the malware that researchers haven’t detected yet, the tool is of no use at this time.

However, Avast says the BianLian decryptor is a work in progress, and the ability to unlock more strains will be added shortly.

BianLian ransomware

BianLian (not to be confused with the Android banking Trojan of the same name) is a Go-based ransomware strain targeting Windows systems.

It uses AES-256 symmetric algorithm with CBC encryption mode to encrypt more than 1013 file extensions on all accessible drives.

The malware performs intermittent encryption on the victim’s files, a tactic that allows attacks to be accelerated at the expense of data locking strength.

The encrypted files are given the “.bianlian” extension while the generated ransom note warns the victims that they have ten days to respond to the hacker’s demands or their private data will be published on the gang’s data leak site.

For more details on how BianLian ransomware works, see this SecurityScoreCard report on the strain published in December 2022.

BianLian ransom note
BianLian ransom note (avast)

Avast decryptor

The BianLian ransomware decryptor is available for free and the program is a standalone executable that does not require installation.

Users can select the location they wish to decrypt and provide the software with an original/encrypted file pair.

Adjust decryption settings
Adjust decryption settings (Computer Beep)

There is also an option for users with a valid decryption password, but if the victim does not have one, the software can still attempt to figure it out by going through all known BianLian passwords.

Decryptrr crack BianLian password
Decryptor cracking BianLian password (avast)

The decryptor also provides an option to save encrypted files to avoid irreversible data loss if something goes wrong during the process.

Those attacked by new versions of BianLian ransomware will need to locate the ransomware binary on the hard drive, which could contain data that can be used to decrypt locked files.

Avast says some common filenames and locations for BianLian are:

  • C:\Windows\TEMP\mativ.exe
  • C:\Windows\Temp\Areg.exe
  • C:\Users\%username%\Pictures\windows.exe
  • anabolic.exe

However, since the malware removes itself after the file encryption phase, victims are unlikely to find these binaries on their systems.

Those who manage to recover the BinaLian binaries are asked to send them to “” to help Avast improve its decryptor.

Source link