The BianLian ransomware group has shifted its focus from encrypting its victims’ files to exfiltrating data found on compromised networks and using it for extortion purposes.

This operational development in BianLian was reported by the cybersecurity firm Redactedwho saw signs that the threatening group was trying to develop their extortion skills and increase the pressure on the victims.

BianLian is a ransomware operation that first appeared in the wild in July 2022managing to break into several top organizations.

In January 2023, Avast has released a free decryptor to help victims recover files encrypted by the ransomware.

Recent BianLian attacks

Redacted reports that BianLian operators have retained their initial access and lateral movement techniques and continue to deploy a custom Go-based backdoor that gives them remote access to the compromised device, albeit a slightly improved from it.

Threat actors post their victims in masked form as quickly as 48 hours after the breach on their extortion site, giving them around ten days to pay the ransom.

As of March 13, 2023, BianLian had listed a total of 118 victim organizations on its extortion portal, with the vast majority (71%) being US-based companies.

The main difference observed in recent attacks is that BianLian attempts to monetize its breaches without encrypting the victim’s files. Instead, it now relies solely on the threat to release the stolen data.

“The group promises that after being paid, it will not disclose the stolen data or otherwise disclose the fact that the victim organization has suffered a breach. BianLian offers these assurances on the basis that their “business” depends on their reputation,” Redacted in the report.

“In several instances, BianLian referenced legal and regulatory issues a victim would face if it became public knowledge that the organization had suffered a breach. The group also went so far as to include specific references to paragraphs in several laws and statutes.

Redacted found that in many cases, legal references made by BianLian operators were applicable in the victim’s region, indicating that threat actors hone their extortion skills by analyzing a victim’s legal risks. to make strong arguments.

It is unclear whether BianLian abandoned the encryption tactic because Avast broke its encryptor or because this event helped them realize that they did not need this part of the attack chain to extort the victims to pay ransoms.

It’s worth mentioning that when Avast released its free decryptor, BianLian downplayed its significance, claiming that it would only work on early “Summer 2022” versions of the ransomware and corrupt files encrypted by all later versions.

Extortion without encryption

File encryption, data theft, and the threat of leaking stolen files are known as the “double extortion” tactic, which serves as an additional form of coercion for ransomware gangs seeking to increase pressure on their victims.

However, thanks to the natural exchange between threat actors and victims, ransomware gangs have realized that, in many cases, leaking sensitive data is an even stronger incentive for victims to pay.

This gave rise to ransomware operations without encryption such as end Babuk And Snap™and extortion operations that claim not to engage in file encryption themselves (or at all), like RansomHouse, donutAnd Karakurt.

Yet, most ransomware groups continue to use encryption payloads in their attacks, as the business interruptions caused by encryption devices put even greater pressure on many victims.