Avast researchers released a free BianLian ransomware decryptor for some variants of the malware

Antivirus firm Avast released a free decryptor for the BianLian ransomware family that allows victims to recover locked files.

Security firm Avast has released a free decryptor for the BianLian ransomware to allow victims of the malware to recover locked files.

The BianLian ransomware emerged in August 2022, the malware was employed in attacks against organizations in various industries, including manufacturing, media and entertainment, and healthcare.

Security experts noticed that the Go-based ransomware was able to encrypt files at high speeds.

Upon its execution, BianLian searches all available disk drives (from A: to Z:) and all files to encrypt. The malware targets 1013 extensions that are hardcoded in the ransomware binary. 

The experts pointed out that the ransomware encrypts a portion of the files that starts from a fixed file offset, which is hardcoded in the binary. The experts noticed that the offset differs per sample. 

Once encrypted a file, the ransomware appends the .bianlian extension and drops a ransom note (instruction.txt) into each folder.

Upon completing the encryption process, the ransomware deletes itself by executing the following command: 

cmd /c del <sample_exe_name> 

The decryptor released by the experts only works with a known variant of the BianLian ransomware.

“For new victims, it may be necessary to find the ransomware binary on the hard drive; however, because the ransomware deletes itself after encryption, it may be difficult to do so.” reads the post published by Avast. “According to Avast telemetry, common names of the BianLian ransomware file on the victim’s PC include: 

• C:\Windows\TEMP\mativ.exe
• C:\Windows\Temp\Areg.exe
• C:\Users\%username%\Pictures\windows.exe
• anabolic.exe

When searching for the ransomware binary, we recommend looking for an EXE file in a folder which doesn’t typically contain executables, such as %temp%, Documents or Pictures. It is also recommendable to check the virus vault of your antivirus. The typical size of the BianLian ransomware executable is around 2 MB.”

Avast researchers state that future releases of the decryptor will be able to recover files encrypted by newer versions.

Like other decryptors the BianLian ransomware one is available as a standalone executable.

The decryptor also allows users with a valid decryption password and to back up encrypted files to data loss.

For questions or comments about the Avast decryptor, email decryptors@avast.com.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]