{
	"id": "7c72cb58-c33c-4d72-9296-b8497a109aea",
	"created_at": "2026-04-06T00:21:10.864511Z",
	"updated_at": "2026-04-10T13:12:25.280185Z",
	"deleted_at": null,
	"sha1_hash": "488235bc5348768d17c4fe0d6829a74670c8d5f7",
	"title": "Cyble - BianLian: New Ransomware Variant On The Rise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1420617,
	"plain_text": "Cyble - BianLian: New Ransomware Variant On The Rise\r\nPublished: 2022-08-18 · Archived: 2026-04-05 19:42:06 UTC\r\nCyble analyzes BianLian Ransomware and the increasing popularity of GoLang amongst Threat Actors.\r\nGoLang-based Ransomware targets multiple industries\r\nCyble Research Labs has observed that malware written in the programming language “Go” has recently been\r\npopular among Threat Actors (TAs). This is likely due to its cross-platform functionalities and the fact that it\r\nmakes reverse engineering more difficult. We have seen many threats developed using the Go language, such as\r\nRansomware, RAT, Stealer, etc.  \r\nDuring our routine threat-hunting exercise, we came across a Twitter post about a ransomware variant written in\r\nGo named “BianLian,” which was first identified halfway through July 2022.\r\nWorld's Best AI-Native Threat Intelligence\r\nThe ransomware has targeted many well-known organizations (9 victims so far) across several industry\r\nsectors such as Manufacturing, Education, Healthcare, BFSI, etc. 
In the figure below, we have prepared a breakdown of the industries targeted by the BianLian ransomware.\r\nhttps://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/\r\nPage 1 of 9\n\nFigure 1 – Industries Targeted by the BianLian Ransomware\r\nTechnical Analysis\r\nWe have taken the below sample for the purposes of this analysis: SHA256 eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2, a 64-bit GoLang binary executable.\r\nThe unique build ID of the GoLang ransomware is shown below.\r\nFigure 2 – Go Build ID\r\nUpon execution, the ransomware attempts to identify whether it is running in a WINE environment by looking up the wine_get_version() export via the GetProcAddress() API; a resolved address means the binary is running under WINE rather than on a real Windows host.\r\nFigure 3 – Anti-analysis Technique\r\nThen, the ransomware creates multiple threads using the CreateThread() API function to encrypt files in parallel, which speeds up encryption and makes dynamic analysis of the malware more difficult. The below figure shows the multiple threads created by the ransomware.\r\nFigure 4 – Multiple Thread Creation\r\nNext, the malware identifies the system drives (from A:\\ to Z:\\) using the GetDriveTypeW() API function and encrypts any files available on the connected drives.\r\n
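The Go build ID referenced in Figure 2 can be recovered from the raw bytes of any Go binary, not only from a disassembler: the Go linker embeds it near the start of the text section between a fixed prefix (the byte 0xFF, the text ‘ Go build ID: ’ and a double quote) and a fixed suffix (a double quote, a newline, a space and 0xFF), and the go tool buildid command reads exactly that marker. The following Python is an added triage helper written for this page; it is not code from the Cyble analysis or from the BianLian sample. The blob and build ID it scans are constructed here for illustration and are not the real sample’s values, and the 128-byte cap mirrors the Go toolchain’s limit on build ID length.

```python
import hashlib
import sys
from typing import Optional

# Marker bytes the Go linker writes around the build ID. They are spelled out as
# byte values so this listing contains no escape sequences:
# prefix = 0xFF + ' Go build ID: ' + double quote, suffix = double quote + LF + space + 0xFF.
GO_BUILD_PREFIX = bytes([0xFF]) + b' Go build ID: ' + bytes([0x22])
GO_BUILD_SUFFIX = bytes([0x22, 0x0A, 0x20, 0xFF])
GO_BUILD_MAX_LEN = 128  # the Go toolchain caps a build ID at 0x80 bytes


def extract_go_build_id(data: bytes) -> Optional[str]:
    # Locate the first marker and return the ID between prefix and suffix,
    # or None when the buffer is not a Go binary or the marker is damaged.
    start = data.find(GO_BUILD_PREFIX)
    if start < 0:
        return None
    id_start = start + len(GO_BUILD_PREFIX)
    search_end = id_start + GO_BUILD_MAX_LEN + len(GO_BUILD_SUFFIX)
    end = data.find(GO_BUILD_SUFFIX, id_start, search_end)
    if end < 0:
        return None
    raw = data[id_start:end]
    # A build ID is printable ASCII (base64url components separated by slashes).
    if not raw or any(b < 0x21 or b > 0x7E for b in raw):
        return None
    return raw.decode('ascii')


def triage(data: bytes) -> dict:
    # Pair the build ID with the SHA256 an analyst would look up against an IOC list.
    return {
        'sha256': hashlib.sha256(data).hexdigest(),
        'go_build_id': extract_go_build_id(data),
    }


# Constructed test blob: a fake MZ header and zero padding around a marker. The ID
# is invented for this example and is not the build ID of the real BianLian sample.
SAMPLE_BUILD_ID = 'k0tsR2mAxW7eY3vQfN1p/bZc5LqJ4HnD8uXoT6gWi/Ma2Ev9Sy7KdB1ZrPqLfX/wU3cH8jN6tG4RvY0QsDm'
SAMPLE_BLOB = (
    b'MZ' + bytes(62) + b'PE' + bytes(30)
    + GO_BUILD_PREFIX + SAMPLE_BUILD_ID.encode('ascii') + GO_BUILD_SUFFIX
    + bytes(32)
)

if __name__ == '__main__':
    # Usage: python go_buildid.py <binary>  (falls back to the constructed blob)
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(triage(blob))
```

Because the build ID is derived from the compiled inputs, two samples sharing a build ID were produced from the same build, which makes it a useful pivot for clustering variants even when the file hashes differ.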
Then, the malware drops a ransom note in multiple folders with the file name “Look at this instruction.txt”. The ransom note content is shown below.\r\nFigure 5 – Malware Writing Ransom Notes\r\nAfter dropping the ransom note, the malware searches for files and directories to encrypt by enumerating them with the FindFirstFileW() and FindNextFileW() API functions.\r\nThe ransomware excludes the following file extensions and file/folder names from encryption:\r\nFile extensions: .exe, .dll, .sys, .txt, .lnk and .html\r\nFile names: bootmgr, BOOTNXT, pagefile.sys, thumbs.db, ntuser.dat and swapfile.sys\r\nFolder names: Windows, Windows.old\r\nSkipping executables, system files and the Windows folder keeps the host bootable so the victim can still read the note and negotiate; skipping .txt keeps the ransom note itself from being encrypted.\r\nThe ransomware uses GoLang packages such as “crypto/cipher,” “crypto/aes” and “crypto/rsa” for file encryption on the victim machine.\r\nFigure 6 – Hardcoded Strings of “Crypto” GoLang Packages\r\nFor encryption, the malware divides the file content into 10-byte chunks: it reads 10 bytes from the original file, encrypts them, and writes the encrypted data to the target file.\r\n
Dividing the data into small chunks, rather than reading whole files into memory, is a method to evade detection by anti-virus products.\r\nThe figure below shows the code snippet of the encryption loop and the original and infected file content before and after encryption.\r\nFigure 7 – Encryption routine and Original/Encrypted file content\r\nIn the next step, the malware gives the encrypted output the “.bianlian” extension and replaces the original file with it using the MoveFileExW() API function, as shown below.\r\nFigure 8 – MoveFileExW() API\r\nFinally, the ransomware deletes itself using the following command line, leaving only the encrypted files and the ransom note on the victim’s machine. The path shows the sample was executed as new_one.exe from the user’s Desktop:\r\ncmd /c del C:\\Users\\\u003cAdmin\u003e\\Desktop\\new_one.exe\r\nThe figure below shows the BianLian-encrypted files and the ransom note text file after successful infection of a victim’s machine.\r\nFigure 9 – Files encrypted by BianLian Ransomware\r\nIn the dropped ransom note, victims are given instructions on how to contact the TAs to restore their encrypted files.\r\nThe TAs threaten their victims, stating that important data such as financial, client, business, technical and personal files has been downloaded and will be posted on their leak site if the ransom is not paid within ten days.\r\nThe ransom note also contains the TAs’ Tox messenger ID for ransom negotiations and the Onion URL of the leak site page, shown in the figure below.\r\nFigure 10 – Ransom note\r\nThe figure below shows the BianLian Onion leak site home page and the extortion entries for affected companies.\r\nFigure 11 – BianLian Leak site home page\r\nThe BianLian Leak site contains the 
list of all companies affected by the ransomware and the TAs’ contact details for data recovery.\r\nFigure 12 – BianLian Leak site affected companies list \u0026 TAs contact details\r\nConclusion\r\nRansomware is becoming an increasingly common and effective attack method that affects organizations and their productivity. BianLian is GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The TAs also use the double extortion method, stealing an affected organization’s files and leaking them online if the ransom is not paid on time.\r\nTAs write their ransomware in GoLang for various reasons; the language enables a single codebase to be compiled for all major operating systems. The TAs behind BianLian are constantly making changes and adding new capabilities to avoid detection.\r\nCyble Research Labs will continue to monitor BianLian and other similar ransomware groups’ activities and analyze them to better understand their motivations.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers.\r\n
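Alongside the general best practices that follow, the host artefacts described in the technical analysis (the ransom note file name, the .bianlian extension applied through MoveFileExW(), and the cmd /c del self-deletion of the dropper) translate directly into detection logic for endpoint telemetry. The Python below is an added example written for this page, not code from Cyble or from any detection product. It runs three rules over a constructed, Sysmon-style event list that is invented here and not taken from a real incident; the thresholds are assumed tuning values, and the sample paths use forward slashes so the listing stays portable, while the normaliser also accepts real Windows paths.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set

RANSOM_NOTE = 'look at this instruction.txt'  # ransom note file name dropped by BianLian
ENCRYPTED_EXT = '.bianlian'                   # extension given to encrypted files
NOTE_DIR_THRESHOLD = 3   # assumed tuning value: distinct folders that received the note
RENAME_THRESHOLD = 4     # assumed tuning value: renames to .bianlian by one process
SELF_DELETE_PREFIX = 'cmd /c del '


def norm(path: str) -> str:
    # Fold backslashes to forward slashes and lower-case, so a real Windows path
    # and the forward-slash paths in the constructed sample compare identically.
    return path.replace(chr(92), '/').lower()


def parent_dir(path: str) -> str:
    return norm(path).rsplit('/', 1)[0]


def detect_bianlian_activity(events: Iterable[Dict]) -> List[Dict]:
    note_dirs: Dict[int, Set[str]] = defaultdict(set)
    rename_counts: Dict[int, int] = defaultdict(int)
    findings: List[Dict] = []
    for ev in events:
        op = ev['op']
        if op == 'file_create' and norm(ev['path']).endswith('/' + RANSOM_NOTE):
            # Rule 1: the same process writes the ransom note into several folders.
            note_dirs[ev['pid']].add(parent_dir(ev['path']))
        elif op == 'file_rename' and norm(ev['new_path']).endswith(ENCRYPTED_EXT):
            # Rule 2: MoveFileExW-style replacement of originals with .bianlian files.
            rename_counts[ev['pid']] += 1
        elif op == 'process_create':
            # Rule 3: a child cmd.exe deleting its own parent image (cmd /c del <parent>).
            cmd = norm(ev['cmdline'].strip())
            if cmd.startswith(SELF_DELETE_PREFIX):
                target = cmd[len(SELF_DELETE_PREFIX):].strip()
                if target and target == norm(ev.get('parent_image', '')):
                    findings.append({'rule': 'self_delete_via_cmd', 'pid': ev['parent_pid'],
                                     'target': ev['parent_image']})
    for pid, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            findings.append({'rule': 'ransom_note_dropped', 'pid': pid, 'count': len(dirs)})
    for pid, n in rename_counts.items():
        if n >= RENAME_THRESHOLD:
            findings.append({'rule': 'mass_rename_bianlian', 'pid': pid, 'count': n})
    return findings


# Constructed telemetry, not from a real incident. pid 4242 is the hypothetical encryptor;
# whether the original extension is kept before .bianlian is not stated, so only the suffix is matched.
SAMPLE_EVENTS = [
    {'op': 'file_create', 'pid': 4242, 'path': 'C:/Users/Admin/Documents/Look at this instruction.txt'},
    {'op': 'file_create', 'pid': 4242, 'path': 'C:/Users/Admin/Pictures/Look at this instruction.txt'},
    {'op': 'file_create', 'pid': 4242, 'path': 'D:/Shares/Finance/Look at this instruction.txt'},
    {'op': 'file_rename', 'pid': 4242, 'path': 'C:/Users/Admin/Documents/q3.xlsx',
     'new_path': 'C:/Users/Admin/Documents/q3.xlsx.bianlian'},
    {'op': 'file_rename', 'pid': 4242, 'path': 'C:/Users/Admin/Documents/plan.docx',
     'new_path': 'C:/Users/Admin/Documents/plan.docx.bianlian'},
    {'op': 'file_rename', 'pid': 4242, 'path': 'D:/Shares/Finance/ledger.db',
     'new_path': 'D:/Shares/Finance/ledger.db.bianlian'},
    {'op': 'file_rename', 'pid': 4242, 'path': 'D:/Shares/Finance/payroll.csv',
     'new_path': 'D:/Shares/Finance/payroll.csv.bianlian'},
    {'op': 'process_create', 'pid': 5100, 'parent_pid': 4242,
     'parent_image': 'C:/Users/Admin/Desktop/new_one.exe',
     'cmdline': 'cmd /c del C:/Users/Admin/Desktop/new_one.exe'},
    # benign noise that must not fire
    {'op': 'file_create', 'pid': 901, 'path': 'C:/Users/Admin/Documents/notes.txt'},
    {'op': 'file_rename', 'pid': 902, 'path': 'C:/Temp/log.txt', 'new_path': 'C:/Temp/log.txt.bak'},
    {'op': 'process_create', 'pid': 903, 'parent_pid': 900, 'parent_image': 'C:/Windows/explorer.exe',
     'cmdline': 'cmd /c del C:/Temp/old.log'},
]

if __name__ == '__main__':
    for finding in detect_bianlian_activity(SAMPLE_EVENTS):
        print(finding)
```

Rule 3 is the most portable of the three: the note name and extension change between ransomware families, but a child cmd.exe whose only job is to delete its parent’s image is a generic self-cleanup pattern worth alerting on regardless of family.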
We recommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Ransomware Attacks\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUsers Should Take the Following Steps After a Ransomware Attack\r\nDisconnect infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpact of BianLian Ransomware\r\nLoss of valuable data.\r\nLoss of the organization’s reputation and integrity.\r\nLoss of the organization’s sensitive business information.\r\nDisruption of organization operations.\r\nFinancial loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nExecution | T1059 | Command and Scripting Interpreter\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing\r\nDefense Evasion | T1036 | Masquerading\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1518 | Security Software Discovery\r\nDiscovery | T1120 | Peripheral Device Discovery\r\nImpact | T1486 | Data Encrypted for Impact\r\nLateral Movement | T1091 | Replication Through Removable Media\r\nIndicators of Compromise 
(IOCs)\r\nIndicator | Type | Description\r\n0c756fc8f34e409650cd910b5e2a3f00 | MD5 | BianLian Ransomware Executable\r\n70d1d11e3b295ec6280ab33e7b129c17f40a6d2f | SHA1 | BianLian Ransomware Executable\r\neaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2 | SHA256 | BianLian Ransomware Executable\r\n08e76dd242e64bb31aec09db8464b28f | MD5 | BianLian Ransomware Executable\r\n3f3f62c33030cfd64dba2d4ecb1634a9042ba292 | SHA1 | BianLian Ransomware Executable\r\n1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43 | SHA256 | BianLian Ransomware Executable\r\nSource: https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/"
	],
	"report_names": [
		"bianlian-new-ransomware-variant-on-the-rise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/488235bc5348768d17c4fe0d6829a74670c8d5f7.pdf",
		"text": "https://archive.orkl.eu/488235bc5348768d17c4fe0d6829a74670c8d5f7.txt",
		"img": "https://archive.orkl.eu/488235bc5348768d17c4fe0d6829a74670c8d5f7.jpg"
	}
}