Ransomware - BianLian

BianLian
Description

The group pivoted from crypto-ransomware to exfiltration-only extortion after a flaw was discovered in their encryptor, which led to a public decryptor. The flaw was primarily that the group used AES-256-CBC without encrypting the symmetric key.

This entry is under construction. However, we have included some details below.

Ransomware Type: Crypto-Ransomware, Data Broker
First Seen:
Last Seen:
Extortion Types: Blackmail, Direct Extortion, Double Extortion, Free Data Leaks, Victim Client Communication, Victim Employee Communication
Medium: Tox
Identifier: Tox
Encryption
  Type: Symmetric
  Files: AES-256-CBC
File Extension: <file name>.<file extension>.bianlian
Ransom Note Name: Look at this instruction.txt
Samples (SHA-256): eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2