Avast has released a decryptor for the BianLian ransomware, which is available for public download.

BianLian appeared in August 2022, carrying out targeted attacks in various industries, primarily media, manufacturing and healthcare.

Ransomware is notable for encrypting files at high speeds.

BianLian is written in Go and compiled as a 64-bit Windows executable.

In the ransomware binary file, you can see a lot of lines, including information about the directory structure on the author's computer.

Data is encrypted using AES-256 in CBC mode. The length of the encrypted data reaches up to 16 bytes, as required by the AES CBC cipher.

After execution, BianLian searches for all available disks (from A: to Z:), on which it then searches and encrypts all files whose extension corresponds to one of the 1013 extensions hard-coded in the binary file of the program. 

At the same time, ransomware does not encrypt the file either from the beginning or to the end. Instead, there is a fixed file offset hard-coded in the binary file from which the encryption originates.

The offset varies depending on the sample, but none of the known samples encrypts data from the beginning of the file.

After encrypting the data, the ransomware adds the bianlian extension and a ransom note Look at this instruction.txt to each folder on the PC.

The decryptor can recover files encrypted only by a known variant of BianLian.

New victims may need to find the binary file of the ransomware on their hard drive.

However, this will be problematic because the ransomware deletes itself after encryption.

According to Avast telemetry, common BianLian ransomware file names on the victim's computer include: C:\Windows\TEMP\mativ.exe , C:\Windows\Temp\Areg.exe , C:\Users\%username%\Pictures\windows.exe and anabolic.exe .

When searching for a binary file, it is recommended to pay attention to the EXE file in a folder that usually does not contain executable files, such as %temp%, Documents or Pictures.

You should also check the antivirus storage. The typical size of a BianLian executable file is about 2 MB.

As noted by Avast, the detection of new samples will allow them to update the decoder accordingly.