
BianLian Ransomware

The BianLian Ransomware is a powerful threat written in the Go programming language. Go has been rising in popularity among cybercriminals because of its cross-platform capabilities and because it makes reverse engineering their malware more difficult. As for the BianLian Ransomware, researchers state that in just a couple of months, the threat has managed to infect 9 victims. The targeted organizations operate in banking, financial services, education, healthcare, manufacturing and other sectors.

When the BianLian Ransomware is activated on the infected devices, it will lock the data stored there with an uncrackable cryptographic algorithm. As a result, victims will lose access to their files, potentially leading to serious disruptions in the normal operations of the impacted organization. Each encrypted file will have '.bianlian' appended to its original name. In addition, the threat will create a text file named 'Look at this instruction.txt' on the desktop of the device.

Inside the text file, victims will find a ransom note with instructions. The message reveals that the operators of the BianLian Ransomware are running a double-extortion scheme. They claim to have collected various confidential and sensitive data, such as financial, client, technical and personal files. Victims have 10 days to contact the attackers and reach an agreement, or their private data will be published on a dedicated leak site. According to the note, the threat actors can be reached via the 'tox' messenger or the 'swikipedia@onionmail.org' email address.

The full message left by BianLian Ransomware is:

'Your network systems were attacked and encrypted. Contact us in order to restore your data. Don't make any changes in your file structure: touch no files, don't try to recover by yourself, that may lead to it's complete loss.

To contact us you have to download "tox" messenger: hxxps://qtox.github.io/

Add user with the following ID to get your instructions:
A4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC

Alternative way: swikipedia@onionmail.org

Your ID:

You should know that we have been downloading data from your network for a significant time before the attack: financial, client, business, post, technical and personal files.
In 10 days - it will be posted at our site hxxp://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion with links send to your clients, partners, competitors and news agencies, that will lead to a negative impact on your company: potential financial, business and reputational loses.
'
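The indicators described above (the '.bianlian' extension, the 'Look at this instruction.txt' note and the contact details inside it) can be used to scope an incident on a mounted volume or file share. The following triage script is an added example, not part of the original write-up; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators quoted in the write-up above.
ENCRYPTED_SUFFIX = ".bianlian"
NOTE_NAME = "look at this instruction.txt"
NOTE_MARKERS = ("swikipedia@onionmail.org", "qtox.github.io")

def triage(root):
    """Return (encrypted-file count per directory, confirmed notes, unconfirmed notes)."""
    per_dir, confirmed, unconfirmed = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                per_dir[rel] += 1
            elif lower == NOTE_NAME:
                # A matching name alone is weak evidence; check the contents too.
                try:
                    with open(os.path.join(dirpath, name), errors="replace") as fh:
                        text = fh.read(65536).lower()
                except OSError:
                    text = ""
                hit = any(marker in text for marker in NOTE_MARKERS)
                (confirmed if hit else unconfirmed).append(os.path.join(rel, name))
    return dict(per_dir), sorted(confirmed), sorted(unconfirmed)

def demo():
    """Run triage over a constructed sample tree (not real incident data)."""
    sample = {
        "Desktop/Look at this instruction.txt": "Alternative way: swikipedia@onionmail.org",
        "Shares/finance/q1.xlsx.bianlian": "constructed",
        "Shares/finance/q2.xlsx.BIANLIAN": "constructed",
        "Shares/finance/readme.txt": "untouched file",
        "Notes/look at this instruction.txt": "shopping list",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    counts, confirmed, unconfirmed = demo()
    print("encrypted files per directory:", counts)
    print("ransom notes (content matched):", confirmed)
    print("same name, content not matched:", unconfirmed)
```

Running `triage()` read-only against a forensic copy or snapshot avoids changing timestamps on the affected system.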
