A ransomware group known as BianLian has decided to part ways with its encryption tool and instead focus solely on data theft and extortion, according to experts.
A new report by Redacted cybersecurity researchers has noted that BianLian is trying to extort money from companies – without first encrypting their endpoints.
The researchers are now speculating about what motivated BianLian to change course, with two scenarios most likely.
Decryptor released
“The group promises that once they receive payment, they will not disclose the stolen data or otherwise disclose the fact that the victim’s organization has suffered a breach. BianLian offers these guarantees based on the fact that their ‘business’ depends on their reputation,” he said in his analysis.
“In several cases, BianLian has addressed the legal and regulatory issues a victim would face if it was made public that the organization had suffered a breach. The group also went so far as to make specific references to subsections of several laws and statutes.”
Researchers have also found that the laws and statutes BianLian refers to are often localized and highly relevant to the victim. This led them to conclude that the group wanted to improve their negotiating skills in order to extort as much money as possible.
When trying to explain why the group decided to abandon the encryption program, two possible explanations emerged. First, the group realized that infecting endpoints with ransomware and carrying out the entire operation was too time-consuming, too expensive, and ultimately unnecessary. With the right extortion skills, data theft is enough for a successful attack.
Secondly, the group has not properly adjusted since Avast released a free decryptor in January this year. When this happened, the threat actor explained that the decryptor was not that much of a pain because it only worked on older ransomware versions and actually corrupted files encrypted by newer versions.
As BleepingComputer reports, BianLian has almost 120 victims on its extortion portal. The majority (71%) are based in the US.
By: BleepingComputer