Go to listing page

BianLian: New Cross-Platform Ransomware Targeting Multiple Sectors

BianLian: New Cross-Platform Ransomware Targeting Multiple Sectors
BianLian, an open-source ransomware variant written in the Go, has gained popularity due to its cross-platform functionality. According to Cyble researchers, the malware was first identified in mid-July and has already affected nine well-known organizations.

Target specifics

  • The media and entertainment sectors have taken the brunt of BianLian attacks, with 25% of victims.
  • The remaining sectors—professional services, BFSI, manufacturing, healthcare, energy and utilities, and education—contribute 12.5% of the victims.

Modus operandi

BianLian attackers frequently demand extremely high ransoms and use a distinct encryption style.
  • The style breaks the file content into 10-byte pieces to avoid detection by the antivirus software. After reading 10 bytes from the source file, it encrypts the bytes and then copies the encrypted data into the target file.
  • If ransom demands are not met within 10 days, the operators resort to double extortion.


As with other ransomware, BianLian encrypts files after infecting a machine and sends a ransom letter containing instructions for contacting its operators.
  • In the process to determine whether the file is running in a WINE environment, BianLian checks the wine_get_version() function using the GetProcAddress() API.
  • To encrypt files more quickly, the ransomware generates numerous threads using the CreateThread() API method. This makes it more challenging to reverse engineer the malware.
  • The malware then uses the GetDriveTypeW() API function to detect the system drives (from A:/ to Z:/) and encrypt any data present on the connected drives.


The emergence of BianLian shows cybercriminals' dedicated effort to keep hopping tactics so as to avoid detection while keeping security experts on their toes. One way to prevent BianLian kind of threats is to timely update your device software, run anti-malware software, and refrain from opening any suspicious or unknown links or attachments.
Cyware Publisher