ransomware was created with the Go open source programming language, demonstrating how malware authors
Cybercriminals are flocking to spread BianLian, an emergent ransomware strain built in Go, the open-source programming language developed by Google.
According to a blog post released last week by Cyble Research Labs, BianLian's popularity has been on the rise since it was first discovered in mid-July. The researchers analyzed the ransomware in depth. So far, threat actors deploying BianLian have hit companies in the media and entertainment, manufacturing, education, healthcare, and banking, financial services, and insurance (BFSI) sectors.
According to Cyble, 25% of BianLian victims have been in the media and entertainment business, with the professional services, manufacturing, healthcare, energy and utilities, and education sectors accounting for 12.5% each.
Researchers say BianLian attackers frequently demand exceptionally high ransoms and use an unusual encryption technique that processes file content in 10-byte pieces to avoid detection by antivirus software. "First, it reads 10 bytes from the original file, then encrypts the bytes, and then copies the encrypted data into the target file," the Cyble researchers explained.
If the ransom is not paid within 10 days, BianLian's operators turn to double extortion, threatening to publish stolen data such as financial, customer, corporate, technical, and personal information. The group maintains an onion leak site for this purpose.
BianLian acts similarly to other ransomware in that it encrypts files after infecting a machine and provides a ransom letter, including instructions on contacting its .
Upon execution, BianLian uses the GetProcAddress() API to look up the wine_get_version() function and so determine whether it is running in a WINE environment, according to the researchers. The ransomware then spawns numerous threads using the CreateThread() API to encrypt files more quickly, which also makes reverse engineering the infection more difficult, the researchers said.
The malware then enumerates the system drives (from A: to Z:) via the GetDriveTypeW() API function and encrypts all data on the drives it finds, according to researchers.
BianLian is particularly remarkable for its use of Go as its core programming language, which gives threat actors greater freedom in designing and spreading the malware, according to the researchers. They added, "Many threats have been created utilizing the Go programming language, including Ransomware, RAT, Stealer, etc."
Go's cross-platform support enables a single codebase to be built for all major operating systems. This makes it simple for threat actors, such as those behind BianLian, to make regular modifications and add new capabilities to evade detection, according to the researchers.
Other threats written in Golang that have been active in the past year include the recently reappeared Kraken botnet and Blackrota, a carefully disguised backdoor.
While growing efforts by international law enforcement to crack down on the individuals behind big cybercriminal organizations have had some effect on ransomware, new threat operators and ransomware variations continue to emerge to replace those that have been rendered ineffective.
In its blog post, Cyble reiterated the following best practices for ransomware defense: performing regular offline backups; keeping device software up to date, preferably with automatic software updates; installing anti-malware software on devices; and avoiding opening any suspicious links or attachments.