A ransomware group known as BianLian has decided to part ways with its encryptor and focus solely on data theft and extortion instead, experts are reporting.
In a new report, cybersecurity researchers at Redacted describe BianLian attempting to extort businesses for money without encrypting their endpoints first.
The researchers are now speculating as to what motivated BianLian to change course, with two scenarios emerging as the most likely ones.
"The group promises that after they are paid, they will not leak the stolen data or otherwise disclose the fact the victim organization has suffered a breach. BianLian offers these assurances based on the fact that their 'business' depends on their reputation," Redacted said in its analysis.
"In several instances, BianLian made reference to legal and regulatory issues a victim would face were it to become public that the organization had suffered a breach. The group has also gone so far as to include specific references to the subsections of several laws and statutes."
The researchers have also found that the laws and statutes BianLian refers to are often localized, and very relevant to the victim. That made them conclude that the group is looking to improve its negotiation skills in order to extort as much money as possible.
The researchers offer two possible explanations for why the group decided to ditch the encryptor. The first is that the group realized that infecting the endpoints with ransomware and running the entire operation is too time-consuming, too costly and, at the end of the day, redundant. With the right extortion skills, stealing data is enough for a successful attack.
The second one is that the group hasn’t adapted properly since Avast released a free decryptor in January this year. When that happened, the threat actor explained that the decryptor wasn’t that disruptive as it only worked on older versions of the ransomware, and would actually corrupt files encrypted by the newer versions.
As of a week ago, BleepingComputer reports, BianLian has almost 120 victims on its extortion portal. The majority (71%) are US-based.