Avast has released a free decryptor for the BianLian ransomware strain, allowing victims to recover their files without paying the attackers.
The decryptor arrives roughly half a year after BianLian's activity surged in the summer of 2022, when the threat group breached multiple prominent organizations.
Avast's decryption tool only works on files encrypted by the BianLian variant that researchers have already analyzed.
It will not help if the attackers have switched to a modified version of the malware that researchers have not yet obtained.
Avast says the BianLian decryptor is still under development and should soon be able to unlock additional variants.
BianLian ransomware
BianLian ransomware, not to be confused with the Android banking trojan of the same name, is a Go-based ransomware that targets Windows systems.
It uses the symmetric AES-256 algorithm in CBC mode to encrypt files matching a list of more than 1,013 file types.
The malware uses intermittent encryption, encrypting only portions of each file. The technique speeds up the attack at the cost of how thoroughly the data is actually protected.
Encrypted files receive the ".bianlian" extension, and the ransom note warns victims that they have 10 days to comply with the attackers' demands or their stolen data will be published on the group's data leak site.
This report on the BianLian ransomware strain, published in December 2022, contains more information.
BianLian ransom note (Avast)
Avast’s decryptor
The BianLian ransomware decryptor can be downloaded for free. It is a standalone executable and does not need to be installed.
The user selects the location(s) to decrypt and then supplies the tool with two original/encrypted file pairs (an unencrypted copy of a file and the same file after encryption).
Setting the decryption parameters (BleepingComputer)
Victims who already know the password can enter it directly at this step. If they do not have it, the tool can attempt to recover it by trying every BianLian password known to Avast.
Decryptor cracking the BianLian password (Avast)
The tool can also be told to back up the encrypted files first, so that a mistake during decryption does not cause irreversible data loss.
Victims of newer BianLian versions will need to look for the ransomware binary on their hard drives, since it may contain data that helps decrypt the locked files.
Avast lists the following file names and locations where BianLian binaries have been seen:
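The following Go program is an added illustration, not code from the original article and not Avast's or BianLian's code. It ties together the two technical points above: intermittent AES-256-CBC encryption (only every other segment of a file is encrypted, so a large part of each file stays readable) and the decryptor's "try all known passwords" mode, which needs an original/encrypted file pair. Everything specific here is an assumption made for the example: the segment layout (64 bytes encrypted, 64 bytes skipped), deriving the AES key as SHA-256 of the password, a fixed IV, the constructed sample file and the constructed password list. The page does not describe BianLian's real key derivation, IV handling or segment sizes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// segmentSize is the illustrative intermittent layout: encrypt segmentSize
// bytes, leave the next segmentSize bytes in plaintext, repeat. This number is
// an assumption for the example, not BianLian's actual layout.
const segmentSize = 64

// constructedIV is a fixed 16-byte IV used only to keep the example
// deterministic; a real scheme would store a per-file IV.
var constructedIV = []byte("example-iv-16byt")

// knownPasswords is a constructed stand-in for a decryptor's built-in list.
var knownPasswords = []string{"password1", "bianlian2022", "hunter2-bianlian", "letmein"}

// sampleOriginal is a constructed 300-byte "document" standing in for a victim file.
func sampleOriginal() []byte {
	return bytes.Repeat([]byte("SENSITIVE-DATA "), 20)
}

// deriveKey turns a password into a 32-byte AES-256 key. SHA-256 of the raw
// password is an assumption chosen for the example; the real KDF is not on the page.
func deriveKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// intermittentCBC encrypts (decrypt=false) or decrypts (decrypt=true) every
// other segment of data with AES-256-CBC, keeping one chained CBC state across
// the encrypted segments. Bytes in the skipped segments are copied unchanged.
func intermittentCBC(data, key []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var mode cipher.BlockMode
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, constructedIV)
	} else {
		mode = cipher.NewCBCEncrypter(block, constructedIV)
	}
	out := make([]byte, len(data))
	copy(out, data)
	for off := 0; off < len(out); off += 2 * segmentSize {
		end := off + segmentSize
		if end > len(out) {
			end = len(out)
		}
		// CBC works on whole 16-byte blocks; a trailing partial block stays plaintext.
		end -= (end - off) % aes.BlockSize
		if end > off {
			mode.CryptBlocks(out[off:end], out[off:end])
		}
	}
	return out, nil
}

// recoverPassword mirrors the decryptor's "try all known passwords" mode: each
// candidate is used to re-encrypt the known original, and the result is compared
// with the encrypted copy. Returns "" when no candidate matches.
func recoverPassword(original, encrypted []byte, candidates []string) string {
	for _, pw := range candidates {
		got, err := intermittentCBC(original, deriveKey(pw), false)
		if err == nil && bytes.Equal(got, encrypted) {
			return pw
		}
	}
	return ""
}

// unchangedBytes counts bytes the scheme left identical to the original, which
// is what "faster at the cost of data security" means in practice.
func unchangedBytes(original, encrypted []byte) int {
	n := 0
	for i := range original {
		if original[i] == encrypted[i] {
			n++
		}
	}
	return n
}

func main() {
	orig := sampleOriginal()
	enc, err := intermittentCBC(orig, deriveKey("hunter2-bianlian"), false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d of %d bytes left in plaintext\n", unchangedBytes(orig, enc), len(orig))
	fmt.Printf("recovered password: %q\n", recoverPassword(orig, enc, knownPasswords))
}
```

Two things the paragraph alone does not show: with this layout almost half of the file (the skipped segments plus any trailing partial block) is never touched, and a single original/encrypted pair is enough to confirm a candidate password, because the re-encryption either matches byte for byte or it does not.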
- C:\Windows\TEMP\mativ.exe
- C:\Windows\Temp\Areg.exe
- C:\Users\%username%\Pictures\windows.exe
- anabolic.exe
The malware can delete itself after the file encryption phase, which makes it unlikely that victims will find the binary still on disk.
Those who do manage to retrieve a BianLian binary are asked to send it to "[email protected]" to help Avast improve the decryptor.