CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Malware & Threats

Free Decryptors Released for BianLian, MegaCortex Ransomware

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.

Written in Golang, BianLian emerged in August 2022 and has been used in targeted attacks against entertainment, healthcare, media, and manufacturing organizations.

Once it has been executed on a victim’s machine, the malware identifies all available drives to find files and encrypt them.

BianLian targets a total of 1,013 file extensions and features a particular encryption routine: it does not encrypt data at the beginning of a file, nor data at its end.

Known for its fast encryption capabilities, the ransomware appends the “.bianlian” extension to the affected files and drops a ransom note named “Look at this instruction.txt” in each folder on the machine. Once the encryption process has been completed, the malware deletes itself.

Avast warns that its decryption tool only works with files encrypted with a known variant of BianLian and that victims of more recent versions of the ransomware might need to provide a malware binary to be able to recover their data for free.

The BianLian decryptor (direct download) is available on Avast’s website. The cybersecurity firm also provides detailed instructions on how the tool should be used.

The MegaCortex ransomware initially emerged in January 2019, but did not rise to fame until May that year, when it was used in a global attack campaign.

Advertisement. Scroll to continue reading.

The malware was used by the same cybercriminals who also distributed the Dharma and LockerGoga ransomware, and who are believed to have infected roughly 1,800 victims, mostly companies.

In 2020, MegaCortex was mentioned in a FireEye report as being one of the six ransomware families to use a ‘process kill list’ targeting over 1,000 processes, including industrial software.

In October 2021, Europol and Norwegian Police announced the arrest of 12 individuals believed to have been part of the cybercrime ring.

Earlier this month, Bitdefender announced the availability of a free decryption tool for the MegaCortex victims, built in cooperation with the NoMoreRansom Project, Europol, and Swiss law enforcement. The decryptor is available on Bitdefender’s website (direct download) and the company also provides a step-by-step guide to using the tool.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.