Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Free Decryptors Released for BianLian, MegaCortex Ransomware

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.

Written in Golang, BianLian emerged in August 2022 and has been used in targeted attacks against entertainment, healthcare, media, and manufacturing organizations.

Once it has been executed on a victim’s machine, the malware identifies all available drives to find files and encrypt them.

BianLian targets a total of 1,013 file extensions and features a particular encryption routine: it does not encrypt data at the beginning of a file, nor data at its end.

Known for its fast encryption capabilities, the ransomware appends the “.bianlian” extension to the affected files and drops a ransom note named “Look at this instruction.txt” in each folder on the machine. Once the encryption process has been completed, the malware deletes itself.

Avast warns that its decryption tool only works with files encrypted with a known variant of BianLian and that victims of more recent versions of the ransomware might need to provide a malware binary to be able to recover their data for free.

The BianLian decryptor (direct download) is available on Avast’s website. The cybersecurity firm also provides detailed instructions on how the tool should be used.

The MegaCortex ransomware initially emerged in January 2019, but did not rise to fame until May that year, when it was used in a global attack campaign.

The malware was used by the same cybercriminals who also distributed the Dharma and LockerGoga ransomware, and who are believed to have infected roughly 1,800 victims, mostly companies.

In 2020, MegaCortex was mentioned in a FireEye report as being one of the six ransomware families to use a ‘process kill list’ targeting over 1,000 processes, including industrial software.

In October 2021, Europol and Norwegian Police announced the arrest of 12 individuals believed to have been part of the cybercrime ring.

Earlier this month, Bitdefender announced the availability of a free decryption tool for the MegaCortex victims, built in cooperation with the NoMoreRansom Project, Europol, and Swiss law enforcement. The decryptor is available on Bitdefender’s website (direct download) and the company also provides a step-by-step guide to using the tool.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.