Ransomware group BianLian claims to have carried out a cyberattack on a UK-based jeweller with an annual revenue of over $100m. Although the gang has not named the company concerned, it says it has stolen 600Gb of data from its systems, including network user folders and files from the software it uses.

An unnamed UK jeweller has been posted to blog of the BianLian ransomware gang. (Photo by grafvision/Shutterstock)

According to the post, the company has been given “weeks” before the data will be made available. “Contact us if you want to get it or if you want to protect it,” it says.

Is BianLian’s latest victim a UK company?

Though it does not name the company involved, BianLian says its victim has over 100 stores in the UK and an annual revenue of over $100m.

According to a teaser of the name at the top of the document, the named of the impacted company is * *i***. High street jeweller F Hinds has over 115 stores in the UK and reported just over $98m in revenue last year. Tech Monitor has contacted the company to find out if it has suffered a cyberattack.

The cybercriminal group claims to have lifted a list of files from the company, which it believes are valuable enough to catch their attention. Among these files are network user folders, file server data, company software and vendor and supplier information. 

The gang has said that the data will be posted within a matter of weeks if the company does not get in contact. 

BianLian ransomware gang gets busy

This week BianLian has also posted a telecommunications services company in “the Asia region”, with a revenue of over $500m, alongside claims of a data leak of 1.2 terabytes of information.

Earlier this year the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory concerning BianLian, calling it a “ransomware developer, destroyer and data extortion cybercriminal group that has targeted organisations in multiple US critical infrastructure sectors since June 2022.”

Allan Liska, head of the cybersecurity incident response team at security vendor Recorded Future, believes there could be a link between the groups BianLian and Pysa, as they appear to have similar attack patterns with matching posts. Pysa, also known as Mespinoza, targets victims in the UK and US, according to a warning by the FBI. “I have only seen a couple of people make the connection between Pysa ransomware and BianLian, but looking at victims published to their data leak sites, the contrast is pretty stark,” he said.

BianLian changed its tactics at the beginning of this year, CISA warned, from the double extortion model, where a cybercriminal will lift sensitive data to blackmail a company with, before encrypting its files to hold its business hostage, to solely exfiltrating sensitive data.

Hüseyin Can Yuceel, a security researcher at Picus Security told Tech Monitor earlier this year that BianLian is not the only ransomware gang engaged in encryption-less ransomware. “We observed a significant rise in encryption-less extortion attacks that only relies on the exfiltration of sensitive data,” he said. “Although these attacks do not leverage the power of cryptographic encryption algorithms, they still pose significant risks to organisations.”

He added that: “In encryption-less extortion attacks, threat actors steal their victims’ confidential data and threaten to disclose stolen data unless the demanded ransom is paid.”

Read more: Progress Software faces class action lawsuit over MOVEit Transfer vulnerability