CISA Reports BianLian Ransomware Shifts Focus to Data Theft

By Admin | 2024-11-23 | Ransomware

The BianLian ransomware group has fully transitioned into a data theft extortion operation, according to an updated advisory issued by the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre. This marks a significant evolution in their tactics, shifting from file encryption to data-centric extortion methods.


Transition to Data Theft

BianLian initially employed a double-extortion model, encrypting victims’ systems while exfiltrating sensitive data. However, following Avast’s release of a decryptor in January 2023, the group began abandoning file encryption. By January 2024, they had entirely shifted to data theft as their primary attack strategy, the advisory confirms.

“BianLian now focuses exclusively on exfiltration-based extortion,” states the updated guidance, highlighting their pivot in response to evolving cybersecurity measures.


Advanced Techniques and Tactics

The advisory outlines BianLian’s latest methods for infiltrating networks and evading detection:

* Targeting Infrastructure: Focuses on Windows and ESXi systems, leveraging vulnerabilities like ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access.

* Traffic Masking: Employs tools like Ngrok and modified Rsocks to hide destinations through SOCKS5 tunnels.

* Privilege Escalation: Exploits CVE-2022-37969 to escalate privileges on Windows 10 and 11 systems.

* Evasion Techniques: Uses UPX packing to bypass detection and renames binaries to mimic legitimate Windows services.

* Persistence: Creates Domain Admin and Azure AD accounts, installs web shells on Exchange servers, and uses PowerShell scripts to compress and exfiltrate data.

* Victim Communication: Includes Tox IDs in ransom notes and applies pressure through ransom notes printed on network printers or direct calls to employees.
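To show how a defender can screen endpoint artifacts for the evasion pattern listed above (a tool renamed to look like a Windows service binary and packed with UPX), here is an added Python example; it is not code from the advisory or from this article, and the allow-listed binary names, the system directories and the synthetic PE header used as sample input are assumptions.

```python
import struct
from pathlib import PureWindowsPath

# Assumed allow-list: these service binary names legitimately run only from
# the Windows system directories, so the same name elsewhere is suspicious.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, or [] if the buffer is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first 40-byte section header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def is_upx_packed(data: bytes) -> bool:
    """Stock UPX leaves UPX0/UPX1 section names unless the packer was modified to hide them."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def mimics_system_binary(image_path: str) -> bool:
    """Flag a system-binary name that runs from outside the Windows system directories."""
    p = PureWindowsPath(image_path)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS

def triage(image_path: str, data: bytes) -> list[str]:
    """Combine both checks into a list of human-readable findings for one process image."""
    findings = []
    if mimics_system_binary(image_path):
        findings.append("system-binary name outside system directory")
    if is_upx_packed(data):
        findings.append("UPX section names present")
    return findings

def _fake_pe(section_names):
    """Constructed minimal PE header (not a runnable executable) with the given sections."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)                       # 0x40-byte DOS stub
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew -> PE header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(hdr) + coff + secs
```

On a live host, feed `triage()` the image path from a process-creation event and the first few kilobytes of the file; the synthetic `_fake_pe()` buffers exist only so the checks can be exercised offline.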


Obscured Origins

The group is believed to operate out of Russia, despite attempts to disguise their origin by adopting foreign-language aliases.


Recent Activity and Notable Breaches

Since its emergence in 2022, BianLian has claimed 154 victims on its extortion portal this year alone. While most victims are small to medium-sized businesses, recent breaches include notable targets such as Air Canada, Northern Minerals, and Boston Children’s Health Physicians.

Unconfirmed attacks have also been reported against a global Japanese sportswear manufacturer, a prominent Texas clinic, and several other high-profile organizations.


CISA’s Recommendations

To mitigate the risk of BianLian attacks, CISA advises organizations to:

* Strictly limit Remote Desktop Protocol (RDP) use.

* Disable command-line and scripting permissions where possible.

* Restrict PowerShell usage on Windows systems.

* Follow best practices for securing networks and applying security patches.


As ransomware groups like BianLian continue to evolve their methods, cybersecurity experts emphasize the need for organizations to adapt and bolster defences to address emerging threats effectively.