CISA says BianLian ransomware now focuses only on data theft

The BianLian ransomware operation has shifted its tactics, becoming primarily a data theft extortion group, according to an updated advisory from the U.S. Cybersecurity & Infrastructure Security Agency, the FBI, and the Australian Cyber Security Centre.

This new information comes in an update to a joint advisory released in May by the same agencies, which warned about BianLian's shifting tactics involving the use of stolen Remote Desktop Protocol (RDP) credentials, custom Go-based backdoors, commercial remote access tools, and targeted Windows Registry modifications.

At the time, BianLian had started a switch to data theft extortion, gradually abandoning file encryption tactics, especially after Avast released a decryptor for the family in January 2023.

While BleepingComputer knows of BianLian attacks using encryption towards the end of 2023, the updated advisory says the threat group having shifted exclusively to data extortion since January 2024.

"BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024," reads CISA's updated advisory.

Another point highlighted in the advisory is that BianLian now attempts to obscure their origin by using foreign-language names. However, the intelligence agencies are confident the primary operators and multiple affiliates are based in Russia.

The advisory has also been updated with the ransomware gang's new techniques, tactics, and procedures:

• Targets Windows and ESXi infrastructure, possibly the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access.
• Uses Ngrok and modified Rsocks to mask traffic destinations using SOCK5 tunnels.
• Exploits CVE-2022-37969 to escalate privileges on Windows 10 and 11.
• Uses UPX packing to bypass detection.
• Renames binaries and tasks after legitimate Windows services and security products for evasion.
• Creates Domain Admin and Azure AD Accounts, performs network login connections via SMB, and installs webshells on Exchange servers.
• Users PowerShell scripts to compress collected data before exfiltration.
• Includes new Tox ID for victim communication in ransom note.
• Prints ransom notes on printers connected to the compromised network and calls employees of the victim companies to apply pressure.

Based on the above, CISA recommends strictly limiting the use of RDP, disabling command-line and scripting permissions, and restricting the use of PowerShell on Windows systems.

BianLian's latest activity

Active since 2022, BianLian ransomware has had a prolific year so far, listing 154 victims on its extortion portal on the dark web.

Though most of the victims are small to medium-sized organizations, BianLian has had some notable breaches recently, including those against Air Canada, Northern Minerals, and the Boston Children's Health Physicians.

The threat group has also recently announced breaches against a global Japanese sportswear manufacturer, a prominent Texas clinic, a global mining group, an international financial advisory, and a major dermatology practice in the U.S., but those have not been confirmed yet.