The BianLian ransomware group has undergone a significant transformation, transitioning into a data theft extortion organization, as highlighted in a recent advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre. This shift marks a departure from their previous double-extortion strategies that involved file encryption.
The latest advisory updates a joint warning issued in May, which discussed BianLian’s evolving tactics that included leveraging stolen Remote Desktop Protocol (RDP) credentials alongside custom Go-based malware and commercial remote access solutions. The group had initially adopted data encryption methods for extortion purposes but began pivoting towards data theft after the release of a decryptor by Avast for their ransomware variants in January 2023.
Evidence suggests that while BianLian may have utilized encryption techniques throughout 2023, the advisory clarifies that as of January 2024, the group has exclusively focused on exfiltration-based extortion. According to CISA, “BianLian originally used a double-extortion model, encrypting victims’ systems after exfiltrating data. By January 2023, they primarily shifted to exfiltration-based extortion, and by January 2024, exclusively employed this method.”
The advisory also points out that BianLian is currently employing various tactics to obscure its origins, including the use of foreign-language aliases. However, intelligence assessments indicate that the main operators and associated affiliates are likely operating from Russia, a country that accounts for a substantial share of cybercriminal activity.
As the situation develops, CISA has identified a range of new techniques and procedures employed by BianLian. These include targeting Windows and ESXi infrastructure and exploiting known vulnerabilities such as the ProxyShell exploit chain to gain initial access. The group employs traffic obfuscation tools such as Ngrok and modified Rsocks to disguise its online activity, and exploits vulnerabilities such as CVE-2022-37969 for privilege escalation on Windows systems. It further uses various methods to evade detection, including UPX packing, renaming malicious files to resemble legitimate Windows services, and using PowerShell scripts to prepare collected data for exfiltration.
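As an added example that is not part of the advisory or this article, the Python check below walks a PE file's DOS header, PE signature, COFF header and section table and flags the section names UPX leaves behind by default; the `build_pe` fixture, `pe_section_names` and `upx_sections` are my own names, and the PE images it builds are constructed minimal headers for offline testing, not real samples.

```python
import struct

def build_pe(section_names, opt_size=0x70):
    """Constructed fixture: a minimal, non-runnable PE image whose only
    populated fields are the ones the parser below reads."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    # IMAGE_SECTION_HEADER is 40 bytes; only the 8-byte Name field is filled in
    section_table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos_header + b"PE\x00\x00" + coff_header + b"\x00" * opt_size + section_table

def pe_section_names(data):
    """Return the section names of a PE image, raising ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first section header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names

def upx_sections(data):
    """Section names UPX writes by default (UPX0/UPX1, plus UPX2 when resources are
    kept). Packers can rename sections, so an empty result is not a clean bill."""
    return [n for n in pe_section_names(data) if n.upper().lstrip(".").startswith("UPX")]

if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])      # constructed "packed" header
    plain = build_pe([".text", ".rdata", ".data"])    # constructed "normal" header
    print("packed:", upx_sections(packed))   # ['UPX0', 'UPX1']
    print("plain:", upx_sections(plain))     # []
```

Because UPX is a legitimate packer, a hit is a triage signal to pair with the file's path and name (the advisory notes files renamed to look like Windows services), not a verdict on its own.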
The advisory underscores the increased risk posed by BianLian, which has listed a notable 154 victims on its dark web extortion portal so far this year. Victims have predominantly included small to medium-sized businesses, though more significant breaches have targeted larger organizations such as Air Canada and Boston Children’s Health Physicians. BianLian has also claimed attacks against prominent firms across various sectors, including an international Japanese sportswear manufacturer and a major dermatology practice based in the U.S., although some of these claims remain unverified.
Given the evolving landscape of cyber threats, it is essential for organizations to enhance their cybersecurity measures. CISA recommends stringent restrictions on RDP use, disabling command-line and scripting permissions, and limiting PowerShell access on Windows systems to mitigate the risk associated with such attacks. As BianLian and similar groups continue to exploit existing vulnerabilities for financial gain, a proactive approach to cybersecurity will be crucial for businesses aiming to safeguard their sensitive data and maintain operational integrity.