Introduction

The BianLian ransomware group [1] [2] [3] [4] [5] [6] [7] [9] [10] [12], likely originating from Russia [5], has been a significant threat to critical national infrastructure (CNI) operators since June 2022. This group has targeted various sectors, including healthcare [6] [7], charity [7], professional services [3] [8], and property development [3] [8], across the United States [4] [6], Australia [1] [3] [5] [6] [7] [8] [9] [10], and the UK [1] [6]. Known for its evolving tactics, techniques [1] [2] [3] [4] [9], and procedures (TTPs) [1] [3] [9], BianLian has shifted its focus from traditional ransomware attacks to exfiltration-based extortion, posing severe financial, business [1] [6] [11], and legal risks to its victims.

Description

The BianLian ransomware group [1] [2] [3] [4] [5] [6] [7] [9] [10] [12], likely based in Russia [1] [3] [4] [6] [7] [9] [10] [11], has been highly active since June 2022 in targeting critical national infrastructure (CNI) operators across various sectors, including healthcare [6] [7], charity [7], professional services [3] [8], and property development [3] [8], in the United States [4] [6], Australia [1] [3] [5] [6] [7] [8] [9] [10], and the UK [1] [6]. This cybercriminal organization gained prominence alongside LockBit following the decline of the Conti crew and is recognized for its evolving tactics, techniques [1] [2] [3] [4] [9], and procedures (TTPs) [1] [3] [9], particularly in ransomware development [4] [10], deployment [4] [10], and data extortion [4] [10] [11]. By January 2023 [2] [4] [8] [10], BianLian shifted from a double-extortion model, where they encrypted victims’ systems and threatened to leak data [1], to a focus on exfiltration-based extortion [2] [4] [7], fully adopting this approach by January 2024 [8]. In this new method, systems remain intact [1] [6], and victims face financial [1] [6], business [1] [6] [11], and legal consequences if they do not comply with ransom demands [1]. The group has notably targeted organizations such as Save The Children, Boston Children’s Health Physicians [5] [7], and the Amherstburg Family Health Team [5] [7], a Canadian healthcare provider [7].

BianLian actors primarily gain access to victim systems through valid Remote Desktop Protocol (RDP) credentials [6] [9] [10], which may be obtained from initial access brokers or phishing attacks [11]. They have expanded their initial access techniques to exploit vulnerabilities in public-facing applications on both Microsoft Windows and VMware ESXi infrastructure, potentially utilizing the ProxyShell exploit chain for initial access [1] [2] [4] [11]. Once inside a network [11], BianLian actors implant custom backdoors [1] [11], often coded in Go, and install remote management software like AnyDesk and TeamViewer for persistence and command-and-control operations [1]. They also create or activate local administrator accounts [11], modify passwords to maintain control [11], and employ open-source tools and command-line scripting for system discovery and credential harvesting [9] [10]. Additionally, they may use the reverse proxy tool Ngrok or a modified version of the Rsocks utility to obscure command-and-control traffic [1].

In terms of defense evasion [4], BianLian has advanced its tactics by renaming binaries and scheduled tasks to mimic legitimate Windows services [4], packing executables with UPX to evade detection [2] [4], and disabling antivirus tools [1] [11], including Windows Defender and Anti-Malware Scan Interface (AMSI) [11]. The group modifies the Windows Registry to disable tamper protection for Sophos services and employs PsExec and RDP with valid accounts for lateral movement. They have been observed creating multiple domain admin accounts [4], installing webshells on Exchange servers [1], and utilizing the Server Message Block (SMB) protocol for lateral movement.

For data exfiltration [2] [4] [8], BianLian utilizes PowerShell scripts to search for sensitive files and commonly employs File Transfer Protocol (FTP) [4], Rclone [2] [8] [9] [10] [11], and the Mega file-sharing service [4]. Prior to January 2024 [2] [4], the group used an encryptor that modified files with a .bianlian extension [2] [4], but has since shifted to threatening to leak exfiltrated data without encrypting the victim’s systems [4]. They engage in high-pressure tactics to pressure victims into paying ransoms [11], such as printing ransom notes on compromised network printers and making threatening phone calls to employees of victim organizations [11].

Law enforcement agencies [7], including the FBI and the Australian Cyber Security Centre [3] [7], have issued warnings about BianLian’s activities [7], emphasizing the life-threatening risks associated with ransomware attacks on healthcare facilities [7]. The international community is increasingly alarmed by the group’s aggressive tactics and its focus on critical sectors [7], highlighting the urgent need for governments and private organizations to remain vigilant against the growing ransomware threat [7].

To protect against BianLian attacks [4], organizations are advised to audit remote access tools [4], implement application controls [2] [4], limit the use of RDP [4] [12], disable command-line activities [2] [4], restrict PowerShell usage [4], update PowerShell versions [4], and review accounts on domain controllers and active directories for any unauthorized access [4]. Cybersecurity agencies recommend that critical infrastructure organizations [6] [11], as well as small- to medium-sized enterprises, review and implement specific mitigations outlined in their advisories to reduce the risk and impact of BianLian and similar ransomware incidents [3], in alignment with the Cross-Sector Cybersecurity Performance Goals developed by CISA and the National Institute of Standards and Technology [3]. Victims of identity theft are also encouraged to seek assistance through identitytheft.gov.

Conclusion

The BianLian ransomware group represents a significant and evolving threat to critical infrastructure sectors worldwide. Its shift to exfiltration-based extortion underscores the need for robust cybersecurity measures and proactive defense strategies. Organizations must remain vigilant [7], implementing recommended mitigations to protect against such sophisticated cyber threats. The international community’s heightened awareness and response are crucial in combating the growing menace posed by groups like BianLian, ensuring the safety and security of vital services and information.

References

[1] https://blog.systmadeinc.com/bianlian-cyber-gang-drops-encryption-based-ransomware/
[2] https://avice.org/bianlian-ransomware-group-adopts-new-tactics-posing-significant-risk/
[3] https://www.cisa.gov/news-events/alerts/2024/11/20/cisa-and-partners-release-update-bianlian-ransomware-cybersecurity-advisory
[4] https://www.infosecurity-magazine.com/news/bianlian-ransomware-new-tactics/
[5] https://www.scworld.com/brief/joint-us-australian-advisory-sheds-more-light-on-bianlian-ransomware
[6] https://www.computerweekly.com/news/366616318/BianLian-cyber-gang-drops-encryption-based-ransomware
[7] https://news.cloudsek.com/2024/11/bianlian-ransomware-gang-shifts-to-data-extortion-law-enforcement-warns/
[8] https://community.gurucul.com/articles/ThreatResearch/StopRansomware-BianLian-Data-21-11-2024
[9] https://www.waterisac.org/portal/cisa-and-partners-release-update-bianlian-ransomware-cybersecurity-advisory
[10] https://australiancybersecuritymagazine.com.au/agencies-release-joint-advisory-on-russian-cybercriminal-group-bianlian/
[11] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
[12] https://www.aha.org/news/headline/2024-11-21-advisory-warns-activity-bianlian-ransomware-group