18 May 2023

BianLian ransomware group shifts to extortion only attacks, FBI warns

The US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) released a joint security advisory detailing the tactics, techniques, and procedures (TTPs) of the BianLian ransomware operation.

The BianLian group has been operating since at least June 2022 and has actively targeted critical infrastructure organizations, including the healthcare and public health sector. It is known for developing and using ransomware in its attacks, typically engaging in double extortion tactics, where sensitive private data is exfiltrated from victims’ networks before files are encrypted. The group threatens to leak the stolen data if the ransom is not paid.

However, starting in January 2023, the threat actor changed its attack methods, focusing exclusively on exfiltration-based extortion, the three agencies said.

The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials and deploys a custom backdoor specific to each victim, as well as commercially available remote access tools like TeamViewer, Atera Agent, SplashTop, and AnyDesk.  

It also uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. PowerShell and Windows Command Shell are used to disable antivirus software such as Windows Defender and the Anti-Malware Scan Interface (AMSI), and the registry is modified to uninstall services such as the Sophos SAVEnabled, SEDenabled, and SAVService services.

To gain a better understanding of the victim’s environment, the group uses network scanners and other tools such as Advanced Port Scanner, SoftPerfect Network Scanner (netscan.exe), SharpShares, and PingCastle.

“BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group,” the advisory said.

To minimize the risk of attacks, organizations are advised to implement the mitigations provided in the security bulletin, such as auditing remote access tools, reviewing logs for execution of remote access software, implementing application controls to manage and control execution of software, limiting the use of RDP and other remote desktop services, disabling command-line and scripting activities and permissions, and restricting the use of PowerShell.
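The log-review side of those mitigations, as an added example that is not from the advisory or this article: a small Python triage over constructed process-creation events that flags the remote access tools, exfiltration utilities, discovery scanners and Defender/Sophos tampering described above, then ranks hosts where several of those TTPs stack up. Binary names (e.g. "atera" for Atera Agent), the Set-MpPreference indicator and the registry path are assumptions for illustration.

```python
import re
from typing import Dict, List

# Indicator table derived from the TTPs listed above. Patterns are deliberately
# loose substrings for illustration; binary names are assumptions, not from the page.
RULES = [
    ("remote_access_tool", re.compile(r"(teamviewer|atera|splashtop|anydesk)", re.I)),
    ("exfil_tool", re.compile(r"(rclone|megasync|megacmd)", re.I)),
    ("network_discovery", re.compile(r"(advanced_port_scanner|netscan|sharpshares|pingcastle)", re.I)),
    # Assumed indicator: Defender preferences being switched off from PowerShell.
    ("defense_evasion", re.compile(r"set-mppreference.*-disable", re.I)),
    # Assumed indicator: registry edits touching the Sophos services named above.
    ("av_service_tamper", re.compile(r"services\\(SAVService|SAVEnabled|SEDenabled)", re.I)),
]

def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the rule names matched by one process-creation event (image + command line)."""
    haystack = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return [name for name, pattern in RULES if pattern.search(haystack)]

def triage(events: List[Dict[str, str]]) -> Dict[str, list]:
    """Group matched events by host so an analyst sees which hosts stack multiple TTPs."""
    findings: Dict[str, list] = {}
    for ev in events:
        hits = classify_event(ev)
        if hits:
            findings.setdefault(ev["host"], []).append((ev["image"], hits))
    return findings

def prioritize(findings: Dict[str, list]) -> List[str]:
    """Hosts with two or more distinct TTP categories come first in the review queue."""
    return [h for h, hits in findings.items() if len({c for _, cats in hits for c in cats}) >= 2]

# Constructed sample events (not real telemetry), in a Sysmon/4688-like shape.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "fs02", "image": r"C:\tools\rclone.exe", "cmdline": "rclone.exe copy D:\\finance remote:share"},
    {"host": "fs02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe delete HKLM\SYSTEM\CurrentControlSet\Services\SAVService /f"},
    {"host": "dc01", "image": r"C:\Windows\System32\lsass.exe", "cmdline": "lsass.exe"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for host in prioritize(results):
        print(host, results[host])
```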
