18 May 2023

BianLian ransomware group shifts to extortion only attacks, FBI warns

The US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) released a joint security advisory detailing the tactics, techniques, and procedures (TTPs) of the BianLian ransomware operation.

The BianLian group has been operating since at least June 2022 and has actively targeted critical infrastructure organizations, including the healthcare and public health sector. It is known for developing and using ransomware in its attacks, typically engaging in double extortion tactics, where sensitive private data is exfiltrated from victims’ networks before files are encrypted. The group threatens to leak the stolen data if the ransom is not paid.

However, since January 2023 the threat actor has shifted its attack methods to focus exclusively on exfiltration-based extortion, the three agencies said.

The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials and deploys a custom backdoor specific to each victim, as well as commercially available remote access tools like TeamViewer, Atera Agent, SplashTop, and AnyDesk.

It also uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. PowerShell and Windows Command Shell are used to disable antivirus and scanning components such as Windows Defender and the Anti-Malware Scan Interface (AMSI), and the registry is modified to uninstall Sophos services such as SAVEnabled, SEDenabled, and SAVService.

To gain a better understanding of the victim’s environment, the group uses network scanners and other tools such as Advanced Port Scanner, SoftPerfect Network Scanner (netscan.exe), SharpShares, and PingCastle.

“BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group,” the advisory said.

To minimize the risk of attacks, organizations are advised to implement the mitigations provided in the security bulletin, such as auditing remote access tools, reviewing logs for execution of remote access software, implementing application controls to manage and control execution of software, limiting the use of RDP and other remote desktop services, disabling command-line and scripting activities and permissions, and restricting the use of PowerShell.
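The advisory's recommendation to review logs for execution of remote access software can be turned into a simple triage pass over process-creation events. The script below is an added example written for this article, not code from the FBI, CISA, ACSC or the article's author. It assumes a simplified pipe-delimited log format (timestamp|host|user|image path|command line) and uses loose substring patterns built from the product names the article mentions (TeamViewer, Atera, SplashTop, AnyDesk, netscan.exe, SharpShares, PingCastle, Rclone, Mega, FTP) plus Defender preference changes made through `Set-MpPreference`; those patterns are assumptions for illustration, not signatures published by the agencies. The sample log lines are constructed.

```python
"""Triage process-creation logs for the tooling named in the BianLian advisory.

Added example, not part of the original article. Log lines are constructed in
a simplified pipe-delimited form (timestamp|host|user|image|command line); the
patterns are assumptions derived from the product names in the article, not
signatures published by the agencies, and are loose on purpose so that analysts
review the hits rather than treat them as verdicts.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Finding:
    ts: str
    host: str
    category: str
    matched: str
    image: str


# Assumed patterns, grouped by the role the tool played in the advisory.
RULES = {
    "remote_access": [r"teamviewer", r"anydesk", r"atera", r"splashtop"],
    "discovery": [r"advanced[_ ]port[_ ]scanner", r"netscan\.exe", r"sharpshares", r"pingcastle"],
    "exfiltration": [r"\brclone\b", r"megacmd", r"\bftp\.exe"],
    # Defender preference changes that switch a protection off (Set-MpPreference -Disable...).
    "defense_evasion": [r"set-mppreference\s+-disable\w+"],
}
COMPILED = {cat: [re.compile(p, re.I) for p in pats] for cat, pats in RULES.items()}


def parse_line(line):
    """Split one pipe-delimited record; return None for malformed input."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return Event(*parts)


def classify(event, approved=frozenset()):
    """Return at most one Finding per category for this event.

    `approved` is a lowercase set of remote access products the organization
    has audited and sanctioned; hits on those are suppressed so that the
    remaining remote_access findings are the unexpected ones."""
    findings = []
    haystack = f"{event.image} {event.cmdline}"
    for category, patterns in COMPILED.items():
        for pat in patterns:
            m = pat.search(haystack)
            if not m:
                continue
            if category == "remote_access" and m.group(0).lower() in approved:
                break
            findings.append(Finding(event.ts, event.host, category, m.group(0), event.image))
            break
    return findings


def scan(lines, approved=frozenset()):
    """Run every parsable log line through the rules and collect findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            findings.extend(classify(ev, approved))
    return findings


def summarize(findings):
    """Count findings per category for a quick overview."""
    return dict(Counter(f.category for f in findings))


# Constructed sample log: one benign RDP client launch, a malformed record,
# and four events that each match a different rule category.
SAMPLE_LOG = [
    "2023-01-12T03:14:07Z|WS-FIN-07|corp\\jdoe|C:\\Windows\\System32\\mstsc.exe|mstsc.exe /v:fileserver",
    "this line is not a valid record",
    "2023-01-12T03:20:41Z|WS-FIN-07|corp\\jdoe|C:\\Users\\jdoe\\Downloads\\netscan.exe|netscan.exe",
    "2023-01-12T03:25:09Z|WS-FIN-07|corp\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    "2023-01-12T03:31:55Z|SRV-FILE-02|corp\\svc_backup|C:\\Program Files\\TeamViewer\\TeamViewer.exe|TeamViewer.exe",
    "2023-01-12T04:02:13Z|SRV-FILE-02|corp\\svc_backup|C:\\Tools\\rclone.exe|rclone.exe copy D:\\Finance remote:backup",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.category:16} {f.matched!r} ({f.image})")
    print(summarize(scan(SAMPLE_LOG)))
```

Passing an `approved` set (for example `scan(lines, approved={"teamviewer"})`) models the audit step the advisory recommends: once the sanctioned remote access tools are inventoried, only the unexpected ones remain in the remote_access findings, while discovery, exfiltration and defense-evasion hits are always reported.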
