The BianLian ransomware group has pivoted its strategy to concentrate exclusively on data theft extortion, according to a recent update from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). This development aligns with input from the FBI and the Australian Cyber Security Centre in an advisory that sheds light on the group’s evolving tactics.
Shift in Tactics
BianLian, first profiled in a joint advisory issued in May, has moved from file encryption to relying heavily on data theft for extortion. The transition became prominent after Avast released a decryptor for BianLian in January 2023. Although encryption was still observed at the end of 2023, the group reportedly committed fully to data extortion by January 2024. A statement from CISA describes the shift: "BianLian group originally employed a double-extortion model... however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024."
Techniques and Operations
BianLian's updated methodologies include sophisticated techniques targeting Windows and ESXi systems, potentially using the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for infiltration. The group employs various tactics to obscure its activities, such as:
- Utilizing Ngrok and customized Rsocks for SOCKS5 tunnels to hide traffic
- Exploiting CVE-2022-37969 for privilege escalation on Windows 10 and 11
- Employing UPX packing to avoid detection
- Renaming processes after legitimate Windows services to evade security measures
- Establishing Domain Admin and Azure AD accounts for network infiltration
- Deploying PowerShell scripts to compress and exfiltrate data
To exert pressure on victims, BianLian not only uses Tox IDs and ransom notes but also targets network-connected printers and contacts company employees directly.
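The advisory lists UPX packing as one of the group's evasion techniques. A quick triage check defenders can run on a suspicious Windows binary is to walk the PE section table and look for the section names UPX leaves behind (UPX0, UPX1, UPX2) together with the "UPX!" marker the packer writes into its own header. The following is an added example written for this article, not code from CISA or from the advisory; the minimal PE image it builds is a constructed fixture with no executable content, and the `build_minimal_pe` and `upx_indicators` names are this example's own.

```python
import struct

# Section names the UPX packer creates by default (attackers can rename them,
# so treat a match as an indicator, not proof; absence is not a clean bill).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"  # tag UPX writes into its packer header


def build_minimal_pe(section_names, trailer=b""):
    """Constructed fixture: a syntactically valid but non-runnable PE32 image
    whose section table carries the given names. Used only to exercise the parser."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    pe_sig = b"PE\0\0"
    size_opt = 224                                   # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(size_opt - 2)   # Magic = PE32, rest zeroed
    sections = b""
    for name in section_names:
        raw_name = name.encode("ascii")[:8].ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (40-byte IMAGE_SECTION_HEADER)
        sections += raw_name + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400,
                                           0, 0, 0, 0, 0x60000020)
    return bytes(dos) + pe_sig + coff + opt + sections + trailer


def pe_section_names(data):
    """Parse the DOS header, PE signature, COFF header and section table;
    return the section names in file order. Raises ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    sec_off = coff_off + 20 + size_opt
    names = []
    for i in range(nsec):
        off = sec_off + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Return the UPX evidence found in a PE image: matching section names,
    the packer magic, and an overall verdict."""
    names = pe_section_names(data)
    hits = [n for n in names if n in UPX_SECTION_NAMES]
    magic = UPX_MAGIC in data
    return {
        "sections": names,
        "upx_sections": hits,
        "upx_magic": magic,
        "likely_upx": bool(hits) or magic,
    }


if __name__ == "__main__":
    clean = build_minimal_pe([".text", ".rdata", ".data"])
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], trailer=UPX_MAGIC)
    for label, image in (("clean fixture", clean), ("packed fixture", packed)):
        print(label, upx_indicators(image))
```

In real triage this check belongs alongside per-section entropy and import-table inspection, because renaming the UPX sections costs an attacker nothing; a high-entropy section with a near-empty import table is the stronger signal.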
Recommendations
CISA advocates for stringent security measures, including the limitation of Remote Desktop Protocol (RDP) usage, disabling command-line scripting, and restricting PowerShell access on Windows systems.
Recent Activity
BianLian, active since 2022, has targeted 154 organizations, predominantly smaller enterprises, as listed on its dark web leak site. Recent high-profile breaches have involved Air Canada, Northern Minerals, and Boston Children's Health Physicians. Additionally, BianLian has hinted at breaches affecting a global sportswear company, a major clinic in Texas, an international mining firm, a financial advisory entity, and a significant dermatology practice, though these claims await confirmation.