BianLian Ransomware: A Shift to Data Extortion
The cybersecurity landscape is constantly evolving, and ransomware groups are no exception. A recent joint advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre reveals a significant shift in the tactics employed by the BianLian ransomware operation. This group, once known for its double-extortion model (encrypting files and stealing data), has now transitioned exclusively to data theft and extortion. This change marks a concerning development in the ongoing fight against ransomware.
Technical Details of the BianLian Ransomware Evolution
The advisory, an update to a May 2024 release, details BianLian’s evolution.
“BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024,” the CISA advisory states.
This shift, according to the advisory, likely stems from the release of a decryptor by Avast in January 2023, rendering their encryption efforts less effective. While some BianLian attacks involving encryption were observed towards the end of 2023, the advisory emphasizes the group’s complete transition to data extortion by January 2024.
The BianLian ransomware group’s technical arsenal is sophisticated and constantly evolving. Their techniques include:
- Initial Access: Targeting Windows and ESXi infrastructure, potentially leveraging the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
- Traffic Obfuscation: Utilizing Ngrok and modified Rsocks to mask traffic destinations via SOCKS5 tunnels.
- Privilege Escalation: Exploiting CVE-2022-37969 to gain elevated privileges on Windows 10 and 11 systems.
- Evasion Techniques: Employing UPX packing to bypass detection and renaming binaries and tasks to mimic legitimate Windows services and security products.
- Data Exfiltration and Persistence: Creating Domain Admin and Azure AD accounts, accessing networks via SMB, installing webshells on Exchange servers, and using PowerShell scripts to compress data before exfiltration.
- Extortion Methods: Including a new Tox ID for victim communication in ransom notes, printing ransom notes on compromised network printers, and directly contacting victim company employees to pressure payment.
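The renamed scheduled tasks and newly created Domain Admin accounts described above leave traces in the Windows Security log. The following added example (not from the advisory or this article) runs two simple detection rules over constructed, simplified event lines: a scheduled task (event 4698) whose name mimics a Windows component but whose command runs from outside trusted directories, and an account that is created (event 4720) and then added to a privileged group (event 4728). The key="value" line layout and all sample values are assumptions made for the example.

```python
import re

# Constructed sample events (not real telemetry): one Windows Security event per
# line, with the fields relevant to the rules rendered as key="value" pairs.
# The event IDs are the real Security log IDs; the line layout is an assumption.
SAMPLE_EVENTS = [
    r'EventID=4698 SubjectUserName="svc_backup" TaskName="\Microsoft\Windows\WindowsUpdate\Scheduled Start" Command="C:\Windows\System32\usoclient.exe"',
    r'EventID=4698 SubjectUserName="jsmith" TaskName="\Microsoft\Windows\Windows Defender\Cache Maintenance" Command="C:\Users\Public\Libraries\MsMpEng.exe"',
    r'EventID=4720 SubjectUserName="jsmith" TargetUserName="svc_helpdesk"',
    r'EventID=4728 SubjectUserName="jsmith" TargetUserName="svc_helpdesk" GroupName="Domain Admins"',
    r'EventID=4728 SubjectUserName="admin01" TargetUserName="svc_sql" GroupName="Backup Operators"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Words that make a task name look like a built-in Windows maintenance job.
LEGIT_LOOKING = ("microsoft", "windows", "defender", "update")
# Directories legitimate Windows tasks normally execute from (lower-cased).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse_event(line):
    """Turn one key="value" line into a dict; unquoted values are allowed too."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines):
    """Return (rule, subject, detail) tuples for events matching either rule."""
    findings = []
    created = set()  # accounts created earlier in the same event stream
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4698":  # scheduled task created
            name = ev.get("TaskName", "").lower()
            cmd = ev.get("Command", "").lower()
            if any(w in name for w in LEGIT_LOOKING) and not cmd.startswith(TRUSTED_DIRS):
                findings.append(("masquerading_task", ev["TaskName"], ev["Command"]))
        elif eid == "4720":  # user account created
            created.add(ev.get("TargetUserName"))
        elif eid == "4728" and ev.get("GroupName") in PRIVILEGED_GROUPS:
            # Creation followed by promotion in the same stream is the stronger signal.
            rule = "new_account_made_admin" if ev.get("TargetUserName") in created else "privileged_group_add"
            findings.append((rule, ev["TargetUserName"], ev["GroupName"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Against real telemetry the same rules would read the task name, action path, target account and group from the event XML rather than from this flattened layout.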
The group attempts to mask its Russian origins by using foreign-language names in its operations, but intelligence agencies remain confident about its ties to Russia.
Impact and Notable Victims of BianLian Ransomware Attacks
BianLian’s activity has been prolific since 2022, with its dark web extortion portal listing over 154 victims. While many victims are small to medium-sized organizations, notable breaches include attacks against Air Canada, Northern Minerals, and Boston Children’s Health Physicians. The group has also claimed recent attacks on a global Japanese sportswear manufacturer, a prominent Texas clinic, a global mining group, an international financial advisory firm, and a major U.S. dermatology practice, though these claims remain unconfirmed.
CISA Recommendations for Mitigation
Given the BianLian ransomware group’s shift to data exfiltration and its sophisticated techniques, CISA recommends several mitigation strategies:
- Restrict RDP Access: Severely limit the use of Remote Desktop Protocol (RDP) to only authorized users and devices.
- Disable Unnecessary Permissions: Disable command-line and scripting permissions where possible.
- Limit PowerShell Use: Restrict the use of PowerShell on Windows systems to authorized personnel and tasks.
Implementing these recommendations, along with robust security practices, is crucial for organizations seeking to protect themselves against BianLian and other sophisticated ransomware threats. The ongoing evolution of ransomware tactics underscores the need for constant vigilance and proactive security measures.