BianLian Ransomware Update: November 25, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ASD’s ACSC) have released a significant update to their advisory on the BianLian ransomware group. This update follows a series of recent attacks targeting critical infrastructure sectors in both the U.S. and Australia. The advisory includes new tactics, techniques, and procedures (TTPs), and indicators of compromise (IoCs) gathered through extensive investigations.
BianLian Ransomware Updated Tactics and Techniques
The BianLian ransomware group, believed to be based in Russia with numerous Russia-based affiliates, has demonstrated a sophisticated and evolving attack methodology. The agencies’ report highlights several key aspects of their operations:
- Initial Access: BianLian actors frequently exploit compromised Remote Desktop Protocol (RDP) credentials, often obtained from initial access brokers or phishing campaigns. Recent activity also indicates targeting of public-facing applications on Windows and ESXi infrastructure, potentially leveraging the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
- Lateral Movement and Persistence: Once inside a network, BianLian deploys custom backdoors written in Go, installs remote management and access software, and creates or modifies local administrator accounts. The use of the reverse proxy tool Ngrok and/or a modified version of the open-source Rsocks utility for masking C2 traffic has also been observed. Exploitation of CVE-2022-37969 for privilege escalation on Windows 10 and 11 systems is another confirmed tactic.
- Data Exfiltration and Extortion: The group initially employed a double-extortion model, encrypting systems and exfiltrating data. However, they have shifted primarily to exfiltration-based extortion since January 2023, and exclusively so since January 2024. Data exfiltration is achieved via File Transfer Protocol (FTP), Rclone, or Mega. BianLian threatens to release stolen data—financial, client, business, technical, and personal files—if a ransom is not paid. Additional pressure tactics include printing ransom notes and making threatening phone calls.
- Obfuscation and Evasion: BianLian actors rename binaries and scheduled tasks to mimic legitimate Windows services or security products. They also utilize UPX to pack executables, attempting to evade detection. PowerShell is used extensively for discovery and reconnaissance, along with tools like SessionGopher for extracting session information from remote access tools (RATs). The ASD’s ACSC has also noted the use of Windows logon type 3 (network logon, as used by SMB) connections and the creation of domain admin and Azure AD accounts for lateral movement and persistence. Data compression and/or encryption are performed before exfiltration.
- The Shift to Exfiltration-Based Extortion: As Darren Williams, founder and CEO of BlackFog, notes, “This continues a major trend we have seen through 2024 where 94% of all ransomware now focuses on data exfiltration. This is not a surprise given the value of intellectual property, customer, and personal data. Data exfiltration allows criminals to leverage multiple pathways to secure payment from direct extortion of the victim or the subject of the data themselves. Even if the victims pay there is considerable evidence this is never deleted, but is rather traded on the Dark Web for years to come.”
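The lateral movement, persistence and evasion items above describe behaviours that leave traces in ordinary Windows Security logging: new accounts being added to administrator groups, network (type 3) logons by those accounts, scheduled tasks named after Windows components but launching executables from user-writable paths, and launches of Rclone or Ngrok. The following is an added example of detection logic over such events, not code from CISA, the FBI, the ACSC or BlackFog. It assumes a simplified event representation: the dict field names (EventID, TargetUserName, MemberName, GroupName, LogonType, TaskName, Command, NewProcessName) are loosely modelled on Security log fields but are constructed for this example, as are the sample events, the directory and name lists, and the UPX marker heuristic.

```python
"""
Added example: log-based checks for several BianLian behaviours described in
the advisory summary, plus a UPX-packing heuristic. Not code from CISA, FBI,
ACSC or BlackFog. Events are simplified dicts whose field names are constructed
for this example (loosely modelled on Windows Security log fields).
"""
from typing import Dict, List, Tuple

# Constructed list of directories where a task named after a Windows component
# would normally point; a mimic task pointing elsewhere is suspect.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Constructed list of legitimate-sounding names that renamed binaries or
# scheduled tasks may imitate.
MIMIC_NAMES = ("windows defender", "microsoft edge update", "svchost", "onedrive")
# Tools the advisory names for C2 masking and exfiltration.
TOOL_BINARIES = ("rclone.exe", "ngrok.exe")

Event = Dict[str, object]
Finding = Tuple[str, str]


def looks_like_upx(data: bytes) -> bool:
    """Heuristic: UPX-packed executables normally keep 'UPX0'/'UPX1' section
    names or the 'UPX!' marker; a modified packer output can strip them, so a
    negative result is not proof of an unpacked file."""
    return any(marker in data for marker in (b"UPX0", b"UPX1", b"UPX!"))


def suspicious_task(event: Event) -> bool:
    """A task-created event whose name mimics a Windows component but whose
    command lives outside the expected system directories."""
    name = str(event["TaskName"]).lower()
    command = str(event["Command"]).lower()
    mimics = any(m in name for m in MIMIC_NAMES)
    outside_system = not any(command.startswith(d) for d in SYSTEM_DIRS)
    return mimics and outside_system


def analyze(events: List[Event]) -> List[Finding]:
    """Walk events in order and return (rule, detail) findings."""
    findings: List[Finding] = []
    new_accounts = set()
    for e in events:
        eid = e["EventID"]
        if eid == 4720:  # user account created
            new_accounts.add(e["TargetUserName"])
        elif eid in (4728, 4732):  # member added to global / local security group
            if e["MemberName"] in new_accounts and "admin" in str(e["GroupName"]).lower():
                findings.append(("new-account-added-to-admin-group", str(e["MemberName"])))
        elif eid == 4624 and e["LogonType"] == 3:
            # Type 3 (network) logons are routine for SMB, so only flag them for
            # accounts created in the same window; flagging every type 3 logon
            # would drown the signal.
            if e["TargetUserName"] in new_accounts:
                findings.append(("network-logon-by-new-account", str(e["TargetUserName"])))
        elif eid == 4698 and suspicious_task(e):  # scheduled task created
            findings.append(("mimic-scheduled-task", str(e["TaskName"])))
        elif eid == 4688:  # process created
            exe = str(e["NewProcessName"]).lower().rsplit("\\", 1)[-1]
            if exe in TOOL_BINARIES:
                findings.append(("exfil-or-tunnel-tool-launched", exe))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4720, "TargetUserName": "svc_backup"},
    {"EventID": 4732, "MemberName": "svc_backup", "GroupName": "Administrators"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3},
    {"EventID": 4698, "TaskName": "Windows Defender Update",
     "Command": "C:\\Users\\Public\\wdupdate.exe"},
    {"EventID": 4698, "TaskName": "Windows Defender Scan",
     "Command": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\Users\\Public\\rclone.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The ordering of events matters: the account-creation event is remembered first, so the later group change and network logon for that same account are flagged while the routine type 3 logon by an existing user is not. The second scheduled task is deliberately benign (a Defender-like name whose command sits under Program Files) to show that the name alone is not the signal; the mismatch between name and executable path is.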
Mitigations and Recommendations
To counter the BianLian ransomware threat, the agencies recommend implementing the following mitigations:
- Strengthening Cybersecurity Posture: Organizations should adopt a comprehensive approach to cybersecurity based on the cross-sector cybersecurity performance goals (CPGs) developed by CISA and NIST. These CPGs provide a foundational set of practices and protections.
- Testing and Validation: Regularly test and validate security controls against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. This includes assessing how existing security controls perform against the specific ATT&CK techniques employed by BianLian.
The updated BianLian ransomware advisory underscores the evolving nature of cyber threats and the urgent need for organizations to adapt their security strategies accordingly. The focus on data exfiltration highlights the critical importance of robust data protection measures and proactive threat detection capabilities. The detailed TTPs provided in the advisory offer valuable insights for organizations seeking to improve their defenses against this persistent and dangerous threat actor.