Main Menu
,

BianLian Ransomware: Shadow Data Extortion Group

The BianLian ransomware group represents a significant and growing threat to organizations worldwide. Operating with precision and stealth, they have targeted critical infrastructure and private sector companies, exfiltrating sensitive data and demanding exorbitant ransoms. Their shift from a double-extortion model to data exfiltration alone underscores their evolving tactics and the escalating danger they pose. Understanding their methods is crucial to mitigating the risk.
Facebook Twitter Youtube Linkedin
BianLian Ransomware: Shadow Data Extortion Group
Table of Contents
    Add a header to begin generating the table of contents

    Overview of BianLian Ransomware:

    • Primarily a data extortion group, shifting from a double-extortion model to solely exfiltration-based extortion.
    • Likely based in Russia, using a foreign-language name to obfuscate origin.
    • Targets critical infrastructure and private sector organizations in the US and Australia.
    • Leverages compromised RDP credentials, phishing, and exploit chains for initial access.
    • Employs a wide range of techniques for lateral movement, persistence, and data exfiltration.
    • Uses various tools for data exfiltration, including FTP, Rclone, and Mega.
    • Threatens to publicly release stolen data if ransom is not paid.
    • Active since at least June 2022.

    Known Aliases

    BianLian is the only documented alias of this malware.

    Known High-Profile Victims:

    Since June 2022, BianLian threat actors have targeted organizations across multiple U.S. critical infrastructure sectors, as well as Australian critical infrastructure, professional services, and property development industries. There is no publicly available information about BianLian’s victims.

    Country of Origin

    Likely Russia. The group attempts to obfuscate its location by using a foreign-language name. Multiple Russia-based affiliates are also implicated.

    MITRE ATT&CK Tactics and Techniques of BianLian Ransomware:

    BianLian employs a wide range of techniques. Key tactics and techniques include:

    • Initial Access: RDP exploitation using compromised credentials (T1078, T1133), phishing (T1566), and exploitation of public-facing applications, potentially leveraging the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) (T1190).
    • Execution: PowerShell (T1059.001), Windows Command Shell (T1059.003), Scheduled Tasks (T1053.005).
    • Persistence: Account manipulation (T1098), installation of remote management and access software (T1105, T1219), webshells (T1505.003), creation of domain admin accounts (T1136.002), and Azure AD accounts (T1136.003).
    • Privilege Escalation: Exploitation of CVE-2022-37969 (T1068).
    • Defense Evasion: Disabling antivirus tools (T1562.001), modifying the Windows Registry (T1112), renaming binaries and scheduled tasks (T1036.004), packing executables with UPX (T1027.002), use of reverse proxy tools like Ngrok and modified Rsocks (T1090, T1090.002).
    • Discovery: Use of network scanners (Advanced Port Scanner, SoftPerfect Network Scanner) (T1046, T1135), SharpShares, PingCastle (T1482), and native Windows tools to query users, groups, domain controllers, and network devices (T1033, T1069.002, T1087.002, T1018). PowerShell scripts are also used to list running processes, installed software, and local drives (T1057, T1518, T1082).
    • Credential Access: Harvesting credentials from LSASS memory (T1003.001), accessing NTDS.dit (T1003.003), using Impacket tools (secretsdump.py), and using SessionGopher (T1552.004).
    • Lateral Movement: PsExec, RDP with valid accounts (T1021.001), SMB connections (T1021.002).
    • Collection: Use of malware (system.exe) to enumerate registry values and files, copy clipboard data (T1012, T1083, T1115), and PowerShell scripts to compress/encrypt data (T1560).
    • Exfiltration: FTP (T1048), Rclone (T1537), Mega (T1567.002).
    • Impact: Data encryption (T1486) (prior to January 2024), data extortion.

    Common Methods of Infiltration of BianLian Ransomware:

    • Exploited Vulnerabilities: RDP vulnerabilities, ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), CVE-2022-37969, and potentially Netlogon vulnerability (CVE-2020-1472).
    • Phishing: Used to obtain valid user credentials.
    • Malware: Custom backdoors (written in Go), encryptor.exe (prior to January 2024), system.exe.

    Additional Information about BianLian Ransomware:

    BianLian initially employed a double-extortion model (encryption and data exfiltration). However, they shifted primarily to exfiltration-based extortion around January 2023 and exclusively to exfiltration-based extortion around January 2024. They use various methods to pressure victims into paying ransoms, including threatening to publicly release stolen data, sending threatening emails and phone calls, and printing ransom notes on compromised network printers. The group uses Tor hidden services (.onion) for communication and data leaks. The ransom notes provide Tox IDs and alternative contact email addresses.

    Trending
    CISA Tags Windows and Cisco Vulnerabilities as Actively Exploited
    Trinity Ransomware: The Enigma of the .trinitylock
    Freddie Mac Data Breach: Social Security Numbers Compromised
    Belgian Intelligence Service Breach: Chinese Hackers Under Investigation
    Via Credit Union Data Breach Impacts Thousands: Indiana Credit Unions Face Cybersecurity Challenges
    Angel One Data Leak: AWS Breach Exposes User Data
    This Week In Cybersecurity: 24th February to 28th February
    State of Code Security in 2025: A Wiz Report Reveals Critical Vulnerabilities
    Serbian Police Exploit Cellebrite Zero-Day to Unlock Android Phones
    Ransomware Groups Use BYOVD Attacks Exploiting Paragon Partition Manager Bug

    Daily Briefing Newsletter

    Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

    Related Posts
    OnlyFans Cyberattacks: Fake CAPTCHAs and Malware Distribution Threaten Users

    OnlyFans Cyberattacks: Fake CAPTCHAs and Malware Distribution Threaten Users

    Vo1d Botnet Surpasses 1.59 Million Infected Android TVs Across 226 Countries

    Vo1d Botnet Surpasses 1.59 Million Infected Android TVs Across 226 Countries

    ClickFix Attack Deploys Havoc C2 via Microsoft SharePoint

    ClickFix Attack Deploys Havoc C2 via Microsoft SharePoint

    CISA Tags Windows and Cisco Vulnerabilities as Actively Exploited

    CISA Tags Windows and Cisco Vulnerabilities as Actively Exploited

    Trinity Ransomware: The Enigma of the .trinitylock

    Trinity Ransomware: The Enigma of the .trinitylock

    Freddie Mac Data Breach: Social Security Numbers Compromised

    Freddie Mac Data Breach: Social Security Numbers Compromised