Security news that informs and inspires

CISA Warns BianLian Ransomware Group Has Moved to Extortion Model

The BianLian ransomware group, which has targeted critical infrastructure organizations in the United States and Australia, has changed up its business model and is moving away from the ransomware grift and toward a simple data theft and extortion model.

BianLian has been active for about a year and is one of the groups that develops and deploys its own ransomware strain, along with performing data theft and extortion. The group has attacked organizations in several critical infrastructure sectors in the U.S. and also has hit companies in the professional services sector and other industries. On Tuesday, the FBI, CISA, and the Australian Cyber Security Center issued a new advisory about BianLian’s activities, and said that the group is almost exclusively running data exfiltration and extortion operations.

“BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made,” The advisory says.

“BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group.”

The data theft and extortion model has been an increasingly popular one among ransomware groups in the past few years, as the number of victim organizations that pay traditional ransomware demands continues to decline. In most of these scenarios, the actors gain initial access, move laterally across the network through various means, find sensitive data and exfiltrate it, and then deploy the ransomware and issue their demands. If the victim organization doesn’t pay the initial ransom demand, then the group will threaten to leak stolen data online. Many actors use the double extortion model, wherein they demand separate payments for decrypting the affected systems and for not leaking stole information.

BianLian appears to have shifted its focus mainly to the data theft and extortion portion of the program. The group usually gains initial access to a network through the use of stolen valid RDP credentials, which they may get through phishing or from an initial access broker. Once on a network, they then droop a custom Go backdoor and install remote management software to remain persistent. From there, the BianLian actors move laterally and use a variety of tools to find other valid credentials, domain controllers, and valuable information.

“BianLian group actors search for sensitive files using PowerShell scripts and exfiltrate them for data extortion. Prior to January 2023, BianLian actors encrypted files after exfiltration for double extortion,” the advisory says.

“BianLian group uses File Transfer Protocol and Rclone, a tool used to sync files to cloud storage, to exfiltrate data. FBI observed BianLian group actors install Rclone and other files in generic and typically unchecked folders such as programdata\vmware and music folders. ACSC observed BianLian group actors use Mega file-sharing service to exfiltrate victim data.”

CISA recommends that organizations restrict the use of RDP and other remote desktop services as much as possible to limit the initial access options for this group and other ransomware actors.