The BianLian ransomware group has changed tactics and now runs an operation built on data theft rather than encryption.
This development is an update to the joint advisory that the FBI, CISA and the Australian Cyber Security Centre issued in May 2023. That advisory already described BianLian's tradecraft: valid Remote Desktop Protocol (RDP) credentials (stolen or bought from initial access brokers), a custom Go-based backdoor, commercial remote access tools, and targeted Windows Registry modifications.
The BianLian ransomware operators have abandoned file encryption altogether.
According to the updated advisory, the group moved to data-theft extortion after Avast released a free decryptor for its ransomware in January 2023.
The group initially ran a double-extortion model, stealing data and then encrypting the victim's systems. The update states that the actors shifted primarily to exfiltration-based extortion around January 2023 and exclusively to exfiltration-based extortion around January 2024. One practical consequence: good backups, which blunt a conventional ransomware attack, do nothing against this model, so the emphasis has to be on preventing initial access and detecting exfiltration.
The advisory also notes that the group uses foreign-language names in an attempt to obscure where it operates from. The authoring agencies nonetheless assess that the core actors and several affiliates are likely based in Russia.
The advisory has been updated with the group's most recent tactics, techniques and procedures (TTPs), summarised below.
The group targets public-facing applications on both Windows and ESXi infrastructure, possibly exploiting the ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access. For command and control it uses Ngrok and a possibly modified version of the open-source Rsocks utility to establish SOCKS5 tunnels, hiding the real destination of its traffic.
On Windows 10 and 11 hosts the actors exploit CVE-2022-37969, a flaw in the Windows Common Log File System driver, to escalate privileges, and pack their executables with UPX to evade detection. They further evade defences by renaming binaries and scheduled tasks after legitimate Windows services and security products.
Within a victim's network they create Domain Admin and Azure AD accounts, establish network logons over SMB, and deploy webshells on Exchange servers. They also use PowerShell scripts to compress collected data before exfiltrating it.
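The renaming trick described above is detectable because a masquerading binary or task borrows a legitimate name but not its legitimate location or PE metadata. The Python below is an added example written for this article, not code from the advisory or the group's tooling; it runs three simple rules over constructed records that mimic the fields Sysmon Event ID 1 (process creation, including the PE `OriginalFileName`) and Windows Security Event ID 4698 (scheduled task created) expose. The field names, the sample events and the word list are this example's own assumptions.

```python
"""Flag binaries and scheduled tasks renamed to look like Windows services
or security products. Added example; records and field names are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Iterable

# Where genuine Windows system binaries live (lower-case, trailing backslash).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable locations: a "svchost.exe" here is suspect. Real vendor
# subfolders under ProgramData need an allow-list in a production rule.
WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# System binary names commonly borrowed for masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "taskhostw.exe", "dllhost.exe"}
# Words that make a task or file name look like Windows or a security product.
LOOKALIKE_WORDS = re.compile(
    r"windows|microsoft|defender|update|antivirus|sophos|mcafee|crowdstrike", re.I)


@dataclass
class Finding:
    rule: str
    subject: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _in_writable(path: str) -> bool:
    return any(d in _norm(path) for d in WRITABLE_DIRS)


def _in_trusted(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_DIRS)


def check_process(ev: dict) -> list[Finding]:
    """ev keys: Image (full on-disk path), OriginalFileName (PE version info)."""
    findings = []
    image = _norm(ev["Image"])
    name = image.rsplit("\\", 1)[-1]
    # Rule 1: a system binary name running from outside the Windows directories.
    if name in SYSTEM_NAMES and not _in_trusted(image):
        findings.append(Finding("system_name_outside_windows_dir", ev["Image"]))
    # Rule 2: the file was renamed on disk; its compiled-in name differs.
    # Sysmon logs "?" when the PE carries no version resource.
    orig = ev.get("OriginalFileName", "").lower()
    if orig and orig != "?" and orig != name:
        findings.append(Finding("on_disk_name_differs_from_original",
                                f'{ev["Image"]} (OriginalFileName={ev["OriginalFileName"]})'))
    return findings


def check_task(ev: dict) -> list[Finding]:
    """ev keys: TaskName, Command (the task action's executable path)."""
    # Rule 3: a legitimate-sounding task whose action runs from a writable dir.
    if LOOKALIKE_WORDS.search(ev["TaskName"]) and _in_writable(ev["Command"]):
        return [Finding("lookalike_task_runs_from_writable_dir",
                        f'{ev["TaskName"]} -> {ev["Command"]}')]
    return []


def scan(events: Iterable[dict]) -> list[Finding]:
    out: list[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            out += check_process(ev)
        elif ev["type"] == "task":
            out += check_task(ev)
    return out


# Constructed sample events: two benign, three mimicking the advisory's TTP.
SAMPLE_EVENTS = [
    {"type": "process", "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "svchost.exe"},
    {"type": "process", "Image": "C:\\Users\\Public\\svchost.exe",
     "OriginalFileName": "svchost.exe"},
    {"type": "process", "Image": "C:\\Users\\Public\\WindowsUpdate.exe",
     "OriginalFileName": "ngrok.exe"},
    {"type": "task", "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "Command": "C:\\Windows\\System32\\sc.exe"},
    {"type": "task", "TaskName": "\\Microsoft Windows Defender Update",
     "Command": "C:\\Users\\Public\\Libraries\\defender.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.subject}")
```

Rule 2 is the most valuable of the three because it catches a tool such as a tunnelling utility renamed to anything at all, but some legitimate software ships an `OriginalFileName` that differs from its file name, so it needs an allow-list before it is used for alerting rather than hunting.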
The ransom note has also been updated and now carries a new Tox ID for contacting the group. To add pressure, the actors print the note on printers connected to the compromised network and, in some cases, telephone employees of the victim organisation directly.
To reduce exposure to these operations, the joint advisory recommends limiting the use of RDP and other remote desktop services, disabling command-line and scripting activities and permissions where they are not needed, and restricting PowerShell on Windows hosts, keeping it updated and with logging enabled so that the compression and exfiltration scripts described above leave a trace.