BianLian Ransomware Gang Abandons Encryption, Goes All-In on Data Extortion

BianLian Ransomware: Evolution and Current Threat Profile

Key Development:
BianLian has transformed from a traditional ransomware operation into a dedicated data theft extortion group as of January 2024, according to a joint advisory from U.S. CISA, FBI, and Australian Cyber Security Centre.

Operational Changes:
– Abandoned encryption-based attacks following Avast’s decryptor release
– Now focuses exclusively on data exfiltration and extortion
– Operates primarily from Russia, using foreign-language names as cover

Technical Tactics:
1. Attack Methods:
– Targets Windows and ESXi systems
– Exploits ProxyShell vulnerabilities
– Uses modified Rsocks and Ngrok for traffic masking
– Leverages UPX packing for detection evasion

2. Infiltration Techniques:
– Creates administrative accounts
– Deploys webshells on Exchange servers
– Uses PowerShell for data compression
– Exploits CVE-2022-37969 for privilege escalation
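Two of the infiltration steps above (creating administrative accounts, then using PowerShell to compress data before exfiltration) leave a recognisable trail in Windows telemetry. The script below is an added example, not code from the article or from the CISA/FBI/ACSC advisory: it correlates a Security event 4720 (account created) with a following 4732 (account added to a privileged group) and flags PowerShell script-block events (4104) that invoke archiving tools. The event records, field names and timestamps are constructed samples; real logs would be read from the Security and Microsoft-Windows-PowerShell/Operational channels.

```python
"""
Detect two BianLian-style post-compromise behaviours from Windows event data:
  1. A newly created account that is promptly added to an admin group
     (Security event 4720 followed by 4732 for the same account).
  2. PowerShell script blocks that compress data (PowerShell/Operational
     event 4104 whose script text invokes an archiving command).
All events below are constructed samples, not real telemetry.
"""
from datetime import datetime, timedelta
import re

# Constructed sample events; field names are simplified from the real event XML.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:14:05", "id": 4720, "target": "svc_backup", "subject": "jdoe"},
    {"ts": "2024-01-10T02:14:30", "id": 4732, "target": "svc_backup",
     "group": "Administrators", "subject": "jdoe"},
    {"ts": "2024-01-10T02:20:11", "id": 4104, "user": "svc_backup",
     "script": "Compress-Archive -Path C:\\Finance\\* -DestinationPath C:\\Windows\\Temp\\f.zip"},
    {"ts": "2024-01-10T09:00:00", "id": 4104, "user": "admin",
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
    # Benign: account created by HR with no later admin-group addition.
    {"ts": "2024-01-12T11:00:00", "id": 4720, "target": "newhire", "subject": "hr_admin"},
]

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Archiving commands commonly seen in script-block logs (assumed list, extend as needed).
COMPRESSION_PATTERN = re.compile(
    r"Compress-Archive|\[IO\.Compression|ZipFile\]|\b7z(a|\.exe)?\s|\brar(\.exe)?\s",
    re.IGNORECASE)


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_admin_account_creation(events, window=timedelta(hours=1)):
    """Return (account, creator) pairs where a 4720 is followed within `window`
    by a 4732 that adds the same account to a privileged group."""
    created = {}  # account -> (creation time, creating subject)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["id"] == 4720:
            created[ev["target"]] = (parse_ts(ev["ts"]), ev["subject"])
        elif ev["id"] == 4732 and ev.get("group") in ADMIN_GROUPS:
            acct = ev["target"]
            if acct in created:
                t0, creator = created[acct]
                if parse_ts(ev["ts"]) - t0 <= window:
                    hits.append((acct, creator))
    return hits


def find_powershell_compression(events):
    """Return (user, script) for 4104 script blocks that invoke archiving tools."""
    return [(ev["user"], ev["script"]) for ev in events
            if ev["id"] == 4104 and COMPRESSION_PATTERN.search(ev["script"])]


def triage(events):
    """Combine both detections into a list of human-readable findings."""
    findings = []
    for acct, creator in find_admin_account_creation(events):
        findings.append(f"new account '{acct}' created by '{creator}' and made admin")
    for user, script in find_powershell_compression(events):
        findings.append(f"PowerShell compression by '{user}': {script[:60]}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The time window on the 4720/4732 correlation is what separates an attacker staging a new admin from routine onboarding: the constructed "newhire" account is created but never promoted, so it produces no finding. Script-block logging (event 4104) must be enabled for the second detection to have any data, which is one concrete reason behind the article's recommendation to restrict and monitor PowerShell.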

Recent Activity:
– 154 victims listed on dark web portal
– Notable targets include Air Canada, Northern Minerals, and Boston Children’s Health Physicians
– Multiple pending claims against global organizations

Security Recommendations:
– Limit RDP usage
– Disable command-line scripting
– Restrict PowerShell access
– Implement robust access controls

This threat actor remains highly active and continues to evolve its tactics, primarily targeting small to medium-sized organizations while occasionally striking larger enterprises.