In an advisory this week, the US Cybersecurity and Infrastructure Security Agency (CISA) alongside the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning organizations of attacks made by the ransomware developer and data extortion group known as BianLian.
BianLian has been active since 2022. In the past, the ransomware gang has focused on using a double-extortion model where they encrypt victims’ systems and steal data, threatening to release the acquired data if the payment is not received. In January though, BianLian shifted its attack methods to focus primarily on exfiltration-based extortion rather than leading with encryption, the alert warned.
The group uses stolen remote desktop protocol (RDP) credentials to access victims’ networks, as well as open-source tools and command-line scripting to move around the network. Then it exfiltrates data through File Transfer Protocol (FTP), Rclone, or Mega. After this is completed, the group goes on to extort its victims.
Cybersecurity service provider [redacted] released research on the group in March detailing its high-level operational security and skill penetration, and its continued growth while operating as a ransomware organization. It’s these tactics, techniques, and procedures (TTPs) that have allowed the gang to target critical infrastructure organizations in the US and Australia as well as professional services and property development organizations.
“More often than not, extortion via data leak is the modus operandi of choice,” says Tom Kellerman, senior vice president of cyberstrategy at Contrast Security, in response to the advisory. “The shift is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but to disrupt the infrastructure that sustains it.”
CISA urges organizations to implement the mitigations it has provided in the advisory, such as auditing remote access tools, reviewing logs for execution of remote access software, and enabling enhanced PowerShell logging, in light of these attacks.