
BianLian Cybercrime Group Adopts New Extortion Techniques, CISA Issues Alert


The US Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC), has issued a joint advisory (AA23-136A) warning organizations about attacks by the ransomware developer and data extortion group BianLian.

BianLian has been active since June 2022 and has typically used a double-extortion model: it encrypts a victim's systems and steals their data, then threatens to publish the stolen data if payment is not made. According to the advisory, in January 2023 the group shifted to exfiltration-based extortion, stealing data and threatening to leak it rather than leading with encryption.

The gang gains initial access with valid, stolen remote desktop protocol (RDP) credentials, then relies on open-source tools and command-line scripting for discovery and credential harvesting as it moves through the network. It exfiltrates data over File Transfer Protocol (FTP), Rclone, or Mega before extorting its victims.

In March, cybersecurity service provider Redacted released research on the group, detailing its high level of operational security, its skill at network penetration, and its continued growth while operating as a ransomware organization. BianLian's tactics, techniques, and procedures (TTPs) have allowed the gang to target critical infrastructure organizations in the US and Australia, as well as professional services and property development organizations.

Responding to the advisory, Tom Kellerman, senior vice president of cyber strategy at Contrast Security, said that "extortion via data leak is the modus operandi of choice" for BianLian. Kellerman attributed the shift to successful collaboration between law enforcement and the cyber community in decrypting the ransomware and disrupting the infrastructure that sustains it.

In response to these attacks, CISA has urged organizations to implement the mitigations in the advisory, including auditing remote access tools on the network, reviewing logs for execution of remote access software, and enabling enhanced PowerShell logging.
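The following script is an added example of how a Windows administrator might act on those three mitigations on a single host; it is not part of the CISA advisory and is not BianLian tooling. It turns on PowerShell script block, module, and transcription logging through the same registry values the corresponding Group Policy sets, inventories installed programs, services, and scheduled tasks for remote access and file-transfer tools, and then pulls process-creation events (Security event 4688) that reference those tools. The watch list of tool names, the 30-day lookback, and the transcript output directory are assumptions to adapt to your environment; 4688 events carry a command line only if command-line process auditing is already enabled.

```powershell
#Requires -RunAsAdministrator
# Added example: enable enhanced PowerShell logging and hunt for remote
# access / exfiltration tooling on one Windows host. Not from the advisory.

# 1. Enhanced PowerShell logging (script block, module, transcription).
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # log every module

New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'  # assumed path

# 2. Inventory remote access and data-transfer tools.
#    Assumed watch list; extend it with whatever is unexpected in your estate.
$watchList = 'anydesk','teamviewer','atera','splashtop','rclone','megasync','megacmd','winscp','filezilla'
$pattern   = ($watchList | ForEach-Object { [regex]::Escape($_) }) -join '|'

$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -match $pattern } |
             Select-Object DisplayName, InstallDate, Publisher

$services  = Get-CimInstance Win32_Service |
             Where-Object { ($_.Name + ' ' + $_.PathName) -match $pattern } |
             Select-Object Name, State, PathName

$tasks     = Get-ScheduledTask |
             Where-Object { ($_.Actions | ForEach-Object { $_.Execute + ' ' + $_.Arguments }) -match $pattern } |
             Select-Object TaskName, TaskPath

# 3. Review process-creation events (Security 4688) for executions of those
#    tools in the last 30 days (assumed window). Requires "Audit Process
#    Creation"; the CommandLine field needs command-line auditing as well.
$since = (Get-Date).AddDays(-30)
$execs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match $pattern } |
         ForEach-Object {
             $xml  = [xml]$_.ToXml()
             $data = @{}
             foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
             [pscustomobject]@{
                 Time    = $_.TimeCreated
                 User    = $data['SubjectUserName']
                 Process = $data['NewProcessName']
                 CmdLine = $data['CommandLine']
             }
         }

'== Installed tools =='; $installed | Format-Table -AutoSize
'== Services ==';        $services  | Format-Table -AutoSize
'== Scheduled tasks =='; $tasks     | Format-Table -AutoSize
'== Executions (4688) =='; $execs   | Format-Table -AutoSize
```

Run it elevated on each host in scope (or push the logging section through Group Policy and keep only the hunting section for endpoint sweeps). A match in the inventory or 4688 output is a lead, not a verdict: confirm whether the tool is sanctioned before treating it as an intrusion indicator, and note that Rclone and Mega clients can also be run from user-writable paths without being installed, which is why the 4688 review matters alongside the installed-program check.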
