US and Australian government agencies have urged critical infrastructure organizations to protect against new tactics employed by the BianLian ransomware group.
These updated tactics, techniques and procedures (TTPs) include shifting exclusively to exfiltration-based extortion and leveraging new approaches for initial access, command and control, and defense evasion.
The joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is an update to a May 2023 publication by the agencies about BianLian.
The BianLian Ransomware Group
BianLian has been observed targeting organizations in multiple US critical infrastructure sectors since June 2022.
In Australia, the group has predominately targeted private enterprises, this did include at least one critical infrastructure organization.
It is believed to have been behind an attack on Australian mining company Northern Minerals in June 2024.
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group, likely based in Russia with multiple Russia-based affiliates.
US and Australian authorities believe the group attempts to misattribute location and nationality by choosing foreign-language names, with the goal of complicating attribution methods.
Shift to Exfiltration-Based Extortion
The November 2024 advisory noted that BianLian originally employed a double-extortion model in which it exfiltrated financial, client, business, technical and personal files for leverage and encrypted victims’ systems.
However, the group was observed shifting primarily to exfiltration-based extortion around January 2023 and exclusively so from January 2024.
Following initial access, BianLian actors exfiltrate victim data via File Transfer Protocol (FTP), Rclone or Mega. They then extort money from victims by threatening to release data if payment is not made.
BianLian also warn of financial, business and legal ramifications if payment is not made.
Typically, the group leaves victims’ systems intact, not attempting to deliver a ransomware payload.
Read now: Ransomware Groups Prioritize Defense Evasion for Data Exfiltration
New Initial Access and Persistence Techniques
Initial Access
BianLian actors have expanded their initial access techniques. In addition to leveraging compromised Remote Desktop Protocol (RDP) credentials, they have recently been observed targeting public-facing applications of both Windows and ESXi infrastructure, possibly leveraging the ProxyShell exploit chain to gain initial access.
Command and Control
To establish command and control, BianLian may now be using the reverse proxy tool Ngrok and/or a modified version of the open-source Rsocks utility. Previously, group actors focused on implanting a custom backdoor specific to each victim written in Go for this purpose.
Defense Evasion
The group has evolved its defense evasion tactics beyond using PowerShell and Windows Command Shell to disable antivirus tools. It has recently been observed renaming binaries and scheduled tasks after legitimate Windows services or security products.
The group may also pack executables using UPX to conceal their code in an attempt to bypass heuristic and signature-based detection methods, the agencies said.
Persistence and Lateral Movement
BianLian group actors are known to use PsExec and RDP with valid accounts for lateral movement.
Several other tactics have also been observed. In one case, BianLian actors created multiple domain admin accounts for use in lateral movement to the domain controller and created multiple Azure AD accounts to maintain access to the victim systems.
In a separate compromise, the group installed webshells for persistence on a victim’s Exchange server.
Exfiltration
BianLian searches for sensitive files using PowerShell scripts and exfiltrates them for data extortion.
It commonly uses File Transfer Protocol (FTP) for exfiltration. The group has also been observed installing Rclone and other files in generic and typically unchecked folders such as programdata\vmware and music folders, as well as using Mega file-sharing service to exfiltrate victim data.
Prior to January 2024, BianLian used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and would create a ransom note in each affected directory.
Newer ransomware notes simply state that BianLian group has exfiltrated data and threaten to leak the exfiltrated data if the ransom is not paid
How to Protect Against BianLian Attacks
The FBI, CISA and ASD’s ACSC issued specific recommendations for organizations to help them defend against BianLian tactics, alongside more general controls such as multi-factor authentication and privileged access management. These include:
- Auditing remote access tools on your network and reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable
- Implementing application controls to manage and control execution of software, including allowlisting remote access programs
- Strictly limiting the use of RDP and other remote desktop services
- Disabling command-line and scripting activities and permissions
- Restricting the use of PowerShell, using Group Policy, and only grant to specific users on a case-by-case basis
- Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions
- Configuring the Windows Registry to require User Account Control (UAC) approval for any PsExec operations
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts