BianLian cyber gang drops encryption-based ransomware


The Australian Cyber Security Centre (ACSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA) have released updated intelligence on the activities of the dangerous BianLian ransomware operation. The gang has been observed rapidly evolving its tactics, techniques, and procedures (TTPs).

BianLian, along with LockBit, gained prominence in 2022 following the decline of the Conti crew. Despite its Chinese name, BianLian is believed to be based in Russia. The gang has targeted critical national infrastructure (CNI) operators in Australia, the US, and the UK.

Initially, BianLian used the double extortion model, encrypting victims’ systems and threatening to leak their data if a ransom was not paid. However, in 2023, the gang shifted to exfiltration-based extortion, leaving systems intact but stealing data and warning of consequences if payment was not made. Since January 2024, BianLian has exclusively used this method.

The ACSC, FBI, and CISA urge organizations to implement recommended mitigations to reduce the risk of ransomware attacks like BianLian.

New techniques

BianLian has abandoned its traditional ransomware locker (the encryption component) and updated its ransom note accordingly. The gang now applies high-pressure tactics, such as sending ransom notes to office printers and making threatening phone calls to employees.

Other updated techniques include targeting public-facing applications, using the ProxyShell exploit chain, implanting custom backdoors, exploiting vulnerabilities such as CVE-2022-37969, and evading detection tools by renaming binaries and packing executables with UPX.

To escalate privileges, BianLian leverages various tools and techniques, including PsExec, RDP, the SMB protocol, webshells on Exchange servers, and the creation of Azure AD accounts.
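The two evasion techniques named above, renaming binaries and UPX-packing them, both leave traces that a defender can check for on disk. The following triage script is an added illustration, not code from the article or from the ACSC/CISA advisory; it parses a PE header for its section names, flags the `UPX0`/`UPX1` section names that the stock UPX packer writes, flags a PE image whose file extension suggests a non-executable, and computes byte entropy (packed or encrypted payloads sit near 8 bits per byte). The `build_fake_pe` helper and the file names are constructed test data, not real samples.

```python
import math
import os
import struct
from typing import Optional

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl"}
HIGH_ENTROPY = 7.0  # assumed threshold; tune against your own clean baseline


def pe_section_names(data: bytes) -> Optional[list]:
    """Return the section names of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table start
    names = []
    for i in range(num_sections):
        entry = table + i * 40                                  # IMAGE_SECTION_HEADER is 40 bytes
        if entry + 40 > len(data):
            break                                               # truncated header
        raw = data[entry:entry + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(filename: str, data: bytes) -> list:
    """Return a list of finding tags for one file; an empty list means nothing notable."""
    findings = []
    names = pe_section_names(data)
    if names is None:
        return findings                                         # not a PE image
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        # A PE image hiding behind a document-like name is the "renamed binary" case.
        findings.append(f"pe-with-misleading-extension:{ext or '(none)'}")
    if any(n.upper().startswith("UPX") for n in names):
        findings.append("upx-packed")                           # stock UPX section names
    if shannon_entropy(data) >= HIGH_ENTROPY:
        findings.append("high-entropy")                         # packed/encrypted payload
    return findings


def build_fake_pe(section_names: list) -> bytes:
    """Constructed, non-runnable PE header used only as test input (not real malware)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: no optional header), Characteristics.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table


if __name__ == "__main__":
    # Constructed samples standing in for files pulled from a suspect host.
    samples = {
        "svchost.exe": build_fake_pe(["UPX0", "UPX1", ".rsrc"]),
        "invoice.pdf": build_fake_pe([".text", ".data", ".rsrc"]),
        "readme.txt": b"plain text, not a PE image",
    }
    for name, blob in samples.items():
        print(f"{name:12s} -> {triage(name, blob) or 'clean'}")
```

The script only inspects the section table and the file name, so it is cheap enough to run across a whole share; a match is a lead for analysts to pull the file and verify, not proof of compromise, since legitimate software is sometimes UPX-packed too.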


Know your enemy

Andrew Costis, engineering manager of the Adversary Research Team at AttackIQ, emphasizes the importance of understanding and testing against specific TTPs used by groups like BianLian. The shift to exfiltration-based extortion could be a strategic move by the operators, potentially aiming to target more victims efficiently.

Costis notes that the change in tactics suggests a de-prioritization of encryption and double extortion, indicating a shift in values within the ransomware landscape. It remains to be seen if other groups will follow suit.
