BianLian Ransomware Attack on National Publisher Services LLC

Incident Date: May 26, 2024

Overview

Victim: National Publisher Services LLC

Attacker: BianLian

Location: New York, USA

First Reported: May 26, 2024

Company Profile and Industry Standout

National Publisher Services LLC (NPS Media Group) is a publishing company based in the United States. Known for its focus on magazine subscriptions and other publishing activities, NPS provides print and digital solutions to media companies. Despite its small size, with only 2-10 employees, NPS has made a significant mark in the publishing industry. The company reported revenue of $7.8 million, highlighting its substantial role within its niche market.

Vulnerabilities and Targeted Attack

The company's prominence and specific sector focus made it an attractive target for ransomware groups like BianLian. The publishing industry's reliance on digital infrastructure for managing subscriptions and publishing activities presents various vulnerabilities, particularly when robust cybersecurity measures are not in place.

Attack Overview

In a recent cyber attack, BianLian claimed responsibility for compromising National Publisher Services LLC. The attackers extracted 75 GB of sensitive data, including financial records, HR information, client and customer data, trade secrets, personally identifiable information (PII), and extensive internal and external email correspondence. The group's modus operandi involves data-theft-based extortion, where they threaten to release the stolen data publicly unless a ransom is paid.

Details of the Ransomware Group

BianLian has evolved from a traditional ransomware group into a sophisticated data extortion operation. Initially known for encrypting victims' files and demanding a ransom for decryption, BianLian has shifted its focus to pure data-theft extortion: it steals data and threatens to leak it unless the ransom is paid, a method that has proven less labor-intensive and more effective at coercing victims.

The group gains initial access through compromised Remote Desktop Protocol (RDP) credentials or exploiting known vulnerabilities. They plant custom backdoors, disable antivirus software, and install remote management tools to maintain persistence. These tactics enable them to steal data efficiently while evading detection by standard cybersecurity measures.

Penetration and Persistence Tactics

Upon infiltrating the target's network, BianLian uses a variety of techniques to ensure continued access and control. These include creating or activating administrator accounts, disabling security software, and modifying registry keys. By using tools like PowerShell and Rclone, the group can move laterally within the network and siphon large amounts of data without triggering standard security alerts.
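As an added illustration of how a defender can chain the behaviours listed above into a single triage signal (this is constructed example code, not code from the report or from any tool it names): the script below parses a few constructed Windows event-log style records and flags an RDP logon, a freshly created account promoted to Administrators, a stopped Defender service and an Rclone process on the same host. The log layout, host names and field names are assumptions made for the example.

```python
# Constructed sample telemetry in a simplified Windows event-log layout
# (assumed format, not data from this incident): host|event_id|key=value;...
SAMPLE_EVENTS = [
    "srv01|4624|user=svc_backup;logon_type=10;src=203.0.113.5",   # RDP logon
    "srv01|4720|target=adm_helper;subject=svc_backup",            # account created
    "srv01|4732|group=Administrators;member=adm_helper",          # added to admins
    "srv01|7036|service=WinDefend;state=stopped",                 # Defender stopped
    "srv01|4688|image=C:\\Users\\Public\\rclone.exe;cmd=rclone copy D:\\share remote:bkt",
    "ws07|4624|user=jsmith;logon_type=2;src=-",                   # benign console logon
    "ws07|4688|image=C:\\Windows\\System32\\notepad.exe;cmd=notepad.exe",
]

def parse_event(line):
    """Split one line into (host, event_id, fields)."""
    host, event_id, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    return host, int(event_id), fields

def detect(lines):
    """Return (host, rule) hits for the behaviours described in the text."""
    hits, created = [], set()          # created: (host, account) seen in 4720
    for line in lines:
        host, eid, f = parse_event(line)
        if eid == 4624 and f.get("logon_type") == "10":       # type 10 = RemoteInteractive
            hits.append((host, "rdp_logon:" + f.get("user", "?")))
        elif eid == 4720:
            created.add((host, f.get("target")))
        elif eid == 4732 and f.get("group") == "Administrators":
            if (host, f.get("member")) in created:            # fresh account made admin
                hits.append((host, "new_admin:" + f["member"]))
        elif eid == 7036 and f.get("service") == "WinDefend" and f.get("state") == "stopped":
            hits.append((host, "defender_stopped"))
        elif eid == 4688:
            image = f.get("image", "").rsplit("\\", 1)[-1].lower()
            if image == "rclone.exe" or "rclone" in f.get("cmd", "").lower():
                hits.append((host, "rclone_exec"))
    return hits

def hosts_to_triage(lines, threshold=3):
    """Hosts where at least `threshold` distinct rules fired, i.e. a chained pattern."""
    rules_by_host = {}
    for host, rule in detect(lines):
        rules_by_host.setdefault(host, set()).add(rule.split(":")[0])
    return sorted(h for h, r in rules_by_host.items() if len(r) >= threshold)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("triage:", hosts_to_triage(SAMPLE_EVENTS))   # triage: ['srv01']
```

Requiring several distinct rules on one host before raising an alert keeps a lone RDP logon or a single administrative change from paging anyone, while the full chain seen on srv01 does.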

Implications and Recommendations

The attack on National Publisher Services LLC underscores the growing threat posed by ransomware groups that focus on data theft. Organizations are advised to adopt enhanced cybersecurity measures, including stringent access controls, regular audits of remote access tools, and comprehensive endpoint detection and response solutions. These steps can help mitigate the risks associated with sophisticated cyber threat actors like BianLian.

Sources

Recent Ransomware Attacks (RRA) tracker