BianLian Ransomware Attack on National Publisher Services LLC

Company Profile and Industry Standout

National Publisher Services LLC (NPS Media Group) is a publishing company based in the United States. Known for its focus on magazine subscriptions and other publishing activities, NPS provides print and digital solutions to media companies. Despite its small size, with only 2-10 employees, NPS has made a significant mark in the publishing industry. The company reported revenue of $7.8 million, highlighting its substantial role within its niche market.

Vulnerabilities and Targeted Attack

The company's prominence and specific sector focus made it an attractive target for ransomware groups like BianLian. The publishing industry's reliance on digital infrastructure for managing subscriptions and publishing activities presents various vulnerabilities, particularly when robust cybersecurity measures are not in place.

Attack Overview

In a recent cyber attack, BianLian claimed responsibility for compromising National Publisher Services LLC. The attackers extracted 75 GB of sensitive data, including financial records, HR information, client and customer data, trade secrets, personally identifiable information (PII), and extensive internal and external email correspondence. The group's modus operandi involves data-theft-based extortion, where they threaten to release the stolen data publicly unless a ransom is paid.

Details of the Ransomware Group

BianLian has evolved from a traditional ransomware group into a sophisticated data extortion operation. Initially known for encrypting victims' files and demanding ransom for decryption, BianLian has shifted focus towards purely data theft. This tactic involves stealing data and threatening to leak it unless the ransom is paid, a method that has proven to be less labor-intensive and more effective in coercing victims.

The group gains initial access through compromised Remote Desktop Protocol (RDP) credentials or exploiting known vulnerabilities. They plant custom backdoors, disable antivirus software, and install remote management tools to maintain persistence. These tactics enable them to steal data efficiently while evading detection by standard cybersecurity measures.

Penetration and Persistence Tactics

Upon infiltrating the target's network, BianLian uses a variety of techniques to ensure continued access and control. These include creating or activating administrator accounts, disabling security software, and modifying system registries. By using tools like PowerShell and Rclone, the group can move laterally within the network and siphon significant amounts of data without triggering standard security alerts.

Implications and Recommendations

The attack on National Publisher Services LLC underscores the growing threat posed by ransomware groups that focus on data theft. Organizations are advised to adopt enhanced cybersecurity measures, including stringent access controls, regular audits of remote access tools, and comprehensive endpoint detection and response solutions. These steps can help mitigate the risks associated with sophisticated cyber threat actors like BianLian.

Sources

• BianLian Ransomware Gang Shifts to Purely Data Extortion Attacks, Warns Joint Advisory - CPO Magazine
• BianLian ransomware gang shifts focus to pure data extortion - BleepingComputer
• BianLian Ransomware Group Threat Assessment - Unit 42, Palo Alto Networks
• Evolving BianLian ransomware attack strategies detailed - SC Media