BianLian Ransomware Attack on National Publisher Services LLC
Incident Date:
May 26, 2024
Overview
Title
BianLian Ransomware Attack on National Publisher Services LLC
Victim
National Publisher Services LLC
Attacker
BianLian
Location
First Reported
May 26, 2024
Company Profile and Industry Standout
National Publisher Services LLC (NPS Media Group) is a publishing company based in the United States. Known for its focus on magazine subscriptions and other publishing activities, NPS provides print and digital solutions to media companies. Despite its small size, with only 2-10 employees, NPS has made a significant mark in the publishing industry. The company reported revenue of $7.8 million, highlighting its substantial role within its niche market.
Vulnerabilities and Targeted Attack
The company's prominence and specific sector focus made it an attractive target for ransomware groups like BianLian. The publishing industry's reliance on digital infrastructure for managing subscriptions and publishing activities presents various vulnerabilities, particularly when robust cybersecurity measures are not in place.
Attack Overview
In a recent cyber attack, BianLian claimed responsibility for compromising National Publisher Services LLC. The attackers extracted 75 GB of sensitive data, including financial records, HR information, client and customer data, trade secrets, personally identifiable information (PII), and extensive internal and external email correspondence. The group's modus operandi involves data-theft-based extortion, where they threaten to release the stolen data publicly unless a ransom is paid.
Details of the Ransomware Group
BianLian has evolved from a traditional ransomware group into a sophisticated data extortion operation. Initially known for encrypting victims' files and demanding ransom for decryption, BianLian has shifted focus towards purely data theft. This tactic involves stealing data and threatening to leak it unless the ransom is paid, a method that has proven to be less labor-intensive and more effective in coercing victims.
The group gains initial access through compromised Remote Desktop Protocol (RDP) credentials or by exploiting known vulnerabilities. They plant custom backdoors, disable antivirus software, and install remote management tools to maintain persistence. These tactics enable them to steal data efficiently while evading detection by standard cybersecurity measures.
Penetration and Persistence Tactics
Upon infiltrating the target's network, BianLian uses a variety of techniques to ensure continued access and control. These include creating or activating administrator accounts, disabling security software, and modifying the Windows registry. By using tools like PowerShell and Rclone, the group can move laterally within the network and siphon significant amounts of data without triggering standard security alerts.
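The behaviours described in the two paragraphs above (new admin accounts, disabled security software, Rclone exfiltration) are each visible in Windows Security and Sysmon telemetry. The following is an added detection example, not code from the original page or from any referenced source; it runs three simple rules over constructed sample events in a hypothetical flattened JSON schema (real exports use different field names). The Event IDs are the real Windows ones.

```python
import json
import ntpath

# Constructed sample events (hypothetical schema). 4720 = user account created,
# 4732 = member added to local group, 4688 = process creation,
# Sysmon 13 = registry value set.
SAMPLE_EVENTS = [
    '{"ts": "2024-05-20T01:02:03Z", "host": "FS01", "event_id": 4720, "user": "svc_backup2"}',
    '{"ts": "2024-05-20T01:02:09Z", "host": "FS01", "event_id": 4732, "user": "svc_backup2", "group": "Administrators"}',
    '{"ts": "2024-05-20T01:10:00Z", "host": "FS01", "event_id": 13, "target": "HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware", "value": "1"}',
    '{"ts": "2024-05-20T02:30:00Z", "host": "FS01", "event_id": 4688, "image": "C:\\\\Temp\\\\rclone.exe", "cmdline": "rclone copy D:\\\\Shares remote:drop --transfers 16"}',
    '{"ts": "2024-05-20T02:31:00Z", "host": "WS07", "event_id": 4688, "image": "C:\\\\Windows\\\\notepad.exe", "cmdline": "notepad.exe"}',
]

# Defender policy values that switch protection off when set to 1.
DEFENDER_KILL_SWITCHES = ("disableantispyware", "disablerealtimemonitoring")
RCLONE_VERBS = {"copy", "sync", "move"}


def detect(lines):
    """Return one alert dict per matched rule, in event order."""
    alerts = []
    created = {}  # (host, user) -> timestamp of the 4720 event
    for line in lines:
        ev = json.loads(line)
        eid, host, ts = ev["event_id"], ev["host"], ev["ts"]
        if eid == 4720:
            created[(host, ev["user"])] = ts
        elif eid == 4732 and ev.get("group") == "Administrators":
            key = (host, ev["user"])
            if key in created:  # freshly created account promoted straight to admin
                alerts.append({"rule": "new_admin_account", "host": host, "ts": ts,
                               "detail": f"{ev['user']} created {created[key]}, admin {ts}"})
        elif eid == 13:
            value_name = ev["target"].rsplit("\\", 1)[-1].lower()
            if value_name in DEFENDER_KILL_SWITCHES and ev.get("value") == "1":
                alerts.append({"rule": "defender_disabled", "host": host, "ts": ts,
                               "detail": ev["target"]})
        elif eid == 4688:
            image = ntpath.basename(ev["image"]).lower()
            tokens = ev.get("cmdline", "").split()
            # Match rclone by binary name, or a renamed binary by its "<verb> <src> remote:<path>"
            # syntax (a remote name has a colon but no drive-style backslash path).
            renamed = (len(tokens) > 2 and tokens[1] in RCLONE_VERBS and
                       any(":" in t and "\\" not in t and not t.startswith("-") for t in tokens[2:]))
            if image == "rclone.exe" or renamed:
                alerts.append({"rule": "rclone_exfil_tool", "host": host, "ts": ts,
                               "detail": ev["cmdline"]})
    return alerts
```

The account-creation rule keeps state across events, so feed it a time-ordered stream; in a real SIEM you would also bound the window between the 4720 and 4732 events.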
Implications and Recommendations
The attack on National Publisher Services LLC underscores the growing threat posed by ransomware groups that focus on data theft. Organizations are advised to adopt enhanced cybersecurity measures, including stringent access controls, regular audits of remote access tools, and comprehensive endpoint detection and response solutions. These steps can help mitigate the risks associated with sophisticated cyber threat actors like BianLian.
Sources
- BianLian Ransomware Gang Shifts to Purely Data Extortion Attacks, Warns Joint Advisory - CPO Magazine
- BianLian ransomware gang shifts focus to pure data extortion - BleepingComputer
- BianLian Ransomware Group Threat Assessment - Unit 42, Palo Alto Networks
- Evolving BianLian ransomware attack strategies detailed - SC Media