BianLian Ransomware Strikes Transit Insurance Firm

Incident Date: July 4, 2024

Overview

Title: BianLian Ransomware Strikes Transit Insurance Firm
Victim: Transit Mutual Insurance Corporation
Attacker: BianLian
Location: Appleton, Wisconsin, USA
First Reported: July 4, 2024

Analysis of the BianLian Ransomware Attack on Transit Mutual Insurance Corporation

Company Profile: Transit Mutual Insurance Corporation

Transit Mutual Insurance Corporation of Wisconsin (TMi), founded in 1981, is a specialized provider of insurance services to public transit agencies and municipalities across the United States. Operating from Appleton, Wisconsin, TMi is a relatively small entity with a workforce of 2-10 employees. Despite its size, TMi has carved out a niche in the insurance sector by offering tailored insurance solutions including liability, property, and workers' compensation coverage. This focus on the public transit sector, coupled with a strong reputation for service and expertise, distinguishes TMi within the insurance industry.

Details of the Ransomware Attack

The recent cyberattack on Transit Mutual Insurance Corporation by the BianLian ransomware group resulted in unauthorized access to, and exfiltration of, approximately 400 GB of sensitive data. The compromised data includes vital business information, accounting records, project files, and personal data from network users' folders and file servers. This breach not only threatens the privacy and security of the data but also poses significant operational and reputational risks for TMi.

Profile of the Ransomware Group: BianLian

BianLian, originally known as a banking trojan, has evolved into a sophisticated ransomware group targeting a wide range of sectors globally. The group is known for advanced tactics, including the use of compromised RDP credentials, custom backdoors, and extensive use of PowerShell and the Windows Command Shell for defense evasion. BianLian's operations have shifted focus from double extortion to primarily exfiltration-based extortion, threatening significant financial and legal consequences for non-compliance.

Vulnerabilities and Attack Vectors

The specific vulnerabilities that allowed BianLian to penetrate TMi's defenses have not been publicly detailed. However, based on BianLian's known methodologies, it is plausible that compromised RDP credentials or phishing attacks were the initial access points. TMi's small size and potentially limited cybersecurity resources may also have made it a more attractive target for this type of sophisticated cyberattack.

Sources

Recent Ransomware Attacks
