Sable International Hit by BianLian Ransomware, 200GB Data Stolen

Incident Date:

July 31, 2024

Overview

Title

Sable International Hit by BianLian Ransomware, 200GB Data Stolen

Victim

Sable International

Attacker

Bianlian

Location

Cape Town, South Africa

First Reported

July 31, 2024

Sable International Ransomware Attack by BianLian

Sable International, a global provider of financial and immigration services, has been targeted by the notorious ransomware group BianLian. The attack, discovered on August 1, led to the unauthorized extraction of 200GB of sensitive data. This incident has raised significant concerns about the security measures in place at Sable International and the evolving tactics of ransomware groups.

About Sable International

Sable International is a multifaceted company specializing in cross-border financial and immigration services. Founded by Reg Bamford, the company rebranded from 1st Contact to Sable International in 2016 to better reflect its global service offerings. With a presence in the UK, South Africa, and Australia, Sable International caters to both individuals and businesses, providing services such as immigration consultancy, wealth management, and educational consultancy. The company employs over 200 staff members and reported a revenue of approximately £20 million for the fiscal year ending September 30, 2023.

Attack Overview

The ransomware attack orchestrated by BianLian led to the extraction of 200GB of sensitive data. Sable International promptly reported the incident to authorities in South Africa and the UK. Preliminary investigations suggest that a limited number of clients have had their personal information compromised, and those affected have been directly notified. The attackers have begun contacting clients directly via email, likely to pressure Sable International into paying a ransom. The company has advised its clients to avoid interacting with these emails and to report any suspicious communications immediately.

About BianLian

BianLian is a sophisticated ransomware group that has evolved from targeting individual users to launching high-profile attacks on businesses and organizations worldwide. Initially functioning as a banking trojan, it transitioned into advanced ransomware operations built around extortion. The group has gained initial access through compromised Remote Desktop Protocol (RDP) credentials and has used a variety of tools for discovery, lateral movement, and data exfiltration. Its shift toward exfiltration-based extortion and its global reach underscore the evolving threat posed by ransomware groups.

Penetration and Vulnerabilities

BianLian likely penetrated Sable International's systems through compromised RDP credentials, a common entry point for ransomware attacks. The group's use of custom backdoors, PowerShell, and the Windows Command Shell for defense evasion highlights the need for robust security controls. Sable International's extensive handling of sensitive client data made it an attractive target, underscoring the importance of continuous monitoring and advanced threat detection, in particular of remote-access logons.
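Because compromised RDP credentials are the entry point described above, a defender's first detection is usually a review of successful RemoteInteractive logons. The following is an added example, not code from the original report or from Sable International: it flags Windows Security 4624 events with logon type 10 (RDP) coming from outside assumed corporate ranges or from an account/source pairing not seen in a baseline. All addresses, accounts and the baseline are constructed placeholders.

```python
"""Flag suspicious RDP logons in Windows Security events (constructed sample).

Heuristic: Event ID 4624 with LogonType 10 (RemoteInteractive, i.e. RDP)
whose source address lies outside the corporate ranges, or whose
account/source pair has never been seen in the baseline period.
"""
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "event_id logon_type account source_ip")

# Assumption: RFC 1918 ranges stand in for the corporate network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed baseline of (account, source_ip) pairs seen in normal operation.
BASELINE = {("jsmith", "10.1.4.22"), ("svc_backup", "10.1.4.9")}

# Constructed events using documentation/test addresses, not real indicators.
SAMPLE_EVENTS = [
    Event(4624, 10, "jsmith", "10.1.4.22"),      # known pair, internal
    Event(4624, 10, "jsmith", "203.0.113.45"),   # RDP from outside the network
    Event(4624, 3, "svc_backup", "10.1.4.9"),    # network logon, not RDP
    Event(4624, 10, "admin", "10.1.4.22"),       # new account on a known host
    Event(4625, 10, "admin", "198.51.100.7"),    # failed logon, ignored here
]


def is_internal(ip):
    """True if the address falls in one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_rdp_logons(events, baseline=BASELINE):
    """Return (account, source_ip, reason) tuples for RDP logons worth triage."""
    findings = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 10:
            continue  # only successful RemoteInteractive (RDP) logons
        if not is_internal(ev.source_ip):
            findings.append((ev.account, ev.source_ip, "external source"))
        elif (ev.account, ev.source_ip) not in baseline:
            findings.append((ev.account, ev.source_ip, "new account/source pair"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

In practice the baseline would be built from several weeks of 4624 events and the internal ranges from the organisation's actual address plan; the failed-logon (4625) stream is a separate, complementary signal for password spraying.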

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them, and their victims. Given the lucrative success threat actors have had so far, ransomware has become the most ubiquitous cyber threat to businesses and organizations today, and the one with the greatest financial and informational impact.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.