FBI and CISA Issue Warning About BianLian Ransomware and Extortion Group
A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) about the BianLian ransomware and data extortion group.
The BianLian group has been conducting attacks in the United States since at least June 2022 and has actively targeted critical infrastructure organizations, including the healthcare and public health sector. The BianLian group is a ransomware actor that develops and uses ransomware in its attacks, typically engaging in double extortion tactics, where sensitive private data is exfiltrated from victims’ networks before files are encrypted. The group threatens to leak the stolen data if the ransom is not paid. This year, the group has largely switched to extortion-only attacks where files are not encrypted after exfiltration. These attacks have proven to be effective as the release of stolen data can cause significant damage to an organization’s reputation and legal complications.
The BianLian group primarily gains access to victims’ networks by using Remote Desktop Protocol (RDP) credentials, which may be obtained through brute force attacks to guess weak credentials, purchasing credentials from initial access brokers, or phishing attacks. Once credentials are obtained, the group deploys a custom backdoor specific to each victim, and commercially available remote access tools are downloaded such as TeamViewer, Atera Agent, SplashTop, and AnyDesk. The group uses command-line tools and scripts for network reconnaissance and harvesting more credentials. PowerShell and Windows Command Shell are used to disable antivirus software such as Windows Defender and Anti-Malware Scan Interface (AMSI), and the registry is modified to uninstall services such as Sophos SAVEnabled, SEDenabled, and SAVService services.
Tools typically downloaded onto victims’ networks include Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, and PingCastle to aid discovery, along with native Windows tools and Windows Command Shell, with PsExec and RDP with valid accounts used for lateral movement. Once sensitive data has been located, data exfiltration occurs via File Transfer Protocol (FTP), Rclone, or Mega. Once data exfiltration has occurred, threats are issued to publish the stolen data.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The best defense against attacks is to limit the use of RDP and other remote desktop services. Audits should be conducted of all remote access tools on the network to identify installed and currently used software. Any remote access tools that are not currently used should be removed or disabled, and RDP should be locked down. Security software should be used to detect instances of remote access software being loaded in the memory, and logs should be reviewed of remote access software to detect any abnormal use.
Authorized remote access solutions should only be used from within the network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs). Inbound and outbound connections on common remote access software ports and protocols should be blocked at the network perimeter. Organizations should also disable command-line services and scripting activities and restrict the use of PowerShell on critical systems, and enhanced PowerShell logging should be enabled. Regular audits of administrative accounts should be conducted, time-based access for accounts should be set at the admin level and higher, and the principle of least privilege should be applied.
The cybersecurity alert includes Indicators of Compromise (IOCs), details of the tactics, techniques, and procedures (TTPs) used by the group, and other recommended mitigations.
