BianLian Skips Encryption on Way to Extortion – Source: www.govinfosecurity.com

Fraud Management & Cybercrime
,
Ransomware

BianLian Is Not Double Trouble Anymore, Says US CISA

Prajeet Nair (@prajeetspeaks) •
May 17, 2023    

The BianLian ransomware group is abandoning malicious encryption in favor of pure extortion, warns the U.S. top cybersecurity agency.

See Also: OnDemand | Attack Surface Management 2.0: Leveraging Vulnerability Analytics & Threat Intelligence

Security researchers earlier this year spotted the group skipping over double extortion to engage in the straight extortion tactic of demanding a ransom for silence about stolen data.

Now the U.S. Cybersecurity and Infrastructure Security Agency says the same.

A major likely factor in BianLian’s shift was cybersecurity firm Avast’s January release of a free decryptor (see: Stung by Free Decryptor, Ransomware Group Embraces Extortion).

The group’s name refers to “bian lian,” an ancient Chinese dramatic art in which characters’ faces change in the blink of an eye. The group apparently adopted the moniker as a boast about the speed of its encryption.

CISA says the group gains initial access to networks through compromised remote desktop protocol credentials likely acquired from initial access brokers or through phishing.

Once inside a network, BianLian hackers implant a custom backdoor specific to each victim, CISA says, and install remote management tools such as TeamViewer.

The FBI also observed BianLian group actors activate local administrator accounts and change their credentials. The hackers use Windows utilities to disable antivirus tools such as Windows Defender and the anti-malware scan interface, a Microsoft standard for integrating antivirus programs into the Windows environment.

Hackers look for sensitive files using PowerShell scripts and exfiltrate them for extortion.

BianLian receives payments in unique cryptocurrency wallets for each victim company and engages in additional techniques to pressure the victim into paying the ransom.

The threat actors use printers in the victim network to churn out ransom notes and employees of victim companies have reported receiving threatening telephone calls.