
CISA: BianLian Ransomware Focus Switches to Data Theft – Source: heimdalsecurity.com


Source: heimdalsecurity.com – Author: Cristian Neagu

Last updated on November 22, 2024


The FBI, the Australian Cyber Security Centre, and the U.S. Cybersecurity & Infrastructure Security Agency have issued a new advisory stating that the BianLian ransomware operation has changed its strategy and is now predominantly a data theft extortion gang.

The same agencies issued a joint advisory in May that warned about BianLian’s shifting tactics, which included using commercial remote access tools, custom Go-based backdoors, stolen Remote Desktop Protocol (RDP) credentials, and targeted Windows Registry modifications. This new information comes as an update to that advisory.

After Avast published a decryptor for the family in January 2023, BianLian began gradually abandoning file encryption in favor of data theft extortion.

BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024.

CISA

Details From the Advisory: The New Techniques of BianLian

The advisory also highlights that the group now attempts to obscure their origin by using foreign-language names, but the intelligence agencies are confident that the primary operators and multiple affiliates are based in Russia.

The advisory gives us information on the ransomware gang’s new techniques, tactics, and procedures:

  • Targets Windows and ESXi infrastructure, possibly using the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access.
  • Uses Ngrok and a modified Rsocks to mask traffic destinations through SOCKS5 tunnels.
  • Exploits CVE-2022-37969 to escalate privileges on Windows 10 and 11.
  • Uses UPX packing to bypass detection.
  • Renames binaries and tasks after legitimate Windows services and security products for evasion.
  • Creates Domain Admin and Azure AD accounts, performs network logon connections via SMB, and installs webshells on Exchange servers.
  • Uses PowerShell scripts to compress collected data before exfiltration.
  • Includes a new Tox ID for victim communication in the ransom note.
  • Prints ransom notes on printers connected to the compromised network and calls employees of the victim companies to apply pressure.
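Two of the techniques listed above lend themselves to straightforward detection logic: binaries renamed after legitimate Windows services or security products, and newly created accounts that are immediately granted Domain Admin rights. The Python below is an added example written for this page, not code from the advisory or from Heimdal; the process records and the Windows Security audit events (IDs 4720, account created, and 4728, member added to a security-enabled global group) are constructed samples in a simplified schema, and the allow-list of expected image directories is an assumption you would tune to your own estate.

```python
from datetime import datetime, timedelta

# --- Detection 1: binaries masquerading as Windows services / security products ---
# Well-known service and security-product binary names mapped to the directory
# prefixes they legitimately run from. This allow-list is an assumption for the
# example; extend it for your environment. Comparison is case-insensitive.
EXPECTED_IMAGE_DIRS = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "lsass.exe": ("c:\\windows\\system32\\",),
    "services.exe": ("c:\\windows\\system32\\",),
    "spoolsv.exe": ("c:\\windows\\system32\\",),
    "msmpeng.exe": ("c:\\programdata\\microsoft\\windows defender\\platform\\",
                    "c:\\program files\\windows defender\\"),
}


def find_masquerading(process_events):
    """Return (name, path) pairs for processes that carry a well-known service or
    security-product name but run from a directory outside the expected ones."""
    hits = []
    for ev in process_events:
        name = ev["name"].lower()
        path = ev["path"].lower()
        expected = EXPECTED_IMAGE_DIRS.get(name)
        if expected is None:
            continue  # not a name we track
        if not any(path.startswith(prefix) for prefix in expected):
            hits.append((ev["name"], ev["path"]))
    return hits


# --- Detection 2: fresh accounts granted Domain Admin ---
DOMAIN_ADMINS = "domain admins"
NEW_ACCOUNT_WINDOW = timedelta(hours=24)  # assumption: tune to your change process


def find_fresh_domain_admins(audit_events):
    """Return account names created (event 4720) and then added to Domain Admins
    (event 4728) within NEW_ACCOUNT_WINDOW. Each event is a dict with 'time'
    (ISO 8601), 'event_id', 'target' (account name) and, for 4728, 'group'."""
    created_at = {}
    for ev in audit_events:
        if ev["event_id"] == 4720:
            created_at[ev["target"].lower()] = datetime.fromisoformat(ev["time"])
    flagged = []
    for ev in audit_events:
        if ev["event_id"] != 4728 or ev.get("group", "").lower() != DOMAIN_ADMINS:
            continue
        t_created = created_at.get(ev["target"].lower())
        if t_created is None:
            continue  # long-standing account; out of scope for this rule
        t_added = datetime.fromisoformat(ev["time"])
        if timedelta(0) <= t_added - t_created <= NEW_ACCOUNT_WINDOW:
            flagged.append(ev["target"])
    return flagged


# Constructed sample telemetry (not taken from the advisory or any real incident).
SAMPLE_PROCESSES = [
    {"name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe"},
    {"name": "svchost.exe", "path": "C:\\Users\\Public\\svchost.exe"},
    {"name": "MsMpEng.exe", "path": "C:\\ProgramData\\Tasks\\MsMpEng.exe"},
    {"name": "notepad.exe", "path": "C:\\Windows\\System32\\notepad.exe"},
]

SAMPLE_AUDIT = [
    {"time": "2024-11-20T01:10:00", "event_id": 4720, "target": "svc_backup2"},
    {"time": "2024-11-20T01:12:30", "event_id": 4728, "target": "svc_backup2", "group": "Domain Admins"},
    {"time": "2024-11-20T02:00:00", "event_id": 4728, "target": "jdoe", "group": "Domain Admins"},
    {"time": "2024-11-20T03:00:00", "event_id": 4720, "target": "intern01"},
    {"time": "2024-11-20T03:05:00", "event_id": 4728, "target": "intern01", "group": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for name, path in find_masquerading(SAMPLE_PROCESSES):
        print(f"possible masquerading: {name} running from {path}")
    for account in find_fresh_domain_admins(SAMPLE_AUDIT):
        print(f"new account granted Domain Admin within 24h: {account}")
```

On the constructed samples the first rule flags the svchost.exe copy in C:\Users\Public and the MsMpEng.exe copy outside the Defender directories, and the second rule flags only svc_backup2: jdoe is an existing account with no 4720 event, and intern01 joined a group other than Domain Admins. In production the same logic would run over EDR process telemetry and the 4720/4728 events forwarded from domain controllers.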

The group has been active since 2022, and 2024 was a prolific year for them, with 154 victims listed on its extortion portal on the dark web. Some of its most notable breaches include the one against Air Canada.

CISA recommends strictly limiting the use of RDP, disabling command-line and scripting permissions, and restricting the use of PowerShell on Windows systems.


Author Profile


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.


Original Post URL: https://heimdalsecurity.com/blog/bianlian-ransomware-data-theft/

Category & Tags: Cybersecurity News – Cybersecurity News
