BianLian

BianLian is a ransomware group known for targeting critical infrastructure sectors through sophisticated data exfiltration and extortion techniques, initially employing a double-extortion model before shifting to pure data extortion.

The origin of BianLian

BianLian is a ransomware and data extortion group likely operating out of Russia, with multiple affiliates based in the same region. The group has been active since June 2022 and initially used a double-extortion model, combining data theft with file encryption. As of January 2024, however, BianLian has fully shifted to an exfiltration-only extortion model: they steal data and demand payment to prevent its public disclosure, and no longer encrypt victims' systems. Their name was likely chosen to suggest a false origin and complicate attribution.

Targets

BianLian's targets

Countries targeted by BianLian

The majority of BianLian's attacks are concentrated in the United States, which accounts for 57.8% of the attacks. Other significant targets include the United Kingdom (10.2%), Canada (6.8%), and India (4.8%). Additionally, countries like Australia, Sweden, Germany, and Austria have also been affected, albeit to a lesser extent. This distribution underscores the group's focus on developed nations with robust digital infrastructures and significant amounts of valuable data.

Source: Ransomware.live

Industries targeted by BianLian

BianLian has shown a marked preference for certain industries, with the healthcare sector experiencing the highest number of attacks, followed by manufacturing, professional and legal services, high technology, and construction. Other notable targets include transportation and logistics, wholesale and retail, financial services, and education. This pattern highlights BianLian's focus on sectors that handle sensitive and critical data, making them prime targets for extortion and disruption.

Source: Palo Alto's Unit 42

BianLian's victims

BianLian has targeted more than 508 victims, including medium-to-large enterprises in the financial, healthcare, and property development sectors. The group's methodology of leveraging compromised RDP credentials and exfiltrating sensitive data has caused significant financial and reputational damage to the affected organizations.

Source: Ransomware.live

Attack Method

BianLian's attack method

Initial Access

BianLian gains access to networks through compromised Remote Desktop Protocol (RDP) credentials, obtained via phishing or from initial access brokers. They also exploit vulnerabilities in public-facing applications such as ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

Privilege Escalation

They exploit vulnerabilities like CVE-2022-37969 to escalate privileges on Windows systems.

Defense Evasion

The group disables antivirus tooling, including Windows Defender, and Sophos tamper protection using PowerShell commands and registry modifications. They also pack their malware with UPX to obfuscate it.

Credential Access

BianLian actors steal credentials by dumping Local Security Authority Subsystem Service (LSASS) memory and searching for plaintext credentials stored in files.

Discovery

Using tools like Advanced Port Scanner and SharpShares, they enumerate network services, shared folders, and domain accounts to map the target’s environment.

Lateral Movement

They use RDP, PsExec, and Server Message Block (SMB) connections for lateral movement within networks.

Collection

Sensitive data is identified, compressed, and encrypted before being staged for exfiltration.

Exfiltration

Data is stolen using FTP, Rclone, or Mega. Unlike in their earlier operations, they no longer encrypt endpoint data.
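As an added example (not part of this page or of Vectra's platform), the following Python applies a few detection rules over constructed Sysmon-style events for two of the steps described above: Windows Defender being disabled through PowerShell or the registry (Defense Evasion) and Rclone pushing staged data to a cloud remote (Exfiltration). Hostnames, usernames, paths and the event shape are constructed for the example.

```python
import re

# Constructed sample telemetry (not real logs), shaped like Sysmon Event ID 1
# (process creation, "cmd") and Event ID 13 (registry value set, "path"/"value").
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS01", "user": "CORP\\jdoe",
     "cmd": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"kind": "registry", "host": "WS01", "user": "CORP\\jdoe",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "DWORD (0x00000001)"},
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": r"C:\ProgramData\rclone.exe copy D:\staging\out.7z mega:share --transfers 8"},
    {"kind": "process", "host": "WS02", "user": "CORP\\admin",
     "cmd": "powershell.exe -c Get-MpPreference"},  # benign read, must not alert
]

# (rule name, ATT&CK technique from the page's mapping, event kind, field, pattern)
RULES = [
    ("Defender real-time protection disabled via PowerShell", "T1562", "process", "cmd",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("Defender disabled via registry policy", "T1112", "registry", "path",
     re.compile(r"\\Windows Defender\\(DisableAntiSpyware|Real-Time Protection\\DisableRealtimeMonitoring)$", re.I)),
    ("Rclone transfer to a configured remote", "T1567", "process", "cmd",
     re.compile(r"\brclone(\.exe)?\b\s+(copy|sync|move)\b.*\s[a-z]\w+:", re.I)),
]

def detect(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, technique, kind, field, pattern in RULES:
            if ev["kind"] != kind or not pattern.search(ev.get(field, "")):
                continue
            # A registry write that sets the value back to 0 re-enables Defender; skip it.
            if kind == "registry" and "0x00000000" in ev.get("value", ""):
                continue
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": name, "technique": technique})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['host']} {a['user']}: {a['rule']}")
```

The Rclone rule keys on the remote-name syntax (`name:path`) rather than the binary name alone, so a renamed rclone binary still matches when the remote argument is present.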

Impact

BianLian’s operations culminate in extortion, where they threaten to publicly leak stolen data, leveraging the victim’s fear of reputational, financial, and legal consequences to demand ransom payments.

MITRE ATT&CK Mapping

TTPs used by BianLian

BianLian employs various TTPs aligned with the MITRE ATT&CK framework. Some of the key TTPs include:

TA0001 Initial Access: T1566 Phishing; T1190 Exploit Public-Facing Application; T1133 External Remote Services; T1078 Valid Accounts
TA0002 Execution: T1059 Command and Scripting Interpreter
TA0003 Persistence: T1505 Server Software Component; T1136 Create Account; T1098 Account Manipulation; T1078 Valid Accounts; T1053 Scheduled Task/Job
TA0004 Privilege Escalation: T1068 Exploitation for Privilege Escalation; T1078 Valid Accounts; T1053 Scheduled Task/Job
TA0005 Defense Evasion: T1112 Modify Registry; T1036 Masquerading; T1027 Obfuscated Files or Information; T1562 Impair Defenses; T1078 Valid Accounts
TA0006 Credential Access: T1552 Unsecured Credentials; T1003 OS Credential Dumping
TA0007 Discovery: T1518 Software Discovery; T1482 Domain Trust Discovery; T1135 Network Share Discovery; T1087 Account Discovery; T1083 File and Directory Discovery; T1082 System Information Discovery; T1069 Permission Groups Discovery; T1057 Process Discovery; T1046 Network Service Discovery; T1033 System Owner/User Discovery; T1018 Remote System Discovery
TA0008 Lateral Movement: T1021 Remote Services
TA0009 Collection: T1560 Archive Collected Data; T1115 Clipboard Data
TA0011 Command and Control: T1219 Remote Access Software; T1105 Ingress Tool Transfer; T1090 Proxy
TA0010 Exfiltration: T1567 Exfiltration Over Web Service; T1537 Transfer Data to Cloud Account; T1048 Exfiltration Over Alternative Protocol
TA0040 Impact: T1486 Data Encrypted for Impact

Platform Detections

How to Detect BianLian with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack:

FAQs

What is BianLian's primary method of gaining initial access?

BianLian primarily gains initial access through compromised RDP credentials, often obtained via phishing or from initial access brokers.

How does BianLian evade detection?

They disable antivirus tools and tamper protection features using PowerShell and modify the Windows Registry to avoid detection.

What are BianLian's main targets?

BianLian targets critical infrastructure sectors in the U.S. and private enterprises in Australia, including sectors like healthcare, financial services, and property development.

How does BianLian exfiltrate data?

BianLian exfiltrates data using FTP, Rclone, or Mega, uploading sensitive files to cloud storage services.

What changes did BianLian make to their extortion tactics in 2023?

In 2023, BianLian shifted from encrypting victims' systems to focusing on exfiltration-based extortion, threatening to release stolen data unless paid.

Which tools does BianLian use for network discovery?

They use tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle to identify valuable targets within a network.

How does BianLian escalate privileges within a network?

BianLian activates local administrator accounts and changes passwords to elevate privileges, facilitating further exploitation.

What methods does BianLian use for lateral movement?

BianLian uses PsExec and RDP with valid credentials for lateral movement across the network.

How can organizations protect against BianLian's tactics?

Implement strict controls on remote access tools, disable unnecessary services, enforce strong password policies, and ensure regular software updates and patches.

What role can XDR solutions play in defending against BianLian?

XDR solutions can help by providing comprehensive visibility and automated response capabilities, detecting and mitigating suspicious activities across endpoints, networks, and cloud environments.