In an advisory, the US Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and the Australian Cyber Security Centre (ACSC), is warning organizations of attacks by BianLian, a ransomware developer, deployer, and data extortion group that has been active since 2022.
In the past, the ransomware gang focused on a double-extortion model in which it also encrypted victims’ systems, but in January 2023 BianLian shifted its attack methods. The group uses remote desktop protocol (RDP) credentials, open source tools, and command-line scripting to access victims’ networks, and exfiltrates their data over File Transfer Protocol (FTP), Rclone, or Mega. Once the data is out, the group extorts its victims, threatening to release it if payment is not received.
Cybersecurity service provider [redacted] released research on the group in March detailing its high-level operational security, its skill at network penetration, and its continued growth as a ransomware operation. These tactics, techniques, and procedures (TTPs) have allowed the gang to target critical infrastructure organizations in the US and Australia, as well as professional services and property development organizations.
“More often than not, extortion via data leak is the modus operandi of choice. The shift is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but to disrupt the infrastructure that sustains it,” Tom Kellerman, senior vice president of cyber strategy at Contrast Security, said in a statement in response to the advisory.
In light of these attacks, CISA urges organizations to implement the mitigations provided in the advisory, such as auditing remote access tools, reviewing logs for execution of remote access software, and enabling enhanced PowerShell logging.
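Two of those mitigations, enhanced PowerShell logging and a review of logs for remote access software, can be applied and checked from an elevated PowerShell session. The script below is an added example, not code from the advisory or the article; it assumes administrator rights, a transcript directory of C:\PSTranscripts, that process-creation auditing with command-line logging is already turned on, and a hypothetical watchlist of remote access tool names that you should replace with whatever is and is not approved in your environment.

```powershell
# Added example: enable enhanced PowerShell logging through the policy registry
# keys that Group Policy writes, then review recent events for remote access tools.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: script contents are recorded as Event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

# Module logging: pipeline execution details (Event ID 4103) for every module ('*').
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Type String -Value '*'

# Transcription: full session transcripts written to an assumed directory.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Type DWord -Value 1
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Type String -Value 'C:\PSTranscripts'

# Review step: assumed watchlist of remote access tool names (adjust for your site).
# Every hit is something to reconcile against the inventory from the audit.
$watchlist = @('anydesk', 'teamviewer', 'atera', 'splashtop', 'screenconnect')
$pattern   = ($watchlist | ForEach-Object { [regex]::Escape($_) }) -join '|'
$since     = (Get-Date).AddDays(-7)

$hits = @()
# Process creation (Security 4688): pull the "New Process Name" line for matches.
$hits += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { [regex]::Match($_.Message, 'New Process Name:\s*(.+)').Groups[1].Value.Trim() } }

# Script blocks (4104): show the first 200 characters of any block naming a tool.
$hits += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }

$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

The logging keys take effect for new PowerShell sessions; 4104 events only exist from that point on, so the review of earlier activity relies on the 4688 process-creation records.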