Ransomware Group

BianLian

BianLian is a ransomware group known for targeting critical infrastructure sectors through sophisticated data exfiltration and extortion techniques, initially employing a double-extortion model before shifting to pure data extortion.

Is Your Organization Safe from BianLian's Attacks?

The origin of BianLian

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has been active since June 2022. Initially, they employed a double-extortion model, encrypting victims’ systems and exfiltrating data. However, around January 2023, they shifted to primarily exfiltration-based extortion, where they steal data and threaten to release it unless a ransom is paid. The group has targeted organizations in multiple U.S. critical infrastructure sectors and private enterprises in Australia.

Targets

BianLian's targets

Countries targeted by BianLian

The majority of BianLian's attacks are concentrated in the United States, which accounts for 57.8% of the attacks. Other significant targets include the United Kingdom (10.2%), Canada (6.8%), and India (4.8%). Additionally, countries like Australia, Sweden, Germany, and Austria have also been affected, albeit to a lesser extent. This distribution underscores the group's focus on developed nations with robust digital infrastructures and significant amounts of valuable data.

Source: SOCRadar

Industries targeted by BianLian

BianLian has shown a marked preference for certain industries, with the healthcare sector experiencing the highest number of attacks, followed by manufacturing, professional and legal services, high technology, and construction. Other notable targets include transportation and logistics, wholesale and retail, financial services, and education. This pattern highlights BianLian's focus on sectors that handle sensitive and critical data, making them prime targets for extortion and disruption.

Source: Palo Alto's Unit 42

Industries targeted by BianLian

BianLian has shown a marked preference for certain industries, with the healthcare sector experiencing the highest number of attacks, followed by manufacturing, professional and legal services, high technology, and construction. Other notable targets include transportation and logistics, wholesale and retail, financial services, and education. This pattern highlights BianLian's focus on sectors that handle sensitive and critical data, making them prime targets for extortion and disruption.

Source: Palo Alto's Unit 42

BianLian's victims

BianLian targeted more than 425 victims including medium to large enterprises in the financial, healthcare, and property development sectors. The group's methodology of leveraging compromised RDP credentials and exfiltrating sensitive data has led to significant financial and reputational damage for the affected organizations.

Source: Ransomware.live

Demo

See How Vectra AI Detects a Ransomware Attack

TTPs & Tools

BianLian's attack method

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.

BianLian gains initial access through compromised Remote Desktop Protocol (RDP) credentials, often obtained from initial access brokers or via phishing campaigns. They also exploit vulnerabilities in remote access services.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.

The group activates local administrator accounts and changes passwords to elevate privileges, enabling further exploitation of the network.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.

They disable antivirus tools and tamper protection features using PowerShell and Windows Command Shell, modifying the registry to avoid detection.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.

BianLian harvests credentials from the Local Security Authority Subsystem Service (LSASS) memory and searches for unsecured credentials on the local machine using various command-line tools.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.

Utilizing tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle, BianLian conducts thorough network and active directory reconnaissance to identify valuable targets.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.

The group uses tools like PsExec and RDP with valid credentials to move laterally within the network, exploiting vulnerabilities such as the Netlogon vulnerability (CVE-2020-1472).

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.

BianLian uses malware to enumerate registry and files, copying clipboard data to gather sensitive information for extortion.

A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.

They deploy custom backdoors and use legitimate remote access software (e.g., TeamViewer, Atera Agent) to maintain persistence and control over the compromised systems.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.

Data is exfiltrated using File Transfer Protocol (FTP), Rclone, or Mega, with sensitive files being uploaded to cloud storage services for further leverage in extortion attempts.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.

The group shifts to data extortion by threatening to release exfiltrated data unless a ransom is paid. They have used tactics such as printing ransom notes on network printers and making threatening calls to victims.

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.
Initial Access

BianLian gains initial access through compromised Remote Desktop Protocol (RDP) credentials, often obtained from initial access brokers or via phishing campaigns. They also exploit vulnerabilities in remote access services.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.
Privilege Escalation

The group activates local administrator accounts and changes passwords to elevate privileges, enabling further exploitation of the network.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.
Defense Evasion

They disable antivirus tools and tamper protection features using PowerShell and Windows Command Shell, modifying the registry to avoid detection.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.
Credential Access

BianLian harvests credentials from the Local Security Authority Subsystem Service (LSASS) memory and searches for unsecured credentials on the local machine using various command-line tools.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.
Discovery

Utilizing tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle, BianLian conducts thorough network and active directory reconnaissance to identify valuable targets.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.
Lateral Movement

The group uses tools like PsExec and RDP with valid credentials to move laterally within the network, exploiting vulnerabilities such as the Netlogon vulnerability (CVE-2020-1472).

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
Collection

BianLian uses malware to enumerate registry and files, copying clipboard data to gather sensitive information for extortion.

A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.
Execution

They deploy custom backdoors and use legitimate remote access software (e.g., TeamViewer, Atera Agent) to maintain persistence and control over the compromised systems.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.
Exfiltration

Data is exfiltrated using File Transfer Protocol (FTP), Rclone, or Mega, with sensitive files being uploaded to cloud storage services for further leverage in extortion attempts.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.
Impact

The group shifts to data extortion by threatening to release exfiltrated data unless a ransom is paid. They have used tactics such as printing ransom notes on network printers and making threatening calls to victims.

MITRE ATT&CK Mapping

TTPs used by BianLian

BianLian employs various TTPs aligned with the MITRE ATT&CK framework. Some of the key TTPs include:

TA0001: Initial Access
T1566
Phishing
T1133
External Remote Services
T1078
Valid Accounts
TA0002: Execution
T1059
Command and Scripting Interpreter
TA0003: Persistence
T1136
Create Account
T1098
Account Manipulation
T1078
Valid Accounts
T1053
Scheduled Task/Job
TA0004: Privilege Escalation
T1078
Valid Accounts
T1053
Scheduled Task/Job
TA0005: Defense Evasion
T1112
Modify Registry
T1562
Impair Defenses
T1078
Valid Accounts
TA0006: Credential Access
T1552
Unsecured Credentials
T1003
OS Credential Dumping
TA0007: Discovery
T1482
Domain Trust Discovery
T1135
Network Share Discovery
T1087
Account Discovery
T1083
File and Directory Discovery
T1069
Permission Groups Discovery
T1046
Network Service Discovery
T1033
System Owner/User Discovery
T1018
Remote System Discovery
TA0008: Lateral Movement
T1021
Remote Services
TA0009: Collection
T1115
Clipboard Data
TA0011: Command and Control
T1219
Remote Access Software
T1105
Ingress Tool Transfer
TA0010: Exfiltration
T1567
Exfiltration Over Web Service
T1537
Transfer Data to Cloud Account
T1048
Exfiltration Over Alternative Protocol
TA0040: Impact
T1486
Data Encrypted for Impact
Platform Detections

How to Detect BianLian with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack:

FAQs

What is BianLian's primary method of gaining initial access?

BianLian primarily gains initial access through compromised RDP credentials, often obtained via phishing or from initial access brokers.

How does BianLian evade detection?

They disable antivirus tools and tamper protection features using PowerShell and modify the Windows Registry to avoid detection.

What are BianLian's main targets?

BianLian targets critical infrastructure sectors in the U.S. and private enterprises in Australia, including sectors like healthcare, financial services, and property development.

How does BianLian exfiltrate data?

BianLian exfiltrates data using FTP, Rclone, or Mega, uploading sensitive files to cloud storage services.

What changes did BianLian make to their extortion tactics in 2023?

In 2023, BianLian shifted from encrypting victims' systems to focusing on exfiltration-based extortion, threatening to release stolen data unless paid.

Which tools does BianLian use for network discovery?

They use tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle to identify valuable targets within a network.

How does BianLian escalate privileges within a network?

BianLian activates local administrator accounts and changes passwords to elevate privileges, facilitating further exploitation.

What methods does BianLian use for lateral movement?

BianLian uses PsExec and RDP with valid credentials for lateral movement across the network.

How can organizations protect against BianLian's tactics?

Implement strict controls on remote access tools, disable unnecessary services, enforce strong password policies, and ensure regular software updates and patches.

What role can XDR solutions play in defending against BianLian?

XDR solutions can help by providing comprehensive visibility and automated response capabilities, detecting and mitigating suspicious activities across endpoints, networks, and cloud environments.