BianLian
BianLian is a ransomware group known for targeting critical infrastructure sectors through sophisticated data exfiltration and extortion techniques, initially employing a double-extortion model before shifting to pure data extortion.

The origin of BianLian
BianLian is a ransomware and data extortion group likely operating out of Russia, with multiple affiliates based in the same region. The group has been active since June 2022 and initially used a double-extortion model, combining data theft with file encryption. During 2023 it moved toward exfiltration-based extortion, and as of January 2024 it has fully shifted to an exfiltration-only model: the actors steal data and demand payment to prevent public disclosure, but no longer encrypt victims' systems. The group's name, a Chinese term, was likely chosen to mislead attribution by suggesting a Chinese rather than Russian origin.

Countries targeted by BianLian
The majority of BianLian's attacks are concentrated in the United States, which accounts for 57.8% of the attacks. Other significant targets include the United Kingdom (10.2%), Canada (6.8%), and India (4.8%). Additionally, countries like Australia, Sweden, Germany, and Austria have also been affected, albeit to a lesser extent. This distribution underscores the group's focus on developed nations with robust digital infrastructures and significant amounts of valuable data.

Industries targeted by BianLian
BianLian has shown a marked preference for certain industries, with the healthcare sector experiencing the highest number of attacks, followed by manufacturing, professional and legal services, high technology, and construction. Other notable targets include transportation and logistics, wholesale and retail, financial services, and education. This pattern highlights BianLian's focus on sectors that handle sensitive and critical data, making them prime targets for extortion and disruption.
Source: Palo Alto Networks Unit 42
BianLian's victims
BianLian has targeted more than 522 victims, including medium to large enterprises in the financial, healthcare, and property development sectors. Its pattern of leveraging compromised RDP credentials and exfiltrating sensitive data has caused significant financial and reputational damage to the affected organizations.

BianLian's attack method
BianLian gains access to networks through compromised Remote Desktop Protocol (RDP) credentials, obtained via phishing or purchased from initial access brokers. The group also exploits vulnerabilities in public-facing applications, notably the Microsoft Exchange ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

For privilege escalation on Windows systems they have exploited CVE-2022-37969, an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver, and they also activate local administrator accounts and change their passwords.

The group disables antivirus tools using PowerShell and Windows Registry modifications, including turning off Windows Defender and Sophos tamper protection. They also pack their malware with UPX to hinder analysis and signature-based detection.

BianLian actors steal credentials by dumping Local Security Authority Subsystem Service (LSASS) memory and by searching the file system for plaintext credentials stored in files.

Using tools like Advanced Port Scanner and SharpShares, they enumerate network services, shared folders, and domain accounts to map the target’s environment.

They use RDP, PsExec, and Server Message Block (SMB) connections for lateral movement within networks.

Sensitive data is identified, compressed, and encrypted before being staged for exfiltration.

Data is exfiltrated over FTP, with Rclone, or to the Mega cloud storage service. Unlike in their earlier operations, they no longer encrypt endpoint data.

BianLian’s operations culminate in extortion, where they threaten to publicly leak stolen data, leveraging the victim’s fear of reputational, financial, and legal consequences to demand ransom payments.
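The chain above (registry tampering with antivirus, LSASS access, PsExec, scanner execution, Rclone exfiltration) maps onto endpoint telemetry that most estates already collect. The following is an added example written for this page, not code from Vectra AI, CISA or the BianLian actors: it runs simple rules over a constructed stream of JSON events modelled on Sysmon event IDs 1 (process create), 10 (process access) and 13 (registry value set), then escalates any host on which several distinct stages of the chain fire. The field names, hostnames, users, file paths and the Sophos registry path are assumptions for the demo, not a vendor schema.

```python
"""Flag BianLian-style tradecraft in Windows endpoint telemetry.

Added example, not code from Vectra AI, CISA or the BianLian actors. Input is a
constructed stream of JSON lines modelled on Sysmon event IDs 1 (process
create), 10 (process access) and 13 (registry value set); the field names,
hosts, users and paths are assumptions for the demo, not a vendor schema.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry: fs01 shows the full chain described in the
# text, dc01 only a PsExec service, ws07 a benign-looking rclone run.
SAMPLE_EVENTS = r'''
{"id":1,"host":"fs01","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\svchost.exe","cmd":"svchost.exe -k netsvcs"}
{"id":13,"host":"fs01","user":"CORP\\jsmith","target":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware","details":"DWORD (0x00000001)"}
{"id":13,"host":"fs01","user":"CORP\\jsmith","target":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SAVService\\Start","details":"DWORD (0x00000004)"}
{"id":1,"host":"fs01","user":"CORP\\jsmith","image":"C:\\Temp\\advanced_port_scanner.exe","cmd":"advanced_port_scanner.exe"}
{"id":10,"host":"fs01","user":"CORP\\jsmith","source_image":"C:\\Temp\\p.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}
{"id":1,"host":"dc01","user":"CORP\\svc_backup","image":"C:\\Windows\\PSEXESVC.exe","cmd":"PSEXESVC.exe"}
{"id":1,"host":"fs01","user":"CORP\\jsmith","image":"C:\\Temp\\rclone.exe","cmd":"rclone.exe copy D:\\Finance mega:backup --transfers 32"}
{"id":1,"host":"ws07","user":"CORP\\alice","image":"C:\\Program Files\\Rclone\\rclone.exe","cmd":"rclone.exe sync C:\\Users\\alice\\Docs onedrive:Docs"}
'''

# Registry values whose modification disables Defender or Sophos components.
# The Sophos service path is an assumption; exact key names vary by version.
AV_TAMPER_KEYS = re.compile(
    r"\\Windows Defender\\(Real-Time Protection\\)?Disable\w+$"
    r"|\\Services\\(SAVService|Sophos[^\\]*)\\Start$",
    re.IGNORECASE,
)
# Processes that legitimately open LSASS with read access (tune per estate).
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010
DISCOVERY_TOOLS = {"advanced_port_scanner.exe", "sharpshares.exe", "netscan.exe", "pingcastle.exe"}
# Remotes the text names for exfiltration; any other rclone remote is still worth a look.
EXFIL_REMOTE = re.compile(r"\b(mega|ftp)\w*:", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return a list of alert dicts for one event (empty if nothing matched)."""
    alerts = []

    def hit(stage, rule, severity, evidence):
        alerts.append({"host": ev["host"], "user": ev["user"], "stage": stage,
                       "rule": rule, "severity": severity, "evidence": evidence})

    if ev["id"] == 13 and AV_TAMPER_KEYS.search(ev["target"]):
        hit("defense_evasion", "av_tamper_registry", "high", ev["target"])
    elif ev["id"] == 10 and basename(ev["target_image"]) == "lsass.exe":
        reader = basename(ev["source_image"])
        if reader not in LSASS_READERS_ALLOWED and int(ev["granted_access"], 16) & PROCESS_VM_READ:
            hit("credential_access", "lsass_memory_read", "high", ev["source_image"])
    elif ev["id"] == 1:
        image = basename(ev["image"])
        if image == "psexesvc.exe":
            hit("lateral_movement", "psexec_service", "medium", ev["cmd"])
        elif image in DISCOVERY_TOOLS:
            hit("discovery", "scanner_execution", "medium", ev["image"])
        elif image == "rclone.exe":
            sev = "high" if EXFIL_REMOTE.search(ev["cmd"]) else "medium"
            hit("exfiltration", "rclone_execution", sev, ev["cmd"])
    return alerts


def scan(jsonl):
    """Run every non-empty JSON line through evaluate() and collect alerts."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


def hosts_with_chain(alerts, min_stages=3):
    """Hosts on which at least min_stages distinct kill-chain stages fired.

    A lone rclone run or PsExec service is noisy; the same host tampering with
    AV, reading LSASS and then running rclone is the pattern the text describes
    and is what should be escalated.
    """
    stages = defaultdict(set)
    for a in alerts:
        stages[a["host"]].add(a["stage"])
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:5} {a['severity']:6} {a['stage']:18} {a['rule']:22} {a['evidence']}")
    print("escalate:", hosts_with_chain(found))
```

Run as a script it prints one line per alert and then the hosts to escalate; on the sample data only fs01 crosses the three-stage threshold, while dc01 (PsExec alone) and ws07 (rclone to a non-Mega remote) remain single medium alerts for triage. The LSASS rule deliberately checks the granted access mask for PROCESS_VM_READ rather than alerting on any handle, and the allowlist of legitimate LSASS readers is the place to tune against the EDR and system processes in a given estate.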

TTPs used by BianLian
How to Detect BianLian with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack:
FAQs
What is BianLian's primary method of gaining initial access?
BianLian primarily gains initial access through compromised RDP credentials, often obtained via phishing or from initial access brokers.
How does BianLian evade detection?
They disable antivirus tools and tamper-protection features using PowerShell and Windows Registry modifications, and pack their malware with UPX to hinder analysis.
What are BianLian's main targets?
BianLian targets critical infrastructure sectors in the U.S. and private enterprises in Australia, including sectors like healthcare, financial services, and property development.
How does BianLian exfiltrate data?
BianLian exfiltrates data over FTP, with Rclone, or by uploading sensitive files to the Mega cloud storage service.
What changes did BianLian make to their extortion tactics in 2023?
During 2023 BianLian moved away from encrypting victims' systems toward exfiltration-based extortion, threatening to release stolen data unless paid; as of January 2024 the group no longer encrypts at all.
Which tools does BianLian use for network discovery?
They use tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle to identify valuable targets within a network.
How does BianLian escalate privileges within a network?
BianLian activates local administrator accounts and changes their passwords to elevate privileges, and has exploited CVE-2022-37969 on Windows systems for the same purpose.
What methods does BianLian use for lateral movement?
BianLian uses PsExec, RDP, and SMB connections with valid credentials for lateral movement across the network.
How can organizations protect against BianLian's tactics?
Implement strict controls on remote access tools, RDP in particular (restrict exposure, require multifactor authentication, and monitor logons), disable unnecessary services, enforce strong password policies, and keep software updated and patched, including for the Exchange and Windows vulnerabilities the group has exploited.
What role can XDR solutions play in defending against BianLian?
XDR solutions can help by providing comprehensive visibility and automated response capabilities, detecting and mitigating suspicious activities across endpoints, networks, and cloud environments.