BianLian is a ransomware group known for targeting critical infrastructure sectors through sophisticated data exfiltration and extortion techniques, initially employing a double-extortion model before shifting to pure data extortion.
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has been active since June 2022. Initially, they employed a double-extortion model, encrypting victims’ systems and exfiltrating data. However, around January 2023, they shifted to primarily exfiltration-based extortion, where they steal data and threaten to release it unless a ransom is paid. The group has targeted organizations in multiple U.S. critical infrastructure sectors and private enterprises in Australia.
The majority of BianLian's attacks are concentrated in the United States, which accounts for 57.8% of the attacks. Other significant targets include the United Kingdom (10.2%), Canada (6.8%), and India (4.8%). Additionally, countries like Australia, Sweden, Germany, and Austria have also been affected, albeit to a lesser extent. This distribution underscores the group's focus on developed nations with robust digital infrastructures and significant amounts of valuable data.
Source: SOCRadar
BianLian has shown a marked preference for certain industries, with the healthcare sector experiencing the highest number of attacks, followed by manufacturing, professional and legal services, high technology, and construction. Other notable targets include transportation and logistics, wholesale and retail, financial services, and education. This pattern highlights BianLian's focus on sectors that handle sensitive and critical data, making them prime targets for extortion and disruption.
Source: Palo Alto's Unit 42
BianLian targeted more than 425 victims including medium to large enterprises in the financial, healthcare, and property development sectors. The group's methodology of leveraging compromised RDP credentials and exfiltrating sensitive data has led to significant financial and reputational damage for the affected organizations.
Source: Ransomware.live
BianLian gains initial access through compromised Remote Desktop Protocol (RDP) credentials, often obtained from initial access brokers or via phishing campaigns. They also exploit vulnerabilities in remote access services.
The group activates local administrator accounts and changes passwords to elevate privileges, enabling further exploitation of the network.
They disable antivirus tools and tamper protection features using PowerShell and Windows Command Shell, modifying the registry to avoid detection.
BianLian harvests credentials from the Local Security Authority Subsystem Service (LSASS) memory and searches for unsecured credentials on the local machine using various command-line tools.
Utilizing tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle, BianLian conducts thorough network and Active Directory reconnaissance to identify valuable targets.
The group uses tools like PsExec and RDP with valid credentials to move laterally within the network, exploiting vulnerabilities such as Netlogon (CVE-2020-1472).
BianLian uses malware to enumerate the registry and file system and to copy clipboard data, gathering sensitive information for extortion.
They deploy custom backdoors and use legitimate remote access software (e.g., TeamViewer, Atera Agent) to maintain persistence and control over the compromised systems.
Data is exfiltrated using File Transfer Protocol (FTP), Rclone, or Mega, with sensitive files being uploaded to cloud storage services for further leverage in extortion attempts.
The group shifts to data extortion by threatening to release exfiltrated data unless a ransom is paid. They have used tactics such as printing ransom notes on network printers and making threatening calls to victims.
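The attack chain above leaves host-level traces that a defender can correlate. The following is an added example (not Vectra or BianLian code) that runs simple detection logic over constructed Windows event records: Sysmon registry writes to Defender keys, a local admin account being enabled and then having its password reset, a PsExec service install, and Rclone/Mega execution. Event IDs, registry paths and hostnames are assumptions for the sample; the records are simplified dicts, not real log output.

```python
"""Toy detector for the BianLian-style host activity described above.

Added example, not code from the page or the actors it describes. It scans
constructed Windows event records (simplified dicts) for the TTPs listed:
Defender registry tampering (Sysmon 13), local admin enabled then reset
(Security 4722 -> 4724), PsExec service install (System 7045), and
Rclone/Mega tooling execution (Security 4688).
"""
from collections import defaultdict

# Registry values whose modification the profile associates with AV evasion.
DEFENDER_KEYS = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
)
EXFIL_TOOLS = ("rclone.exe", "megasync.exe", "megacmd.exe")


def detect(events):
    """Return a sorted list of (host, finding) tuples for the given events."""
    findings = set()
    enabled = defaultdict(set)  # host -> accounts enabled via 4722
    for e in events:
        host, eid = e["host"], e["event_id"]
        if eid == 13 and e.get("target", "").lower() in (k.lower() for k in DEFENDER_KEYS):
            findings.add((host, "defense-evasion: Defender registry tamper"))
        elif eid == 4722:
            enabled[host].add(e["account"].lower())
        elif eid == 4724 and e["account"].lower() in enabled[host]:
            # Password reset alone is routine; reset of a just-enabled account is not.
            findings.add((host, "privilege-escalation: local admin enabled + password reset"))
        elif eid == 7045 and "psexesvc" in e.get("service", "").lower():
            findings.add((host, "lateral-movement: PsExec service install"))
        elif eid == 4688 and e.get("image", "").lower().rsplit("\\", 1)[-1] in EXFIL_TOOLS:
            findings.add((host, "exfiltration: Rclone/Mega tooling executed"))
    return sorted(findings)


# Constructed sample events (hostnames and accounts are made up).
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 13, "target": DEFENDER_KEYS[0], "value": 1},
    {"host": "FS01", "event_id": 4722, "account": "Administrator"},
    {"host": "FS01", "event_id": 4724, "account": "Administrator"},
    {"host": "WS07", "event_id": 4724, "account": "jsmith"},  # reset alone: benign
    {"host": "FS01", "event_id": 7045, "service": "PSEXESVC"},
    {"host": "FS01", "event_id": 4688, "image": r"C:\Users\Public\rclone.exe"},
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```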
BianLian employs various TTPs aligned with the MITRE ATT&CK framework. Some of the key TTPs include:
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack:
BianLian primarily gains initial access through compromised RDP credentials, often obtained via phishing or from initial access brokers.
They disable antivirus tools and tamper protection features using PowerShell and modify the Windows Registry to avoid detection.
BianLian targets critical infrastructure sectors in the U.S. and private enterprises in Australia, including sectors like healthcare, financial services, and property development.
BianLian exfiltrates data using FTP, Rclone, or Mega, uploading sensitive files to cloud storage services.
In 2023, BianLian shifted from encrypting victims' systems to focusing on exfiltration-based extortion, threatening to release stolen data unless paid.
They use tools like Advanced Port Scanner, SoftPerfect Network Scanner, and PingCastle to identify valuable targets within a network.
BianLian activates local administrator accounts and changes passwords to elevate privileges, facilitating further exploitation.
BianLian uses PsExec and RDP with valid credentials for lateral movement across the network.
Implement strict controls on remote access tools, disable unnecessary services, enforce strong password policies, and ensure regular software updates and patches.
XDR solutions can help by providing comprehensive visibility and automated response capabilities, detecting and mitigating suspicious activities across endpoints, networks, and cloud environments.