Article Details

Original Article Text


CISA says BianLian ransomware now focuses only on data theft.

The BianLian ransomware operation has shifted its tactics, becoming primarily a data theft extortion group, according to an updated advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre (ACSC).

This new information comes in an update to a joint advisory released in May 2023 by the same agencies, which warned about BianLian's shifting tactics involving the use of stolen Remote Desktop Protocol (RDP) credentials, custom Go-based backdoors, commercial remote access tools, and targeted Windows Registry modifications.

At the time, BianLian had started a switch to data theft extortion, gradually abandoning file encryption, especially after Avast released a decryptor for the family in January 2023.

While BleepingComputer knows of BianLian attacks using encryption towards the end of 2023, the updated advisory says the threat group has shifted exclusively to data extortion since January 2024.

"BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024," reads CISA's updated advisory.

Another point highlighted in the advisory is that BianLian now attempts to obscure its origin by using foreign-language names. However, the intelligence agencies are confident the primary operators and multiple affiliates are based in Russia.

The advisory has also been updated with the ransomware gang's new tactics, techniques, and procedures (TTPs):

Based on the above, CISA recommends strictly limiting the use of RDP, disabling command-line and scripting permissions, and restricting the use of PowerShell on Windows systems.

BianLian's latest activity

Active since 2022, BianLian ransomware has had a prolific year so far, listing 154 victims on its extortion portal on the dark web.

Though most of the victims are small to medium-sized organizations, BianLian has had some notable breaches recently, including those against Air Canada, Northern Minerals, and the Boston Children's Health Physicians.

The threat group has also recently announced breaches against a global Japanese sportswear manufacturer, a prominent Texas clinic, a global mining group, an international financial advisory, and a major dermatology practice in the U.S., but those have not been confirmed yet.
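The three host-level controls CISA recommends above (limit RDP, restrict command-line and scripting, constrain PowerShell) map to a handful of concrete Windows settings. The script below is an added example written for this page; it is not code from the BleepingComputer article or from the CISA/FBI/ACSC advisory, and the advisory itself does not prescribe these exact values. It audits the settings by default and applies them with `-Mode Enforce`. Assumptions: it runs in an elevated PowerShell 5.1+ session on Windows 10/11 or Server 2016+, the script name and the `10.20.0.0/24` jump-host subnet are illustrative, and the `DisableCMD` policy is a user-scope setting that would normally be pushed by Group Policy rather than set per host.

```powershell
<#
  Added example, not code from the article or the CISA/FBI/ACSC advisory.
  Audits (default) or enforces host settings matching the advisory's three
  recommendations: limit RDP, restrict command-line/scripting, constrain PowerShell.
  Assumes an elevated PowerShell 5.1+ session. 10.20.0.0/24 is an illustrative
  management subnet, not a value from the advisory.
#>
param(
    [ValidateSet('Audit', 'Enforce')]
    [string]$Mode = 'Audit',
    [string[]]$RdpAllowedSources = @('10.20.0.0/24')   # assumed jump-host subnet
)

$RdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PsPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$UserSys = 'HKCU:\Software\Policies\Microsoft\Windows\System'   # user-scope policy, normally via GPO

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Desired registry state. UserAuthentication 1 = require Network Level Authentication;
# MinEncryptionLevel 3 = High; EnableScriptBlockLogging 1 = log script blocks (Event ID 4104);
# DisableCMD 2 = block interactive cmd.exe while still allowing batch logon scripts.
$Checks = @(
    @{ Id = 'RDP-NLA';    Path = $RdpTcp;                      Name = 'UserAuthentication';       Want = 1 },
    @{ Id = 'RDP-MinEnc'; Path = $RdpTcp;                      Name = 'MinEncryptionLevel';       Want = 3 },
    @{ Id = 'PS-SBL';     Path = "$PsPol\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Want = 1 },
    @{ Id = 'CMD-Deny';   Path = $UserSys;                     Name = 'DisableCMD';               Want = 2 }
)

# 'Found' is the value present before any enforcement.
$Results = foreach ($c in $Checks) {
    $have = Get-RegValue $c.Path $c.Name
    $ok   = ($have -eq $c.Want)
    if (-not $ok -and $Mode -eq 'Enforce') { Set-RegDword $c.Path $c.Name $c.Want; $ok = $true }
    [pscustomobject]@{ Check = $c.Id; Compliant = $ok; Found = $have; Expected = $c.Want }
}

# RDP exposure: inbound "Remote Desktop" rules whose remote scope is 'Any' accept every source.
$rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue)
$scope    = @($rdpRules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }) | Sort-Object -Unique
$scopeOk  = ($rdpRules.Count -gt 0) -and ($scope -notcontains 'Any')
if (-not $scopeOk -and $Mode -eq 'Enforce' -and $rdpRules.Count -gt 0) {
    $rdpRules | Set-NetFirewallRule -RemoteAddress $RdpAllowedSources
    $scopeOk = $true
}
$Results += [pscustomobject]@{ Check = 'RDP-FWScope'; Compliant = $scopeOk
                               Found = ($scope -join ','); Expected = ($RdpAllowedSources -join ',') }

# The PowerShell 2.0 engine has no script block logging; leaving it installed lets an
# attacker downgrade with "powershell -Version 2" and run unlogged.
$v2   = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
$v2Ok = ($null -eq $v2) -or ($v2.State -ne 'Enabled')
if (-not $v2Ok -and $Mode -eq 'Enforce') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    $v2Ok = $true
}
$Results += [pscustomobject]@{ Check = 'PS-NoV2'; Compliant = $v2Ok
                               Found = $(if ($v2) { $v2.State } else { 'Absent' }); Expected = 'Disabled' }

$Results | Format-Table -AutoSize
if ($Results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it first as `.\Harden-RdpAndPowerShell.ps1` (audit only; non-zero exit means at least one control is missing), then with `-Mode Enforce` on a test host before rolling out. Two caveats a practitioner should keep in mind: on Windows Server the v2 engine is removed with `Remove-WindowsFeature PowerShell-V2` rather than the optional-feature cmdlet, and a registry policy like `DisableCMD` is only a minimal stand-in for the "disable command-line and scripting permissions" recommendation; the robust way to do that is an AppLocker or WDAC script rule set, and neither of those replaces MFA on the RDP path, which is what stolen RDP credentials actually defeat.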

Daily Brief Summary

MALWARE // BianLian Ransomware Shifts Focus from Encryption to Data Theft

The BianLian ransomware operation, known for its use of double-extortion tactics, has now primarily shifted to data theft extortion.

Originally, BianLian encrypted victims' systems after exfiltrating their data; it shifted primarily to exfiltration-only extortion around January 2023 and dropped encryption entirely around January 2024.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA), FBI, and Australian Cyber Security Centre have updated their advisory on BianLian's latest tactics, which now rely exclusively on data theft extortion.

The advisory notes BianLian's methods of obscuring their origin, such as using foreign-language names, though agencies believe the core operators and affiliates are based in Russia.

Recommendations from CISA to counter the threat include limiting the use of Remote Desktop Protocol (RDP), disabling command-line/scripting permissions, and restricting PowerShell use.

BianLian has been active since 2022 and has listed 154 victims on its extortion portal, predominantly targeting small to medium-sized organizations.

Recent breaches attributed to BianLian include high-profile victims such as Air Canada, Northern Minerals, and Boston Children's Health Physicians, with several other prominent cases currently unconfirmed.