CISA Updates BianLian Ransomware Advisory with Shift to Pure Data Extortion
New details from CISA provide further insights into the BianLian ransomware group. The update emphasizes a critical operational shift in their tactics, as 'BianLian shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024,' according to CISA and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). Additionally, the updated analysis notes that 'BianLian is a ransomware developer, deployer, and data extortion cybercriminal group, likely based in Russia, with multiple Russia-based affiliates.' These updates point to the evolving threat posed by the group and emphasize their focus on leveraging data exfiltration as the core of their extortion strategies. The group targets critical infrastructure sectors globally and applies relentless pressure on victims: 'BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies have also reported receiving threatening telephone calls from individuals associated with the BianLian group,' CISA reports.
BianLian employs a variety of tactics, techniques, and procedures (TTPs). Initial access typically comes through phishing campaigns and valid Remote Desktop Protocol (RDP) credentials purchased from initial access brokers. The updated findings also describe the group targeting public-facing Windows and ESXi infrastructure: operators have been observed exploiting the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and installing webshells on compromised Microsoft Exchange servers. Covert command and control (C2) is maintained through remote access software, Ngrok, and 'a modified version of the open-source Rsocks utility.' For privilege escalation, the group exploits vulnerabilities such as CVE-2022-37969 in the Windows Common Log File System Driver. Living-off-the-land binaries (LOLBins) such as the Windows Command Shell and PowerShell are used to disable monitoring and security services, and PowerShell scripts are frequently used for internal reconnaissance.
Native Windows commands are also used to enumerate systems and Active Directory, supplemented by reconnaissance tools such as Advanced Port Scanner and SoftPerfect Network Scanner. Credentials are harvested from LSASS memory, dumped from the Active Directory domain database (NTDS.dit) with Impacket's secretsdump.py, and recovered from saved sessions with SessionGopher. To maintain persistence, the group creates new user accounts, changes the passwords of those accounts, and adds them to the local Remote Desktop Users group; new accounts have also been added in Azure AD. Registry keys are modified to bypass user authentication for RDP and to disable protections for security monitoring services, including Sophos and Windows Defender.
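The account-creation sequence above (create a local account, set its password, add it to Remote Desktop Users) leaves a distinctive trail in the Windows Security log. As an added example that is not part of the CISA advisory or this article, the following Python correlates that trail: a 4720 (user account created) followed within a short window by a 4732 (member added to a security-enabled local group) whose target group is the well-known Remote Desktop Users SID S-1-5-32-555, with any 4724 (password reset) in between recorded as corroboration. The event records are constructed and simplified; the field names (SubjectUserName, TargetUserName, TargetSid, MemberSid) follow the real log, while the 30-minute window and the sample account SIDs are assumptions.

```python
"""Correlate the BianLian-style persistence sequence described in the advisory:
a local account is created (4720), its password is set (4724), and it is added
to the local Remote Desktop Users group (4732) within a short time window.

Added example, not code from the CISA advisory or this article. The input is a
constructed, simplified rendering of Windows Security events; field names
follow the real log, the 30-minute window is an assumed tuning value.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720            # A user account was created
EVENT_PASSWORD_RESET = 4724          # An attempt was made to reset an account's password
EVENT_LOCAL_GROUP_ADD = 4732         # A member was added to a security-enabled local group
REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users
DEFAULT_WINDOW = timedelta(minutes=30)     # assumed: tune to the environment

# Constructed sample telemetry (not real events). Account SIDs are made up.
SAMPLE_EVENTS = [
    # Suspicious chain on FS01: create, set password, grant RDP within seconds
    {"time": "2024-03-04T02:11:05", "EventID": 4720, "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TargetUserName": "support_tmp",
     "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"time": "2024-03-04T02:11:07", "EventID": 4724, "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TargetUserName": "support_tmp",
     "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"time": "2024-03-04T02:11:09", "EventID": 4732, "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Remote Desktop Users",
     "TargetSid": REMOTE_DESKTOP_USERS_SID, "MemberSid": "S-1-5-21-1-2-3-1105"},
    # Benign on WS22: helpdesk creates a user, RDP is granted three days later
    {"time": "2024-03-04T09:30:00", "EventID": 4720, "Computer": "WS22",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jsmith",
     "TargetSid": "S-1-5-21-1-2-3-1201"},
    {"time": "2024-03-07T10:00:00", "EventID": 4732, "Computer": "WS22",
     "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users",
     "TargetSid": REMOTE_DESKTOP_USERS_SID, "MemberSid": "S-1-5-21-1-2-3-1201"},
    # Benign on FS01: a pre-existing account is added to a different group
    {"time": "2024-03-04T02:12:00", "EventID": 4732, "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1-2-3-500"},
]


def detect_rdp_backdoor_accounts(events, window=DEFAULT_WINDOW):
    """Return one finding per (computer, account SID) where a 4720 is followed,
    within `window`, by a 4732 adding that same SID to Remote Desktop Users.
    A 4724 for the account in between is recorded as corroboration."""
    created = {}                        # (computer, account sid) -> 4720 event
    password_reset = defaultdict(bool)  # (computer, account sid) -> saw 4724
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["EventID"]
        if eid == EVENT_USER_CREATED:
            created[(ev["Computer"], ev["TargetSid"])] = ev
        elif eid == EVENT_PASSWORD_RESET:
            key = (ev["Computer"], ev["TargetSid"])
            if key in created:
                password_reset[key] = True
        elif eid == EVENT_LOCAL_GROUP_ADD and ev.get("TargetSid") == REMOTE_DESKTOP_USERS_SID:
            key = (ev["Computer"], ev.get("MemberSid"))
            creation = created.get(key)
            if creation is None:
                continue                # pre-existing account: outside this rule
            elapsed = (datetime.fromisoformat(ev["time"])
                       - datetime.fromisoformat(creation["time"]))
            if timedelta(0) <= elapsed <= window:
                findings.append({
                    "computer": ev["Computer"],
                    "account": creation["TargetUserName"],
                    "account_sid": key[1],
                    "actor": creation["SubjectUserName"],
                    "rdp_granted_by": ev["SubjectUserName"],
                    "password_reset": password_reset[key],
                    "seconds_to_rdp": elapsed.total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_backdoor_accounts(SAMPLE_EVENTS):
        print(f"[{f['computer']}] {f['actor']} created {f['account']} and granted RDP "
              f"{f['seconds_to_rdp']:.0f}s later (password set: {f['password_reset']})")
```

Run against the constructed sample, the rule flags only the FS01 chain; the WS22 account is created and granted RDP too far apart, and the Administrators change targets a different group. The rule only fires if the "Audit User Account Management" (4720, 4724) and "Audit Security Group Management" (4732) subcategories are enabled and forwarded, so a missing 4732 should be treated as a logging gap rather than as absence of activity.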
For lateral movement, BianLian relies on PsExec and RDP with valid accounts. The group has also created firewall rules to allow RDP and has exploited the ZeroLogon vulnerability (CVE-2020-1472). Data exfiltration is the priority: Rclone, the Mega cloud storage service, and FTP are used to move sensitive information off victim networks, with PowerShell scripts used to collect and compress files beforehand. 'According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files,' CISA warns. The stolen data is then used for extortion, with victims threatened with public exposure if they do not pay.