BianLian is a cybercriminal group that deals in data extortion using ransomware
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory to provide information on the BianLian ransomware and data extortion group. This advisory is part of the ongoing #StopRansomware effort, which aims to help organizations defend against ransomware attacks by sharing advisories detailing different ransomware variants and threat actors.
BianLian is a cybercriminal group that develops, deploys, and conducts data extortion using ransomware. Since June 2022, they have targeted organizations in critical infrastructure sectors in the United States and Australia, as well as professional services and property development sectors. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials and uses open-source tools and command-line scripting for reconnaissance and credential harvesting. They exfiltrate victim data using File Transfer Protocol (FTP), Rclone, or Mega. The BianLian group then extorts money by threatening to release the stolen data unless a ransom is paid. Initially, they employed a double-extortion model where they encrypted victims’ systems after exfiltrating the data, but they have since shifted primarily to exfiltration-based extortion.
The advisory includes known tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) associated with the BianLian ransomware and data extortion group. It encourages critical infrastructure organizations, as well as small- and medium-sized organizations, to implement the mitigation recommendations provided in the advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.
For more information on BianLian and other ransomware threats, as well as access to no-cost resources, organizations can visit the stopransomware.gov website and review the #StopRansomware advisories.
