May 17, 2023updated 18 May 2023 10:13am

BianLian ransomware gang changes tactics as it targets US and Australia

The gang has recently stopped encrypting data, opting to concentrate its efforts solely on extortion, law enforcement agencies say.

By Claudia Glover

Security agencies in the US and Australia are warning businesses to beware of ransomware gang BianLian. The FBI and the Australian Cyber Security Centre (ACSC) say the gang has been known to target critical national infrastructure.

The FBI and the ACSC release a joint advisory warning against data extortion gang BianLian. (Photo by Dzelat/Shutterstock)

The FBI and the ACSC have released a joint advisory to make businesses aware of the danger posed by BianLian, “a ransomware developer, destroyer and data extortion cybercriminal group that has targeted organisations in multiple US critical infrastructure sectors since June 2022”.

BianLian targets critical national infrastructure

Critical national infrastructure in both the US and Australia has been targeted, the alert says. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone or Mega.

BianLian gang members then extort money by threatening to release the data if payment is not made. The advisory notes that the gang has stopped using the double extortion model, in which data is stolen before it is encrypted so that the gang can threaten to release sensitive data as well as charge for the decryption key.

Instead, the group switched to primarily exfiltrating sensitive data around January 2023.

Hüseyin Can Yuceel, a security researcher at Picus Security, told Tech Monitor that BianLian is not the only ransomware gang engaged in encryption-less ransomware:

“We observed a significant rise in encryption-less extortion attacks that only rely on the exfiltration of sensitive data,” he says. “Although these attacks do not leverage the power of cryptographic encryption algorithms, they still pose significant risks to organisations,” he explains. “In encryption-less extortion attacks, threat actors steal their victims’ confidential data and threaten to disclose stolen data unless the demanded ransom is paid.”


How to combat BianLian

The FBI, US cybersecurity agency CISA and the ACSC encourage critical infrastructure providers and small businesses to audit the remote access tools on their networks to identify which software is currently in use and which is authorised. They also say organisations should review logs for execution of remote access software, to detect abnormal use of such programs running as a portable executable.

To further protect themselves, companies should deploy security software that detects instances of remote access software being loaded only in memory. They could also restrict remote access tools to use from within their own network, over approved remote access paths such as virtual private networks or virtual desktop interfaces, the advisory suggests.
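The audit and log-review steps above lend themselves to a small script. The following is an added example, not code from the advisory or from Tech Monitor: it reads constructed process-execution log lines, compares any remote access tool it sees against an authorised list of (name, installed path) pairs, and flags copies that run from user-writable folders, which is where a portable executable typically lands. The tool names, the authorised path and the log lines are assumptions made up for the example, and the in-memory-loading detection mentioned by the advisory is out of scope here, since it needs endpoint telemetry rather than execution logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed inventory: remote access tool binaries to look for (illustrative names,
# not taken from the advisory) and the copies the organisation has sanctioned.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "atera.exe"}
AUTHORISED = {("anydesk.exe", r"c:\program files\anydesk\anydesk.exe")}

# User-writable locations a portable copy is likely to be executed from.
PORTABLE_DIR_PATTERN = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|appdata|desktop)\\", re.IGNORECASE
)

# Constructed sample log in a simple key=value layout (not real telemetry).
SAMPLE_LOG = """\
2023-05-17T10:01:02Z host=ws01 user=alice image=C:\\Program Files\\AnyDesk\\AnyDesk.exe
2023-05-17T10:05:44Z host=ws07 user=bob image=C:\\Users\\bob\\Downloads\\AnyDesk.exe
2023-05-17T10:07:10Z host=srv02 user=svc image=C:\\Users\\svc\\AppData\\Local\\Temp\\rustdesk.exe
2023-05-17T10:09:00Z host=ws03 user=carol image=C:\\Windows\\System32\\notepad.exe
"""

LINE_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, user, image path) from one log line, or None if it does not parse."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    return m.group("host"), m.group("user"), m.group("image")


def review(log_text: str) -> List[Finding]:
    """Flag remote access tools that are unauthorised or run as portable copies."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, user, image = rec
        name = image.rsplit("\\", 1)[-1].lower()
        if name not in REMOTE_ACCESS_TOOLS:
            continue  # only remote access software is in scope for this audit
        reasons = []
        if (name, image.lower()) not in AUTHORISED:
            reasons.append("remote access tool not on the authorised list")
        if PORTABLE_DIR_PATTERN.match(image):
            reasons.append("executed from a user-writable directory (portable copy)")
        if reasons:
            findings.append(Finding(host, user, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.host} {f.user} {f.image}: {f.reason}")
```

Run as-is, the script reports the AnyDesk copy in bob's Downloads folder and the RustDesk binary in a Temp directory, while the sanctioned AnyDesk install on ws01 and the unrelated notepad.exe produce nothing. In practice the inventory and authorised set come from the audit the advisory recommends, and the log source would be whatever process-creation telemetry the organisation already collects.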

