Security agencies in the US and Australia are warning businesses to beware of ransomware gang BianLian. The FBI and the Australian Cyber Security Centre (ACSC) say the gang has been known to target critical national infrastructure.
The FBI and the ACSC have released a joint advisory to make businesses aware of the danger posed by BianLian, “a ransomware developer, destroyer and data extortion cybercriminal group that has targeted organisations in multiple US critical infrastructure sectors since June 2022”.
BianLian targets critical national infrastructure
Both US and Australian critical national infrastructure has been targeted, the alert says. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega.
BianLian gang members then extort money by threatening to release the data if payment is not made. The advisory notes that the gang has stopped using the double extortion model, in which data is stolen before it is encrypted so that the gang can threaten to release the sensitive data as well as charge for the decryption key.
Instead, the group switched to primarily exfiltrating sensitive data around January 2023.
Hüseyin Can Yuceel, a security researcher at Picus Security, told Tech Monitor that BianLian is not the only ransomware gang engaged in encryption-less ransomware:
“We observed a significant rise in encryption-less extortion attacks that rely only on the exfiltration of sensitive data,” he says. “Although these attacks do not leverage the power of cryptographic encryption algorithms, they still pose significant risks to organisations,” he explains. “In encryption-less extortion attacks, threat actors steal their victims’ confidential data and threaten to disclose stolen data unless the demanded ransom is paid.”
How to combat BianLian
The FBI, US cybersecurity agency CISA, and the ACSC encourage critical infrastructure providers and small businesses to audit the remote access tools on their networks to identify which software is currently in use and/or authorised. They also say organisations should review logs for execution of remote access software, to detect abnormal use of such programs running as a portable executable.
To further protect themselves, companies should deploy security software that detects instances of remote access software being loaded only in memory. They should also require that authorised remote access solutions be used only from within their network, over approved remote access channels such as virtual private networks or virtual desktop interfaces, the advisory suggests.
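One way to implement the log review the agencies describe, as an added example in Python (not code from the advisory or from Tech Monitor): it scans constructed process-creation log lines for known remote access tool binaries, flags any tool not on a hypothetical allow-list, and flags an approved tool launched from outside its installed location, which is how a portable copy typically shows up. The tool names, paths and log format are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Remote access tool binaries to audit (assumed names for the example, not a list from the advisory).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "atera.exe", "splashtop.exe", "rustdesk.exe"}
# Hypothetical organisation allow-list: approved tool -> directory it is installed in.
APPROVED = {"teamviewer.exe": "c:\\program files\\teamviewer\\"}
# Locations a portable (unpacked, unregistered) executable is typically launched from.
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\", "c:\\programdata\\")

@dataclass
class Finding:
    host: str
    user: str
    image: str
    reason: str

# Constructed process-creation log lines in a simple key=value layout (not a real product's schema).
SAMPLE_LOG = """\
ts=2023-05-16T08:01:10Z host=ws01 user=alice image=C:\\Program Files\\TeamViewer\\TeamViewer.exe
ts=2023-05-16T08:05:42Z host=ws01 user=alice image=C:\\Users\\alice\\Downloads\\AnyDesk.exe
ts=2023-05-16T08:07:03Z host=fs02 user=svc_backup image=C:\\Windows\\Temp\\tv\\TeamViewer.exe
ts=2023-05-16T08:09:55Z host=ws03 user=bob image=C:\\Windows\\System32\\notepad.exe
"""

LINE_RE = re.compile(r"host=(\S+) user=(\S+) image=(.+)$")

def audit_line(line):
    """Return a Finding for one log line, or None if the line is not of interest."""
    m = LINE_RE.search(line)
    if not m:
        return None
    host, user, image = m.groups()
    image_l = image.lower()
    exe = image_l.rsplit("\\", 1)[-1]
    if exe not in REMOTE_ACCESS_TOOLS:
        return None  # not a remote access tool, nothing to audit
    if exe not in APPROVED:
        return Finding(host, user, image, "unauthorised remote access tool")
    if not image_l.startswith(APPROVED[exe]):
        where = "user-writable path" if image_l.startswith(USER_WRITABLE) else "unexpected path"
        return Finding(host, user, image, f"approved tool run as portable executable from {where}")
    return None  # approved tool running from its installed location

def audit_log(text):
    """Audit every line of a log and return the list of findings in log order."""
    return [f for f in (audit_line(line) for line in text.splitlines()) if f]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.reason} ({f.image})")
```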