Friday, November 22, 2024

BianLian Cyber Gang Shifts to Exfiltration-Based Extortion

The Australian Cyber Security Centre (ACSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have just released new intelligence about the BianLian ransomware gang. They have observed a significant shift in how the group operates, particularly in its tactics and strategies.

BianLian emerged around the same time as LockBit in 2022, as the cyber realm changed following the fall of the Conti group. Despite its Chinese name, evidence suggests that BianLian is likely based in Russia, possibly as a cover. The group has gained notoriety for targeting critical national infrastructure in Australia, the U.S., and even the UK.

Typically, BianLian gains access by stealing valid Remote Desktop Protocol (RDP) credentials and then exfiltrates victim data. Historically, the group used the double extortion method: encrypting files and threatening to leak data if the ransom wasn't paid. But in 2023, they switched to a different approach called exfiltration-based extortion. Instead of encrypting files, they leave systems intact and rely on the stolen data alone, warning victims of serious financial, business, and legal repercussions if they don't pay up. This shift simplifies their operations and requires less technical effort, and since January 2024 they have used this method exclusively.

The ACSC encourages organizations, especially those in critical infrastructure and small- to medium-sized businesses, to follow its recommendations to mitigate the risks posed by BianLian and other ransomware actors.

As for their new tactics, BianLian has abandoned traditional ransomware lockers and updated its ransom notes accordingly. The group has ramped up pressure tactics too: it now sends ransom notes directly to victim company printers and makes threatening phone calls to employees. Its initial-access methods have also been updated. BianLian specifically targets public-facing applications on Microsoft Windows and VMware ESXi, using the ProxyShell exploit chain for initial access in addition to stolen RDP credentials.

Once inside, the group can now implant a custom backdoor written in Go, which it uses to install remote management software such as AnyDesk and TeamViewer for ongoing access. It also uses tools such as Ngrok and modified open-source utilities to tunnel and hide its command-and-control traffic.

BianLian has been observed exploiting CVE-2022-37969, a vulnerability fixed in Microsoft's September 2022 Patch Tuesday release, which grants admin-level rights and so increases the group's control within the victim's environment. Historically they disabled antivirus tools using PowerShell, but they are now also renaming binaries and scheduled tasks after legitimate services to avoid detection, and packing executables to make detection harder.
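The masquerading described above (scheduled tasks and binaries named after legitimate Windows or vendor components, but launched from user-writable paths) is something defenders can triage directly from scheduled-task creation records. The script below is an added example written for this article, not code from the ACSC/CISA advisory: it models each task as a name plus the command its action runs (the fields a Windows Security event 4698 carries inside its task XML), and flags the combinations a renamed-binary technique produces. The sample tasks, keyword lists and directory lists are constructed assumptions to illustrate the check, not indicators from the advisory.

```python
# Triage scheduled-task records for masquerading: vendor-style task names,
# system-binary names, or executables living in user-writable directories.
# Sample data below is constructed for illustration only.

# Constructed task records (task name + the executable its action launches).
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": "C:\\Windows\\System32\\sc.exe"},
    {"name": "\\Microsoft\\Windows\\Defender\\Health Check",
     "command": "C:\\Users\\Public\\svchost.exe"},
    {"name": "\\OneDrive Standalone Update Task",
     "command": "C:\\ProgramData\\svchost.exe"},
    {"name": "\\Backup\\NightlyJob",
     "command": "\"C:\\Program Files\\Backup\\backup.exe\""},
    {"name": "\\Cleanup",
     "command": "C:\\Windows\\Temp\\cleanup.exe"},
]

# Words that make a task name look like a Microsoft or vendor component (assumed list).
LOOKALIKE_WORDS = ("microsoft", "windows", "defender", "update", "onedrive", "google", "adobe")
# Binary names that only belong in System32/SysWOW64 (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# Directories a low-privileged user can write to (assumed list).
UNTRUSTED_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\",
                  "\\temp\\", "c:\\perflogs\\")


def executable_path(command: str) -> str:
    """Return the lower-cased executable path, handling a quoted path."""
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return (c[1:end] if end > 0 else c[1:]).lower()
    return c.split(" ", 1)[0].lower()


def triage_task(name: str, command: str) -> list:
    """Return a list of reasons the task looks like masquerading (empty = clean)."""
    path = executable_path(command)
    exe = path.rsplit("\\", 1)[-1]
    reasons = []
    if exe in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {exe} outside System32")
    if any(d in path for d in UNTRUSTED_DIRS):
        reasons.append("executable in user-writable directory")
    if any(w in name.lower() for w in LOOKALIKE_WORDS) and not path.startswith(TRUSTED_DIRS):
        reasons.append("vendor-style task name but untrusted binary path")
    return reasons


def scan_tasks(tasks: list) -> dict:
    """Map each suspicious task name to its reasons; clean tasks are omitted."""
    findings = {}
    for task in tasks:
        reasons = triage_task(task["name"], task["command"])
        if reasons:
            findings[task["name"]] = reasons
    return findings


if __name__ == "__main__":
    for task_name, why in scan_tasks(SAMPLE_TASKS).items():
        print(task_name)
        for r in why:
            print("   -", r)
```

Run stand-alone, the script flags the Defender, OneDrive and Cleanup tasks and leaves the genuine Windows Update and Backup entries alone. In practice the same rule is fed from the task XML in event 4698 or from an inventory of the Tasks folder, and the allow/deny lists are tuned to the estate's actual software paths.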

For persistence and lateral movement, BianLian has been caught using PsExec and RDP with valid accounts, along with the SMB protocol and webshells on Exchange servers, and even creating Azure Active Directory accounts to facilitate further movement.
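Because the group moves with valid accounts over RDP and then creates new accounts or scheduled tasks, a useful detection is the sequence rather than any single event. The script below is an added example for this article (not from the advisory): it correlates constructed records modelled on Windows Security events 4624 (logon; logon type 10 = RDP), 4720 (user account created) and 4698 (scheduled task created), and raises an alert when an account performs one of the follow-on actions within a window of its own RDP logon on the same host. The events, the 30-minute window and the internal network ranges are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed events modelled on Windows Security log fields (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-11-20T01:02:00", "event_id": 4624, "logon_type": 10,
     "account": "corp\\jsmith", "host": "FS01", "source_ip": "203.0.113.7"},
    {"time": "2024-11-20T01:05:30", "event_id": 4720,
     "account": "corp\\jsmith", "host": "FS01", "target": "corp\\svc_backup2"},
    {"time": "2024-11-20T01:09:00", "event_id": 4698,
     "account": "corp\\jsmith", "host": "FS01", "task": "\\Microsoft\\Windows\\Defender\\Health Check"},
    {"time": "2024-11-20T09:00:00", "event_id": 4624, "logon_type": 10,
     "account": "corp\\admin1", "host": "DC01", "source_ip": "10.0.5.20"},
    {"time": "2024-11-20T09:20:00", "event_id": 4720,
     "account": "corp\\admin1", "host": "DC01", "target": "corp\\newhire"},
    {"time": "2024-11-20T15:00:00", "event_id": 4720,
     "account": "corp\\hr_sync", "host": "DC01", "target": "corp\\intern01"},
]

RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=30)          # assumed correlation window
FOLLOW_ON = {4720: "account created", 4698: "scheduled task created"}
# Assumed internal ranges; RDP from anywhere else is treated as higher severity.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(events: list) -> list:
    """Return alerts for follow-on admin actions shortly after an RDP logon."""
    alerts = []
    last_rdp = {}  # (account, host) -> (logon time, source ip)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["account"].lower(), ev["host"].upper())
        if ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            last_rdp[key] = (t, ev["source_ip"])
            continue
        if ev["event_id"] in FOLLOW_ON and key in last_rdp:
            rdp_time, src = last_rdp[key]
            if t - rdp_time <= WINDOW:
                alerts.append({
                    "account": ev["account"],
                    "host": ev["host"],
                    "action": FOLLOW_ON[ev["event_id"]],
                    "source_ip": src,
                    "minutes_after_rdp": int((t - rdp_time).total_seconds() // 60),
                    "severity": "medium" if is_internal(src) else "high",
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['account']} on {a['host']}: {a['action']} "
              f"{a['minutes_after_rdp']} min after RDP logon from {a['source_ip']}")
```

On the sample data the rule produces two high-severity alerts for the account that logged in over RDP from an external address and then created an account and a scheduled task, one medium alert for the internal administrator, and nothing for the account that created a user without a preceding RDP session. The window and the severity split are the knobs to tune against legitimate administrator behaviour.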

Andrew Costis from AttackIQ emphasizes the necessity for defenders to grasp these evolving tactics. He pointed out that the shift to exfiltration-based extortion is particularly notable, given that BianLian likely has connections to Russia. With the ongoing geopolitical tensions, this change could enable them to hit targets faster and expand their reach. Costis speculates that this move might save time compared to the lengthy negotiations typically involved in double extortion, suggesting a potential shift in how these groups assess the value of their tactics. It’ll be interesting to see if other ransomware groups follow their lead.