
BianLian Ransomware Gang Shifts to Purely Data Extortion Attacks, Warns Joint Advisory

U.S. and Australian authorities have warned critical infrastructure organizations about BianLian ransomware gang’s data extortion attacks.

On May 16, 2023, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) published a joint advisory on BianLian’s change of tactics from traditional ransomware encryption to data exfiltration-based extortion.

BianLian ransomware gang abandons encryption for data extortion attacks

Since June 2022, the BianLian ransomware gang has targeted U.S. and Australian critical infrastructure organizations using the double extortion model. The process involves encrypting the victim’s devices, exfiltrating data, and threatening to publish sensitive information unless a ransom is paid.

However, from January 2023 the gang abandoned encryption and moved to pure data extortion attacks. The switch coincided with Avast’s release of a BianLian ransomware decryptor.

“BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion,” the agencies noted.

According to Jon Miller, CEO and Co-founder at Halcyon, the abandonment of encryption proved “how successful the double extortion strategy is for ransomware groups.”

“It works so well that we will likely see more groups follow suit and forego the hassle of developing and managing the encryption and decryption process in favor of a less complicated attack,” noted Miller.

BianLian’s TTPs, indicators of compromise, and mitigations

According to the FBI, CISA, and ACSC, the ransomware gang gains access to victims’ networks through valid Remote Desktop Protocol (RDP) credentials. Next, the group leverages open-source tools and command-line scripting to discover and harvest credentials.

“With Verizon reporting that 61% of all security breaches involve the exploitation of credentials, and StrongDM reporting that 55% of organizations maintain backdoor access to infrastructure, it’s very likely a majority of ransomware incidents are spurred by poor access management practices,” said Justin McCarthy, the CTO and co-founder of StrongDM.

After gaining access, the ransomware gang exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega, and threatens to publish the data unless a ransom is paid.

BianLian’s backdoor is customized for each victim and enables the threat actor to install remote management tools such as TeamViewer, Atera Agent, SplashTop, or AnyDesk to maintain persistence. The ransomware gang also creates or activates administrator accounts and changes their passwords.

Once inside, BianLian disables antivirus software such as Windows Defender and modifies the Windows registry to defeat endpoint protection solutions, for example by altering Sophos’s SAVEnabled registry value.
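As an added illustration, not taken from the advisory or this article, the following Python sketch applies detection rules for the behaviours just described to constructed Windows Security event records: an account created and then promoted or given a new password shortly after an RDP logon, and a registry change that switches a watched endpoint-protection value off. The event IDs (4624, 4720, 4724, 4732, 4657) are real Windows Security event IDs; the records, account names, addresses, the Sophos registry path and the choice of watched values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Watched registry values: name -> data that means protection is OFF. SAVEnabled is the
# Sophos value named above; DisableAntiSpyware is the Windows Defender policy value
# (assumption: these two are the values this defender chooses to watch).
TAMPER_VALUES = {"SAVEnabled": "0", "DisableAntiSpyware": "1"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
WINDOW = timedelta(minutes=30)
RDP_LOGON_TYPE = 10  # event 4624 with logon type 10 = RemoteInteractive (RDP)

# Constructed sample events: (ISO timestamp, Windows Security event ID, fields)
SAMPLE_EVENTS = [
    ("2023-05-01T02:10:00", 4624, {"user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"}),
    ("2023-05-01T02:14:00", 4720, {"user": "helpdesk2", "actor": "svc_backup"}),
    ("2023-05-01T02:15:00", 4732, {"user": "helpdesk2", "group": "Administrators"}),
    ("2023-05-01T02:16:00", 4724, {"user": "helpdesk2", "actor": "svc_backup"}),
    ("2023-05-01T02:20:00", 4657, {"object": r"HKLM\SOFTWARE\Sophos\SAVService\Status",
                                   "value": "SAVEnabled", "new_data": "0"}),
    ("2023-05-01T09:00:00", 4720, {"user": "jdoe", "actor": "hr_admin"}),  # benign: no follow-up
    ("2023-05-01T09:05:00", 4657, {"object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
                                   "value": "DisableAntiSpyware", "new_data": "0"}),  # benign: re-enabled
]

def detect_admin_account_abuse(events, window=WINDOW):
    """Accounts created (4720) and, within `window`, added to an admin group (4732) or given a
    new password (4724); also notes whether the creating actor had just logged on over RDP."""
    rdp_logons, created, hits = {}, {}, []
    for ts, eid, f in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if eid == 4624 and f.get("logon_type") == RDP_LOGON_TYPE:
            rdp_logons[f["user"]] = t
        elif eid == 4720:
            actor = f.get("actor")
            via_rdp = actor in rdp_logons and t - rdp_logons[actor] <= window
            created[f["user"]] = (t, actor, via_rdp)
        elif eid in (4724, 4732) and f["user"] in created:
            t0, actor, via_rdp = created[f["user"]]
            if t - t0 <= window and (eid == 4724 or f.get("group") in ADMIN_GROUPS):
                hits.append({"user": f["user"], "event": eid, "actor": actor, "actor_via_rdp": via_rdp})
    return hits

def detect_protection_tamper(events):
    """Registry modifications (4657) that set a watched value to its 'disabled' data."""
    return [(f["value"], f["object"]) for _, eid, f in events
            if eid == 4657 and f.get("value") in TAMPER_VALUES and TAMPER_VALUES[f["value"]] == f.get("new_data")]

def triage(events=SAMPLE_EVENTS):
    return {"admin_abuse": detect_admin_account_abuse(events),
            "protection_tamper": detect_protection_tamper(events)}
```

Note that 4657 only appears when object-access auditing with a registry SACL is enabled, and that "disabled" means different data for different vendors, which is why the rule maps each value to its own off-state instead of testing for zero.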

“Unfortunately, endpoint detection and response (EDR) solutions, which were initially designed to identify behavior and were utilized for forensic examination by analysts, also have a high susceptibility to exploitation themselves,” said Randeep Gill, Principal of Cybersecurity Strategy at Exabeam. “If an adversary were to take advantage of an EDR tool, they would have access to a variety of an organization’s telemetry, including user and identity authentication, access to files, system variables and key business applications.”

According to Redacted, the ransomware group also tailors its message to specific victims to increase the effectiveness of its data extortion attacks.

Meanwhile, the agencies advised network defenders to study the BianLian tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) listed in the advisory to prevent data extortion attacks.

Additionally, they recommended mitigations such as limiting RDP and other remote access tools and services, disabling or limiting command-line scripting, and updating and restricting Windows PowerShell.

“Beyond deploying cyber defenses to protect against data theft, companies must encrypt any data retained and have clear data retention guidelines,” said Dror Liwer, co-founder of Coro. “The guiding principle should be: if the data isn’t absolutely necessary, it should not be retained. Unencrypted data should not be considered an asset, but rather, a liability.”

Ransomware is shifting towards exfiltration-based extortion

Some ransomware gangs like Lapsus$ and Karakurt have focused on data extortion attacks from the start, and more ransomware groups are adopting this strategy. Others like LockBit have directed their affiliates to avoid encrypting certain organizations and sectors, such as healthcare institutions, and to focus on data extortion attacks instead.

However, the shift is unlikely to be voluntary; it appears to result from ransomware groups making difficult choices after facing harsh realities on the ground.

In the era of multiple offline backups and slim chances of recovering stolen data after paying a ransom, many organizations opt to reconstruct their networks.

Additionally, encrypting and managing decryption keys introduces additional overheads to the ransomware operation, thus forcing cyber gangs to prioritize the simpler and less laborious data extortion attacks.

Encrypting devices also attracts unwanted attention, including from law enforcement, thus preventing organizations from concealing data breaches. Many businesses are unlikely to pay ransom to protect their reputation or avoid legal consequences once an attack goes public.

Lastly, the cybersecurity community and law enforcement agencies have succeeded in developing free decryptors, including BianLian’s, putting the ransomware developer’s effort to waste.

“More often than not, extortion via data leak is the modus operandi of choice,” said Tom Kellermann, SVP of Cyber Strategy at Contrast Security. “The shift is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but to disrupt the infrastructure that sustains it.”

“However, cybercrime cartels will short the stock of the victim company prior to the data leak to earn a return, in a crime called ‘shoxing,’” added Kellermann.