BianLian ransomware, coded in Go language and compiled as a 64-bit Windows system; first reared its head with a double-extortion approach, infiltrating networks, encrypting systems, and then leveraging stolen data demanding ransom under the threat of public exposure. Since its emergence in June 2022, BianLian has emerged as a formidable cybercriminal group specializing in the development, deployment, and data extortion using their infamous ransomware; victimizing 145 entities during the time of publication. With a primary focus on critical infrastructure sectors in the United States and Australia, as well as professional services and property development organizations, they pose a severe threat to numerous entities.
In January 2023, when Avast released a powerful decryptor capable of neutralizing the ransomware's encryption, BianLian made a significant shift in their modus operandi. The cybercrime group behind BianLian responded by adapting their strategy, transitioning to a new form of extortion that no longer involved encrypting the systems of victims. Instead, they focused solely on the theft of sensitive data, using it as leverage to extort their targets. The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) confirm this, as they observed a shift exclusively towards exfiltration-based extortion with systems left intact.
BianLian's infiltration tactics rely on the exploitation of valid Remote Desktop Protocol (RDP) credentials, ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and SonicWall VPN devices; while later leveraging open-source tools, and command-line scripting for reconnaissance and credential harvesting. Once inside the systems of a victim, they exfiltrate sensitive data through multiple channels such as File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors encrypted data on target systems during their double extortion days.
The following section presents the techniques that we uncovered during our analysis.
**All new detection rules are available as part of Logpoint’s latest release, as well as through the Logpoint Help Center.
Logpoint Emerging Threats Protection Service provides service subscribers with customized investigation and response playbooks, tailored to your environment. Contact the Global Services team here.