US Better Business Bureau consumer watchdog listed by ransom gang

The US Better Business Bureau (BBB), an independent organization that protects consumers from unfair business practices in all 50 states and Canada, has been claimed as a victim by the BianLian ransomware group.

The non-profit consumer protection agency was listed on the gang’s dark blog late Tuesday, with claims it had pilfered 1.2 terabytes of sensitive data from the organization.

“Better Business Bureau aim is to foster relationships between businesses and consumers,” the group wrote. The BBB website domain connects to all its 100 branches located across the US and Canada’s 10 provinces and three territories.

BianLian claims to have infiltrated the BBB offices in Arizona, which, according to the Pacific Southwest region, comprises one of the largest Bureau branches in the nation, representing over 20,000 BBB-accredited businesses.

BianLian leak site. Image by Cybernews.

The branch covers not only all major cities in Arizona, such as Phoenix, Scottsdale, Lake Havasu City, and Yuma, but also the Southern California cities of San Diego and Newport Beach.

“This company is far from being a simple non-profit organization, and far from being innocent,” the non-affiliated ransomware group said on its leak site.

“Data of this company will become available soon. Contact us if you want to get it, or if you want to protect it,” it said, listing the Bureau's revenue at $400 million.

The victim post also boasts the personal contact information of BBB Arizona’s CEO Matt Fehling and other C-Suite execs.

BianLian stated it was able to steal “1.2 Tb” of data from the Bureau’s systems, including:

  • Accounting, budget, financial data.
  • Contract data and NDA’s.
  • Files from CFO PC.
  • Operational and business files.
  • Email and PST archives.
BBB sticker on the business front door. (L) Image by Shutterstock. BianLian leak site. Image by Cybernews.

Cybernews has reached out to the BBB, both national offices and the Arizona branch, but did not hear back from either before publishing.

Who is BianLian?

The BianLian ransomware group appeared on the cybercriminal circuit back in June 2022, although the group is considered by experts as a relatively inexperienced one.

The group develops and deploys its own ransomware variant, mainly targeting critical infrastructure sectors in the US and Australia, according to a 2023 advisory alert by the US Cybersecurity & Infrastructure Security Agency (CISA).

BianLian, which tends to go after small and midsize businesses, has since branched out to claim victims in the medical, professional, and real estate industries. In January, the group announced commercial airline carrier Air Canada as its latest victim.

The gang is also said to have evolved from first stealing data and then encrypting its victims’ systems (known as double extortion) to a primarily data exfiltration-based extortion model.

The threat actors typically gain access to victims through the use of valid Remote Desktop Protocol (RDP) credentials, using open-source tools and command-line scripting for discovery and credential harvesting, the warning bulletin stated.

The group has not been affiliated with any specific country, although the phrase BianLian is translated as “face-changing” in Chinese.

It is the term used for an ancient performance art, known as Chinese Sichuan opera. The performance style, which uses colorful costumes and masks, is rarely seen outside mainland China because its secrets are protected by law.