BianLian, a notorious Russian ransomware ring, has seemingly abandoned the classic ransomware playbook. The FBI and cyber authorities warn that the gang is now following a new trend and shifting to data exfiltration-based extortion.
BianLian is a notorious ransomware developer, deployer, and data extortion cybercriminal group, likely based in Russia. It has multiple Russia-based affiliates.
Since June 2022, the menace has been attacking organizations in the US, critical infrastructure in Australia, professional services, and property development sectors.
Originally, the gang employed the usual double-extortion model, in which they exfiltrated the data and then encrypted victims’ systems. However, the new developments prompted a warning from the cyber security authorities.
“They shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024,” the joint alert by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre reads.
“BianLian then extorts money by threatening to release data if payment is not made.”
Prior to January 2024, BianLian used an encryptor (encryptor.exe) that left all encrypted files with the .bianlian extension. It created a ransom note in each affected folder, directing users to contact the gang and warning them not to attempt to recover encrypted files, as that could lead to a complete loss.
The updated ransom notes state that BianLian has exfiltrated the data and threaten to leak it unless the ransom is paid. The gang leaves three days until they start “emailing and calling your partners and employees with notes of your company’s breach.”
“After that, your data will be uploaded. Your competitors, partners, clients, authorities, lawyers, and tax agents will be able to access it. We will start mailing and calling your clients,” the new ransom note reads.
The gang also states that it only has financial motivations.
The FBI warns that the BianLian group engages in additional techniques to pressure the victim into paying the ransom. It has been observed printing ransom notes using the printers on compromised networks.
“Employees of victim companies have also reported receiving threatening telephone calls from individuals associated with the BianLian group,” the FBI warned.
The gang is known to gain initial access to victim systems by exploiting valid Remote Desktop Protocol (RDP) credentials. It uses open-source tools and command-line scripting to discover and harvest credentials and exfiltrate the valuable data via FTP (File Transfer Protocol), Rclone, or Mega.
The authorities also noted that multiple ransomware groups, including BianLian, now seek to misattribute location and nationality by choosing foreign-language names.
They urge critical infrastructure and other organizations to implement the mitigations provided in the advisory, such as limiting RDP access, disabling unnecessary scripting capabilities, implementing time-based access privileges, and others.
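As an added illustration (not code from the advisory or this article), a small Python check that applies the initial-access and exfiltration pattern described above to constructed Windows log lines: it flags interactive RDP logons from outside an assumed internal address range and executions of the exfiltration tools the advisory names, and highlights the case where both occur for the same host and user within an hour. The event IDs 4624/4688, the internal prefixes, the tool name list and the sample lines are assumptions for this example.

```python
"""Toy detection for the BianLian-style pattern: an interactive RDP logon
(Windows event 4624, logon type 10) from a non-internal address, followed on
the same host/user by execution (event 4688) of a tool named for exfiltration
(FTP, Rclone, Mega). All log lines and ranges below are constructed."""
from datetime import datetime, timedelta

# Constructed sample records in a simple key=value form (not real telemetry)
SAMPLE_LOGS = [
    "2024-02-01T02:10:00 host=FS01 event=4624 logon_type=10 user=jsmith src=203.0.113.45",
    "2024-02-01T02:25:00 host=FS01 event=4688 user=jsmith image=C:\\Users\\jsmith\\rclone.exe",
    "2024-02-01T09:00:00 host=WS07 event=4624 logon_type=10 user=admin src=10.0.5.12",
    "2024-02-01T09:05:00 host=WS07 event=4688 user=admin image=C:\\Windows\\System32\\notepad.exe",
    "2024-02-01T11:00:00 host=DB02 event=4688 user=svc image=C:\\Tools\\MEGAcmd\\mega-put.exe",
]
INTERNAL_PREFIXES = ("10.", "192.168.")   # assumed corporate/VPN ranges
EXFIL_TOOLS = ("rclone", "ftp.exe", "mega")  # crude substring match on the image path
WINDOW = timedelta(hours=1)                 # RDP logon -> tool execution correlation window


def parse(line):
    """Split one constructed line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(lines):
    """Return (host, user, reason) alerts in log order."""
    alerts = []
    external_rdp = {}  # (host, user) -> time of the last external RDP logon
    for r in (parse(l) for l in lines):
        key = (r["host"], r["user"])
        if r["event"] == "4624" and r.get("logon_type") == "10" \
                and not r["src"].startswith(INTERNAL_PREFIXES):
            external_rdp[key] = r["ts"]
            alerts.append((r["host"], r["user"], "rdp_external:" + r["src"]))
        elif r["event"] == "4688" and any(t in r["image"].lower() for t in EXFIL_TOOLS):
            t0 = external_rdp.get(key)
            if t0 is not None and r["ts"] - t0 <= WINDOW:
                alerts.append((r["host"], r["user"], "exfil_tool_after_external_rdp"))
            else:
                alerts.append((r["host"], r["user"], "exfil_tool"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The internal-only RDP session on WS07 produces nothing, while the Rclone run on FS01 fifteen minutes after an external RDP logon is raised as the correlated case.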