Executive Summary

  • BianLian ransomware surfaced in June 2022 and has been a persistent threat to multiple areas of critical infrastructure primarily in the US and Australia.

  • The ransomware strain is meticulously coded in Go language and compiled as a 64-bit Windows system.

  • Attackers exploit valid Remote Desktop Protocol (RDP) credentials, ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and SonicWall VPN devices during the initial phase of the attack.

  • They leverage open-source tools and command-line scripting for discovery and credential harvesting and exfiltrate victim data via File Transfer Protocol (FTP), Rclone, or Mega.

  • The ransomware group, initially employed a double-extortion model, i.e. encrypting systems with AES-256 in CBC mode (once private data has been exfiltrated from the victim’s network). However, upon the public release of a decryptor from Avast in January 2023, the group resorted to an intensified extortion-only modus operandi, with no system encryption.

Rabindra Dev Bhatta
Rabindra Dev Bhatta

Security Analytics Engineer

Jump To Section

Share This Story

Background

BianLian ransomware, coded in Go language and compiled as a 64-bit Windows system; first reared its head with a double-extortion approach, infiltrating networks, encrypting systems, and then leveraging stolen data demanding ransom under the threat of public exposure. Since its emergence in June 2022, BianLian has emerged as a formidable cybercriminal group specializing in the development, deployment, and data extortion using their infamous ransomware; victimizing 145 entities during the time of publication. With a primary focus on critical infrastructure sectors in the United States and Australia, as well as professional services and property development organizations, they pose a severe threat to numerous entities.

In January 2023, when Avast released a powerful decryptor capable of neutralizing the ransomware's encryption, BianLian made a significant shift in their modus operandi. The cybercrime group behind BianLian responded by adapting their strategy, transitioning to a new form of extortion that no longer involved encrypting the systems of victims. Instead, they focused solely on the theft of sensitive data, using it as leverage to extort their targets. The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) confirm this, as they observed a shift exclusively towards exfiltration-based extortion with systems left intact.

BianLian's infiltration tactics rely on the exploitation of valid Remote Desktop Protocol (RDP) credentials, ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and SonicWall VPN devices; while later leveraging open-source tools, and command-line scripting for reconnaissance and credential harvesting. Once inside the systems of a victim, they exfiltrate sensitive data through multiple channels such as File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors encrypted data on target systems during their double extortion days.

The following section presents the techniques that we uncovered during our analysis.

**All new detection rules are available as part of Logpoint’s latest release, as well as through the Logpoint Help Center.

Logpoint Emerging Threats Protection Service provides service subscribers with customized investigation and response playbooks, tailored to your environment. Contact the Global Services team here.