BianLian Ransomware Group Adopts New Tactics, Posing Significant Risk
Summary:
The US and Australian governments have issued a joint advisory warning critical infrastructure organizations about evolving tactics used by the BianLian ransomware group, a Russia-linked cybercriminal organization. This group has shifted its approach to focus exclusively on exfiltration-based extortion since January 2024, abandoning its earlier double-extortion model that combined data theft with system encryption. BianLian now exfiltrates victim data using tools like FTP, Rclone, or Mega and threatens to release it unless a ransom is paid. Victims are warned of financial, business, and legal consequences if they refuse to comply.
Security Officer Comments:
Active since 2022, BianLian has targeted multiple critical infrastructure sectors in the US and private enterprises in Australia, including an attack on Australian mining company Northern Minerals in 2024. The group has adopted new tactics, techniques, and procedures (TTPs) to enhance its effectiveness. For initial access, it now exploits public-facing applications, such as using the ProxyShell exploit chain, in addition to compromised Remote Desktop Protocol (RDP) credentials. For command and control, BianLian employs tools like Ngrok and modified Rsocks utilities, replacing its earlier reliance on custom backdoors written in Go. Its defense evasion strategies include renaming binaries to resemble legitimate files, using UPX packing to hide malicious code, and manipulating PowerShell and Windows Command Shell to disable antivirus tools. To maintain persistence, the group has created unauthorized domain admin accounts, deployed webshells on Exchange servers, and leveraged Azure AD accounts.
Suggested Corrections:
The FBI, CISA and ASD’s ACSC issued specific recommendations for organizations to help them defend against BianLian tactics, alongside more general controls such as multi-factor authentication and privileged access management. These include:
- Auditing remote access tools on your network and reviewing logs for execution of remote access software to detect abnormal use of programs running as portable executables
- Implementing application controls to manage and control execution of software, including allowlisting remote access programs
- Strictly limiting the use of RDP and other remote desktop services
- Disabling command-line and scripting activities and permissions
- Restricting the use of PowerShell through Group Policy, granting it only to specific users on a case-by-case basis
- Updating Windows PowerShell or PowerShell Core to the latest version and uninstalling all earlier PowerShell versions
- Configuring the Windows Registry to require User Account Control (UAC) approval for any PsExec operations
- Reviewing domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts
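The following PowerShell script is an added example of how a defender could check several of the recommendations above on a domain-joined Windows host; it is not code from the advisory or from the FBI, CISA or ASD's ACSC. It assumes the RSAT ActiveDirectory module is installed, that it runs elevated, that process-creation auditing (Security event 4688) is enabled, and that the LocalAccountTokenFilterPolicy registry value is the relevant setting for UAC remote restrictions relied on by PsExec-style remote execution. The tool-name patterns and the time windows are illustrative choices, not values from the advisory.

```powershell
# Added example: audit checks for new domain accounts, remote access / exfil
# tool execution, and PowerShell hardening. Assumptions (not from the advisory):
# RSAT ActiveDirectory module present, elevated session, event 4688 auditing on.

function Get-NewDomainAccounts {
    # Lists AD users created within the last $Days days and flags Domain Admins,
    # supporting the "review for new/unrecognized accounts" recommendation.
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Select-Object -ExpandProperty SamAccountName
        Get-ADUser -Filter { whenCreated -ge $cutoff } -Properties whenCreated |
            ForEach-Object {
                [pscustomobject]@{
                    Account     = $_.SamAccountName
                    Created     = $_.whenCreated
                    DomainAdmin = ($admins -contains $_.SamAccountName)
                }
            }
    } catch {
        Write-Warning "ActiveDirectory query failed (module missing or no domain access): $_"
    }
}

function Get-RemoteAccessToolEvents {
    # Scans Security event 4688 (process creation) for executables whose names
    # match tools named in the advisory; requires process-creation auditing.
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string[]]$ToolPatterns = @('rclone', 'ngrok', 'mega', 'rsocks', 'psexec')
    )
    $regex = ($ToolPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "New Process Name:\s+.*($regex)" } |
        ForEach-Object {
            $line = ($_.Message -split "`n" | Where-Object { $_ -match 'New Process Name:' } | Select-Object -First 1).Trim()
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $line }
        }
}

function Test-PowerShellHardening {
    # Returns human-readable findings for the PowerShell and UAC recommendations.
    $findings = @()

    # The legacy Windows PowerShell 2.0 engine lacks modern logging; the advisory
    # says to uninstall earlier PowerShell versions.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled') {
        $findings += 'Windows PowerShell 2.0 engine is enabled; remove it with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root'
    }
    $findings += "Running PowerShell $($PSVersionTable.PSVersion); confirm it is the latest supported release."

    # A Group Policy (MachinePolicy scope) execution policy indicates PowerShell
    # use is being restricted centrally rather than per host.
    $gpo = Get-ExecutionPolicy -List | Where-Object { $_.Scope -eq 'MachinePolicy' }
    if (-not $gpo -or $gpo.ExecutionPolicy -eq 'Undefined') {
        $findings += 'No Group Policy execution policy is set; restrict PowerShell via GPO for non-admin users.'
    }

    # Assumed relevant setting: LocalAccountTokenFilterPolicy = 1 disables UAC
    # remote restrictions, giving remote local-admin logons a full token, which
    # PsExec-style remote execution relies on. 0 (or absent) keeps UAC filtering.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($val -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions; set it to 0 to require UAC for remote admin operations.'
    }
    return $findings
}

# Usage: run elevated on a domain-joined host.
Get-NewDomainAccounts -Days 30 | Format-Table -AutoSize
Get-RemoteAccessToolEvents | Format-Table -AutoSize
Test-PowerShellHardening
```

Each function returns objects rather than printing, so the output can be piped into a SIEM export or compared across hosts. The 4688 check only sees executions that Windows audited; pair it with application control logs (allowlisting, as the recommendations suggest) to catch renamed or UPX-packed binaries whose file names no longer match the tool patterns.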
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a