A joint Cybersecurity Advisory from government agencies in the U.S. and Australia, published by the Cybersecurity and Infrastructure Security Agency (CISA), is warning organizations of the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group.
BianLian is a ransomware and data extortion group that has been targeting entities in the U.S. and Australian critical infrastructure since June 2022.
Part of the #StopRansomware effort, the advisory is based on investigations from the Federal Bureau of Investigation (FBI) and Australian Cyber Security Centre (ACSC) as of March 2023. It aims to provide defenders with information that allows them to adjust protections and strengthen their security stance against BianLian ransomware and other similar threats.
BianLian attack tactics
BianLian initially employed a double-extortion model, encrypting systems after stealing private data from victim networks, and then threatening to publish the files.
However, since January 2023, when Avast released a decryptor for the ransomware, the group switched to extortion based on data theft without encrypting systems.
This tactic remains effective because the incidents are essentially data breaches that damage the victim's reputation, undermine customer trust, and create legal complications.
CISA’s advisory warns that BianLian breaches systems using valid Remote Desktop Protocol (RDP) credentials, possibly purchased from initial access brokers or acquired through phishing.
BianLian then uses a custom backdoor written in Go, commercial remote access tools, and command-line tools and scripts for network reconnaissance. The final stage consists of exfiltrating victim data via the File Transfer Protocol (FTP), the Rclone tool, or the Mega file hosting service.
To evade detection by security software, BianLian leverages PowerShell and the Windows Command Shell to terminate running processes associated with antivirus tools. The Windows Registry is also manipulated to neutralize the tamper protection provided by Sophos security products.
The recommended mitigations include limiting the use of RDP and other remote desktop services, disabling unnecessary command-line and scripting activity, and restricting the use of PowerShell on critical systems.
The advisory recommends several measures that can help defend the network:
- Audit and control the execution of remote access tools and software on your network.
- Restrict usage of remote desktop services like RDP and enforce stringent security measures.
- Limit PowerShell use, update to the latest version, and enable enhanced logging.
- Regularly audit administrative accounts and employ the principle of least privilege.
- Develop a recovery plan with multiple copies of data stored securely and offline.
- Adhere to NIST standards for password management, including length, storage, reuse, and multi-factor authentication.
- Regularly update software and firmware, segment networks for improved security, and actively monitor network activity.
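As an added example, not taken from the advisory or the agencies' own material, the following PowerShell applies two of the listed mitigations (enhanced PowerShell logging and restricted RDP) on a single Windows host when run as Administrator; in a domain the same settings belong in Group Policy. The management subnet 10.0.0.0/24 and the transcript directory are placeholder assumptions.

```powershell
# Added example: local equivalents of the "enable enhanced PowerShell logging"
# and "restrict remote desktop services" mitigations. Run as Administrator.
# Assumptions: 10.0.0.0/24 stands in for the admin/jump-host subnet and
# C:\PSTranscripts is a directory the SIEM collects and users cannot modify.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging records the de-obfuscated content of every script
#    block that runs (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null

#    Module logging records pipeline execution details for all modules (Event ID 4103).
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' `
    -PropertyType String -Force | Out-Null

#    Transcription writes a full text transcript of each session to disk.
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
New-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory `
    -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null

# 2. RDP: require Network Level Authentication, then replace the built-in
#    "allow from anywhere" rules with one scoped to the management subnet.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -PropertyType DWord -Force | Out-Null
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from management subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress '10.0.0.0/24' -Action Allow | Out-Null

# Read the settings back so the change can be verified now and audited later.
Get-ItemProperty "$psPolicy\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-ItemProperty "$psPolicy\Transcription" | Select-Object EnableTranscripting, OutputDirectory
Get-NetFirewallRule -DisplayName 'RDP from management subnet only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Forward the 4103/4104 events and the transcript directory to central logging; a logging setting that only lives on the compromised host can be altered by the same actor the page describes.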
“FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.” – CISA.
More detailed information on the recommended mitigations, indicators of compromise (IoCs), command traces, and BianLian techniques is available in the full bulletins from CISA and the ACSC.