The Australian Cyber Security Centre (ACSC) and the United States’ Cyber Security and Infrastructure Security Agency (CISA), have published updated intelligence on the activities of the dangerous BianLian ransomware operation, after observing a rapid evolution in the gang’s tactics, techniques and procedures (TTPs).
One of a number of gangs that first came to prominence alongside LockBit in 2022 during a shift in the cyber criminal landscape following the demise of the Conti crew, BianLian is almost certainly based in Russia despite the Chinese name – probably an attempt at obfuscation.
Over the past couple of years, it has established a name for itself by targeting critical national infrastructure (CNI) operators in both Australia and the US, with victims also claimed in the UK.
Having gained access to its victims’ environments, usually by stealing valid Remote Desktop Protocol (RDP) credentials, and exfiltrating their data, BianLian historically employed the standard double extortion model, encrypting the victims’ systems and then threatening to leak their data if they weren’t paid off.
However, said the Australians, in 2023 BianLian started to shift to encryption-based extortion, in which systems are left intact and victims are warned of financial, business and legal consequences if payment is not made. Among cyber criminals, this technique may be considered a somewhat easier method of extorting a victim as it requires less technical work. BianLian certainly seems to think so, having exclusively used this method since January 2024.
“FBI, CISA, and ACSC encourage critical infrastructure organisations and small- and medium-sized organisations to implement the recommendations in the mitigations section of the advisory to reduce the likelihood and impact of BianLian and other ransomware and data extortion incidents,” said the ACSC.
New techniques
The most significant change observed is the abandonment of a traditional ransomware locker for encryption and the updating of its standard ransomware note to reflect this – samples of which are provided in the advisory.
It has also adopted more high-pressure techniques in an attempt to pressure its victims into paying. It now sends copies of the ransom note to office printers and employees of affected companies have been on the receiving end of threatening telephone calls.
However, in the run-up to its attacks the gang is also using a number of other updated techniques that defenders should be alert to. A full run-down is available from the ACSC, but among some of the changes some of those observed by the authorities are the targeting of public-facing applications of both Microsoft Windows and VMware ESXi infrastructure, exploiting the vintage ProxyShell exploit chain for initial access, in addition to RDP.
Once inside its target, BianLian now implants a custom, Go-coded backdoor specific to the victim and from there installs remote management and access software, it favours popular products including AnyDesk and TeamViewer, to establish persistence and command-and-control (C2) purposes. It now also appears to be using the Ngrok reverse proxy tool and possibly a modified version of the open source Rsocks utility to establish tunnels from victim networks and cover up where the C2 traffic is heading.
To escalate its privileges within the victim environment, it has recently taken to exploiting CVE-2022-37969. This zero-day, among 64 bugs that Microsoft attempted to quash in its September 2022 Patch Tuesday update, is a privilege elevation vulnerability in the Windows Common Log File System Driver and successfully exploited, grants admin-level rights.
Historically, BianLian has leveraged Power Shell and Windows Command Shell to disable antivirus tools such as Windows Defender and Anti-Malware Scan Interface (AMSI). It has now been observed renaming binaries and scheduled tasks after genuine Windows services and security products and appears to be trying to pack executables using UPX to conceal their code in an attempt to bypass detection tools.
When it comes to establishing persistence and facilitating further lateral movement, the gang has been observed using PsExec and RDP with valid accounts, but has also been spotted using the Server Message Block (SMB) protocol, installing webshells on Exchange servers, and creating Azure Active Directory (AD) accounts.
Know your enemy
Andrew Costis, engineering manager of the Adversary Research Team and AttackIQ, which specialises in MITRE ATT&CK-based cyber attack simulations, said it was vital for defenders to understand and test against the often highly specific TTPs used by gangs such as BianLian.
“The shift to exfiltration-based extortion is interesting, particularly as it’s believed that the BianLian operators are likely based in Russia or have ties to Russia – based on some of the tools they have been observed using,” he observed.
“With the current geopolitical situation unfolding between Russia, Ukraine, and the West, this could be a strategic move to strike their victims faster and ultimately target more victims. This de-prioritisation of double extortion could potentially be a time-saving strategy, as double extortion negotiations take time and resources on both sides,” Costis told Computer Weekly in emailed comments.
“From a value perspective, the intention of this change in tactic suggests that they don’t currently value encryption or double extortion. It will certainly be interesting to see if other ransomware groups follow suit.”