Ransomware group BianLian was the subject of a joint cybersecurity advisory last week, with the Australian Cyber Security Centre (ACSC), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) warning that the cybercriminal group is increasingly active and now focusing on exfiltration-based extortion.
The Australian Cyber Security Centre, FBI and CISA issued a joint advisory on a change of criminal tactics by the ransomware group.
BianLian is known to have carried out attacks against Australian and US companies, as well as on providers of critical infrastructure in both nations.
The FBI says BianLian has targeted multiple US critical infrastructure entities since mid-2000. Meanwhile, the ACSC says the group primarily targets private enterprises in Australia, but has also attempted to extort at least one local critical infrastructure entity.
In the joint advisory, the agencies state BianLian has moved from a ransomware model to one focused on data extortion. Instead of encrypting data and demanding a ransom to have it unlocked, BianLian now steals data and blackmails victims with threats to leak it.
“BianLian group actors use PsExec and RDP with valid accounts for lateral movement,” the joint advisory says. “Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local remote desktop users’ group, modified the added account’s password, and modified Windows firewall rules to allow incoming RDP traffic.”
Earlier this year, BianLian’s dark website listed 118 past targets, including sector breakdowns with healthcare the largest targeted sector. Seven percent of targets were in Australia, 11% in the UK, and 71% in the US.
Commenting on the advisory, Liam Dermody, Director of Threat Analysis for Darktrace Australia and New Zealand, says, "The change in tactic was likely forced by the availability of a free BianLian ransomware decryptor, which was made available online earlier this year.
"This decryptor effectively made BianLian’s previous ransomware tactics useless and forced it to pivot to new methods of extorting victims," he says.
Dermody says the effectiveness of this pivot to extortion for BianLian and groups like it is unclear, and the availability of tools like the decryptor calls into question the business model of cybercriminal organisations.
"If companies refuse to be blackmailed when their data is stolen, and with open access to online tools which can unlock encrypted data, it’s possible ransomware, and the criminal business model underpinning it, could become a thing of the past," he says.
"What is certain, however, is cybercriminals will continue to innovate, finding new ways to attack businesses and critical infrastructure as a way of making money," Dermody says.
"Australian businesses can’t afford to relax their cybersecurity posture, even though it appears one critical attack vector – ransomware – is on its way to being neutralised."