The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have issued a joint warning to critical infrastructure organizations about the BianLian ransomware group's attacks. The group has been active since at least June 2022 and has targeted multiple critical infrastructure organizations in the US and private entities in Australia, including a critical infrastructure organization.
The BianLian gang gains access to victim networks through Remote Desktop Protocol (RDP) credentials, which are likely acquired from initial access brokers or phishing attacks. Since January 2023, the group's focus has shifted primarily to data exfiltration, and it no longer deploys file-encrypting ransomware on victims' systems. Upon gaining access to a network, the group deploys a custom Go-based backdoor tailored to each victim and installs remote management and access software such as Atera Agent, AnyDesk, SplashTop, and TeamViewer.
The group has been observed creating administrator accounts, changing passwords for existing accounts, disabling antivirus software, and modifying the Windows registry to disable and uninstall Sophos endpoint protection solutions. For reconnaissance, BianLian uses tools like Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, PingCastle, and Impacket, along with command-line scripting. The group also relies on LSASS memory dumps and command-line scripting for credential harvesting and uses RDP Recognizer to brute-force RDP passwords or identify RDP vulnerabilities.
For lateral movement, the gang has been seen using PsExec and RDP with valid credentials. In one instance, the group exploited the Netlogon vulnerability (CVE-2020-1472) and connected to an Active Directory domain controller. Victims' data is typically harvested using PowerShell scripts, and the data is exfiltrated over FTP and via tools such as Rclone. In Australia, the group has been observed using the Mega file-sharing service for data exfiltration.
In cases where ransomware was deployed and executed, the .bianlian extension was appended to the encrypted files. The ransom notes informed victims that the ransomware searched for, encrypted, and exfiltrated business, client, financial, technical, and personal files. The BianLian group threatens to publish the exfiltrated data on a leak site and instructs victims to contact them via Tox chat and pay a ransom in cryptocurrency. To pressure victims into paying, the group would print the ransom note on the company's printers and contact employees via phone.
CISA, FBI, and ACSC encourage organizations to audit the use of RDP and other remote access tools, disable command-line scripting, restrict PowerShell usage, control software execution, audit user accounts, keep all systems and software updated, implement strong authentication practices, maintain offline backups, and implement a recovery plan.
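As an added illustration of the account audit and remote-access-tool audit recommended above, applied to the account-creation, password-change and remote-management-tool behaviours described earlier, the following detection script is not part of the advisory or this article. It assumes a constructed, hypothetical event export format ("ISO time, event ID, key=value fields"); the standard Windows event IDs used are 4720 (account created), 4732 (member added to local group), 4724 (password reset) and 7045 (service installed), and the sample lines are constructed.

```python
# Added example (not from the advisory): flags the post-access behaviours the
# advisory describes in a constructed Windows event export. Format assumed:
# "<ISO time> <EventID> key=value ..." (hypothetical; a real export differs).
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-05-01T02:10:05 4720 host=FS01 subject=CORP\\jdoe target=svc_backup
2023-05-01T02:10:41 4732 host=FS01 subject=CORP\\jdoe group=Administrators member=svc_backup
2023-05-01T02:12:03 4724 host=FS01 subject=CORP\\jdoe target=Administrator
2023-05-01T02:15:30 7045 host=FS01 service=AnyDesk path=C:\\ProgramData\\AnyDesk\\AnyDesk.exe
2023-05-01T09:00:00 4720 host=HR02 subject=CORP\\helpdesk target=newhire
2023-05-01T11:30:00 7045 host=HR02 service=WSearch path=C:\\Windows\\System32\\SearchIndexer.exe
"""
# Remote-management tools the advisory lists; matched case-insensitively on service name
REMOTE_TOOLS = ("anydesk", "teamviewer", "splashtop", "atera")
WINDOW = timedelta(minutes=30)  # assumption: account creation -> admin add within 30 min

def parse(log_text):
    # One dict per line: ts (datetime), id (int), plus the key=value fields
    events = []
    for line in log_text.splitlines():
        ts, eid, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), **fields})
    return events

def find_suspicious_hosts(log_text):
    """Return {host: [reasons]}: new account promoted to Administrators within
    WINDOW, password reset on an existing account, or listed tool installed as a service."""
    by_host = defaultdict(list)
    for ev in parse(log_text):
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        created = {e["target"]: e["ts"] for e in evs if e["id"] == 4720}
        reasons = []
        for e in evs:
            if e["id"] == 4732 and e.get("group") == "Administrators":
                t0 = created.get(e["member"])
                if t0 is not None and e["ts"] - t0 <= WINDOW:
                    reasons.append(f"new account {e['member']} added to Administrators")
            elif e["id"] == 4724:
                reasons.append(f"password reset on {e['target']} by {e['subject']}")
            elif e["id"] == 7045 and any(t in e["service"].lower() for t in REMOTE_TOOLS):
                reasons.append(f"remote-access service installed: {e['service']}")
        if reasons:
            findings[host] = reasons
    return findings
```

On the sample data only FS01 is flagged; the routine helpdesk account creation and the built-in search service on HR02 produce no finding.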