BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion
The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It’s also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.
BianLian, first discovered last July, hasn’t deviated much from its initial tactic: deploying a custom go-based backdoor once it infiltrates a network. The functionality of the malware essentially remains the same except for a few tweaks, researchers from Redacted said in a blog post published today.
However, the swiftness with which the group’s command-and-control server (C2) deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.
“BianLian has discovered that they don’t need to actually encrypt victim networks to get paid,” Adam Flatley, vice president of intelligence at Redacted, says.
This shift to focus on data-leak extortion is “extremely dangerous,” because it allows the group to take the time and effort to tailor the threats to specific victims and exert more pressure to pay ransoms, he adds.
“BianLian will have an even stronger pressure position on trying to force their victims to not work with the FBI, to not report the incident, and just pay the ransom and move on,” Flatley says.
BianLian’s motivation for changing its encryption strategy is likely a response to Avast’s release of an encryption tool for organizations that have been targets of the group to unlock their files, the researchers noted.
Given that BianLian has used double-extortion methods from the outset — threatening to release a victim organization’s stolen data online if a ransom wasn’t paid by a certain deadline — the group decided to skip the encryption step and go right to extortion, according to Redacted.
Maturing As a Cyberattack Business
This shift is part of BianLian’s overall evolution and maturation as a business, the researchers said. While from its inception the group has had “a high level of operational security and skill in network penetration,” they now appear to be hitting their stride in terms of the actual business of running a cybercriminal extortion gang.
Indeed, moving away from the unique encryption method that it displayed in early attacks is a smart business move, Flatley says, particularly as an evasion tactic. Because data theft does not cause network nor business disruption, it calls less attention to BianLian’s activity, “which means their operations can fly more under the radar,” he says.
“When business services are disrupted, it’s very hard to keep an event quiet because customers and business partners start to notice that services are down, for example,” Flatley says.
Another thing the group has going for it to achieve success with this new strategy is a faster time to deploy a backdoor on a network once they’ve gained initial access, the researchers said. This speed is linked to BianLian’s strong C2 server game, with the group bringing close to 30 new ones online each month, each with a typical lifetime of about two weeks, they said.
Once BianLian establishes a C2 connection to a victim network, it now deploys its backdoor in mere minutes — which means that by the time security administrators discover a BianLian C2, “it is highly likely that the group has already established a solid foothold into a victim’s network,” the researchers said.
While it’s difficult to know how many victims BianLian has compromised, as of March 9, the group has detailed 116 victim organizations on its leak site, the researchers noted. Of those victims, healthcare organizations represent the single largest industry vertical victimized by the group — a shift from early attacks, which focused mainly on the media and entertainment sector.
Shoring Up Cyber Defense Against Data Theft & Extortion
With BianLian and other ransomware group’s pivoting to pure extortion tactics, enterprises must also make changes to how they defend against these attacks, the researchers said.
“They will need to focus even more on techniques that can help them avoid having to pay the ransom in double-extortion scenarios,” Flatley says.
Some of those techniques include a stronger prevention strategy against easily thwarted attacks, as well as quicker detection of “unpreventable” network intrusions, he says. This can be done by “following best practices on passwords and multifactor authentication, aggressively patching your systems in a prioritized and enforced regime, and providing security training for your employees,” Flatley wrote in a blog post on how organizations can avoid paying a ransom.
Shoring up incident response as well as having a plan ahead of an attack to prepare for ransom demands can also help organizations avoid the worst outcome of extortion-based attacks, Flatley says.
As part of the former, Flatley notes in his post that organizations should ensure that they have good system backups, that those backups are secured effectively so an attacker can’t access them, and that the restoration process is fully tested to ensure it works correctly.