Researchers Spot Snowballing BianLian Ransomware Gang Activity
A new player in the ransomware space called BianLian is ramping up activity, and has already targeted organizations in Australia, North America, and the United Kingdom.
According to an advisory from cybersecurity firm Redacted, there has been a “troubling” rise in the rate at which BianLian is bringing new command-and-control (C&C) servers online.
The ransomware was created with Golang (Go), the Google-created open-source programming language, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
“While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them,” the researchers noted in the Friday post.
BianLian has been rising in popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on the ransomware last month.
The BianLian Ransomware Attack Flow
To begin its attacks, the ransomware gang leverages the access gained through the ProxyShell vulnerabilities to install a Web shell or ngrok payload for monitoring activities. The group has been taking care to avoid detection and minimize observable events as it hunts for data and identifies machines to encrypt, researchers said.
In a campaign observed by Redacted, once in, BianLian most often utilized standard “living off the land” (LoL) techniques for network profiling and lateral movement, the report noted. These included net.exe to add and/or modify user permissions; netsh.exe to configure host firewall policies; and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.
In addition to leveraging the LoL techniques, the group is also known to deploy a custom implant as an alternative means to maintain persistent network access. The main objective of this “simple but effective” backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.
“BianLian have shown themselves to be adept with the methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network,” the report stated.
BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is also able to start servers in Windows Safe Mode to execute its file-encrypting malware while remaining undetected by security solutions installed on the system. Other measures taken to circumvent security barriers include deleting snapshots, purging backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts.
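The living-off-the-land commands named above (net.exe, netsh.exe, reg.exe) and the snapshot deletion, Safe Mode boot and WinRM/PowerShell execution described here are each routine on their own; the signal for a defender is several of them clustering on one host within a short window. The following Python script is an added example, not code from Redacted or the original article: it runs a small set of detection rules over constructed Sysmon-style process-creation events and counts distinct techniques per host. The event lines, host names and the enc.exe file name are constructed; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon Event ID 1 style; not from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "net user backup_svc Passw0rd! /add"},
    {"host": "ws01", "cmd": "net localgroup Administrators backup_svc /add"},
    {"host": "ws01", "cmd": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "ws01", "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "fs02", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "fs02", "cmd": "bcdedit /set {default} safeboot minimal"},
    {"host": "fs02", "cmd": "powershell -NoP -W Hidden -c Invoke-Command -ComputerName fs03 -ScriptBlock { Start-Process enc.exe }"},
    {"host": "hr07", "cmd": "net user"},                         # benign: listing accounts, no /add
    {"host": "hr07", "cmd": r"reg query HKLM\SOFTWARE\Vendor"},  # benign: read-only registry access
]

# Each rule: (name, ATT&CK technique, compiled regex over the command line).
RULES = [
    ("net.exe account or group add", "T1136.001",
     re.compile(r"^net1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)),
    ("netsh firewall rule change", "T1562.004",
     re.compile(r"^netsh(\.exe)?\s+(advfirewall|firewall)\b.*\b(add|set|delete)\b", re.I)),
    ("reg.exe writes RDP/security policy keys", "T1112",
     re.compile(r"^reg(\.exe)?\s+add\b.*(Terminal Server|fDenyTSConnections|Policies\\System)", re.I)),
    ("shadow copy deletion", "T1490",
     re.compile(r"^(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("safe mode boot configured", "T1562.009",
     re.compile(r"^bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
    ("remote execution via WinRM/PowerShell", "T1021.006",
     re.compile(r"^powershell(\.exe)?\b.*Invoke-Command\b.*-ComputerName\b", re.I)),
]

def match_event(cmd):
    """Return (rule name, technique) tuples for every rule whose regex matches this command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmd)]

def score_hosts(events):
    """Count distinct matched techniques per host: single hits are noisy, clusters are the signal."""
    seen = defaultdict(set)
    for ev in events:
        for _, tech in match_event(ev["cmd"]):
            seen[ev["host"]].add(tech)
    return {host: len(techs) for host, techs in seen.items()}

if __name__ == "__main__":
    for host, n in sorted(score_hosts(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} distinct techniques")
```

In a real deployment the same rules would be expressed as Sigma rules or SIEM queries over EDR telemetry, and the per-host count would be computed over a sliding time window rather than the whole event set.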
The group’s emergence adds to the growing number of threats using Go as a base language, allowing adversaries to make quick changes in a single code base that can then be compiled for multiple platforms.
Ransomware Runs Wild
Acronis’ mid-year cyber-threats report found that ransomware continues to be the top threat to large and midsize businesses, including government organizations, while research from Sophos indicates ransomware gangs may be working in concert to orchestrate multiple attacks.
Further complicating the security landscape is the emergence of data marketplaces that make it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.
Despite the growing risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among businesses with cyber insurance, according to a BlackBerry survey.
The Redacted advisory recommended using a layered approach when trying to mitigate the threat posed by ransomware actors.
“Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens,” the report said.
The foundation of this strategy includes multifactor authentication (MFA), secure backups, and an incident response plan.