Feds Warn of New BianLian Ransomware Group Attack Profile
Russian Data Exfiltration Extortion Gang Keeps Fine-Tuning its Tactics

Russia-based cybercrime gang BianLian has continued to thrive since shifting last year from double extortion to primarily data theft. BianLian is among the three most active ransomware gangs hitting the healthcare sector, and authorities are warning that the group has adopted new tactics, techniques and procedures.
The FBI and the Cybersecurity and Infrastructure Security Agency - along with the Australian Signals Directorate's Australian Cyber Security Centre - said in an updated advisory Wednesday that BianLian is now trying to frustrate investigators' attempts to attribute the gang's attacks, a trick that some other ransomware groups have also tried.
"BianLian is a ransomware developer, deployer and data extortion cybercriminal group, likely based in Russia, with multiple Russia-based affiliates."
But BianLian seeks "to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts," the alert said.
The warning this week from U.S. and Australian authorities updates a joint advisory issued in May 2023 when BianLian was observed shifting away from double extortion assaults on victims that involved ransomware encryption and data theft to solely focus on exfiltration attacks (see: BianLian Skips Encryption on Way to Extortion).
Based on more recent observations of BianLian's evolving tactics, the updated alert urges critical infrastructure organizations to take several priority actions. Those include strictly limiting the use of Remote Desktop Protocol and other remote desktop services; disabling command-line and scripting activities and permissions; restricting the use of PowerShell; and updating Windows PowerShell or PowerShell Core to the latest version.
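The RDP and PowerShell items in that list translate into a handful of host settings. The script below is an added example, not code from the advisory or from the agencies that issued it: it audits those settings on a Windows host and, with -Apply, tightens them. It assumes a domain-joined host running Windows PowerShell 5.1 or later, an elevated session, and a placeholder management subnet of 10.0.10.0/24 that should remain able to reach RDP; Constrained Language Mode is enforced through AppLocker or WDAC policy, so the script only reports whether it is in effect.

```powershell
# Added example (not from the advisory): audit and tighten the RDP and PowerShell
# controls recommended in the CISA/FBI/ACSC update. Run elevated; without -Apply
# the script only reports findings.
# Assumptions: domain-joined host, Windows PowerShell 5.1+, and a placeholder
# management subnet of 10.0.10.0/24 that is the only network allowed to reach RDP.
param([switch]$Apply, [string]$MgmtSubnet = '10.0.10.0/24')

$findings = @()

# 1. RDP exposure: require Network Level Authentication and scope inbound RDP to
#    the management subnet instead of leaving the built-in rule open to "Any".
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$rdpEnabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
if ($rdpEnabled -and -not $nla) {
    $findings += 'RDP enabled without Network Level Authentication'
    if ($Apply) { Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 }
}
if ($rdpEnabled) {
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    if ($openRules) {
        $findings += 'Inbound RDP firewall rules allow any remote address'
        if ($Apply) { $openRules | Set-NetFirewallRule -RemoteAddress $MgmtSubnet }
    }
}

# 2. PowerShell: remove the legacy 2.0 engine, which has no script block logging
#    and is the usual way to dodge it.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') {
    $findings += 'PowerShell 2.0 engine still installed'
    if ($Apply) { Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null }
}

# 3. Logging: script block and module logging, so discovery scripts that list
#    processes, software and drives leave a record in
#    Microsoft-Windows-PowerShell/Operational (event 4104).
$polRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$logging = @{
    "$polRoot\ScriptBlockLogging" = 'EnableScriptBlockLogging'
    "$polRoot\ModuleLogging"      = 'EnableModuleLogging'
}
foreach ($key in $logging.Keys) {
    $name    = $logging[$key]
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne 1) {
        $findings += "$name is not enabled"
        if ($Apply) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        }
    }
}
if ($Apply) {
    # Module logging needs at least one module name pattern; '*' logs every module.
    New-Item -Path "$polRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path "$polRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

# 4. Version and language mode: report outdated Windows PowerShell and sessions
#    that are not constrained (CLM comes from AppLocker/WDAC policy, not from here).
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    $findings += "Windows PowerShell $($PSVersionTable.PSVersion) is outdated"
}
if ($ExecutionContext.SessionState.LanguageMode -eq 'FullLanguage') {
    $findings += 'Session runs in FullLanguage mode; no AppLocker/WDAC lockdown is in effect'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

Run it once without -Apply to see what would change; the firewall scoping in particular will cut off any administrator who is not on the management subnet, so confirm the subnet before applying it on a fleet.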
Evolving TTPs
The updated alert also provides a list of new characteristics emerging from recent BianLian attacks.
For initial access, BianLian logs in with valid RDP credentials; it then uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol, Rclone or Mega, the advisory said.
"BianLian group actors target public-facing applications of both Windows and ESXi infrastructure, possibly leveraging the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) exploit chain to gain initial access," the update said.
Other new details on BianLian's evolving TTPs include:
- Command and control: The use of the reverse proxy tool Ngrok and/or a modified version of the open-source Rsocks utility. "The group may have used external proxy Rsocks to establish SOCKS5 network tunnels from victim networks and to mask the destination of C2 traffic."
- Privilege escalation: Exploitation of vulnerability CVE-2022-37969, which affects Windows 10 and 11 systems, to escalate privileges.
- Defense evasion: Renaming binaries and scheduled tasks after legitimate Windows services or security products. "BianLian group actors may pack executables using UPX to conceal their code in an attempt to bypass heuristic and signature-based detection methods."
- Discovery: Using PowerShell scripts to list all running processes, software installed, and local drives.
- Credential access: Use of SessionGopher, likely to extract session information for remote access tools.
- Persistence and lateral movement: In some instances, investigators have found that BianLian group actors established logon type 3 (network) connections to systems via Server Message Block. BianLian group actors have also created accounts and used them for lateral movement and persistence. "In one confirmed compromise, BianLian actors created multiple domain admin accounts for use in lateral movement to the domain controller. In the same compromise, the actors also created multiple Azure AD accounts to maintain access to the victim system."
- Exfiltration and impact: Updated extortion notes and pressure for victims to pay the group to not leak exfiltrated data, including the gang printing ransom notes on the victims' compromised networked printers and making threatening phone calls to individual employees.
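Several of the behaviours in that list leave artifacts a defender can hunt for on a single host: account creation and privileged-group additions (Security events 4720, 4728, 4732), scheduled tasks named after security products or Windows services whose action runs from a writable directory (event 4698), and UPX-packed executables, which carry section names UPX0/UPX1 unless the packer's defaults are changed. The script below is an added example written for this article, not tooling from the advisory or the agencies behind it. It assumes an elevated Windows PowerShell 5.1+ session, that account-management and scheduled-task auditing is enabled in the Security log (not the default on workstations), and that the vendor-name pattern, scan paths and lookback window are placeholders to tune per environment.

```powershell
# Added example (not from the advisory): hunt one Windows host for account
# creation / privileged group additions, look-alike scheduled tasks, and
# UPX-packed binaries. Run elevated with Windows PowerShell 5.1+.
# Assumptions: Security log auditing for 4720/4728/4732 and 4698 is enabled;
# $mimicNames, $ScanPaths and $LookbackDays are placeholders for this example.
param(
    [int]$LookbackDays = 7,
    [string[]]$ScanPaths = @("$env:ProgramData", "$env:TEMP", "$env:PUBLIC")
)

$since      = (Get-Date).AddDays(-$LookbackDays)
$trusted    = @("$env:windir\System32\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$mimicNames = 'defender|sense|crowdstrike|sentinel|sophos|mcafee|symantec|carbon|cortex|windows ?update|svchost|wuauserv'

function Get-EventData($Event) {
    # Flatten the EventData section of an event's XML into a hashtable keyed by field name.
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Test-UpxPacked([string]$Path) {
    # Walk the PE section table and return $true if any section is named UPX0/UPX1/UPX2.
    # Sections can be renamed, so a $false result does not prove the file is unpacked.
    try { $b = [System.IO.File]::ReadAllBytes($Path) } catch { return $false }
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $false }   # "MZ"
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                            # e_lfanew
    if ($pe -le 0 -or $pe + 24 -gt $b.Length -or [BitConverter]::ToInt32($b, $pe) -ne 0x4550) { return $false }  # "PE\0\0"
    $nSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize   = [BitConverter]::ToUInt16($b, $pe + 20)
    $secTable  = $pe + 24 + $optSize
    for ($i = 0; $i -lt $nSections; $i++) {
        $off = $secTable + 40 * $i
        if ($off + 8 -gt $b.Length) { break }
        $name = [Text.Encoding]::ASCII.GetString($b, $off, 8).TrimEnd([char]0)
        if ($name -match '^UPX\d') { return $true }
    }
    $false
}

# 1. Account creation and additions to global/local groups (persistence, lateral movement).
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4728,4732; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            By     = $d.SubjectUserName
            Target = if ($_.Id -eq 4720) { $d.TargetUserName } else { "$($d.MemberName) -> $($d.TargetUserName)" }
        }
    } | Format-Table -AutoSize

# 2. Scheduled tasks whose name mimics a security product or Windows service but whose
#    action runs from outside trusted directories (defense evasion).
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        $cmd = try { @(([xml]$d.TaskContent).Task.Actions.Exec.Command)[0] } catch { '' }
        $fromTrusted = [bool]($trusted | Where-Object { $cmd -like "$_*" })
        if ($d.TaskName -match $mimicNames -and -not $fromTrusted) {
            [pscustomobject]@{ Time = $_.TimeCreated; Task = $d.TaskName; Command = $cmd; By = $d.SubjectUserName }
        }
    } | Format-Table -AutoSize

# 3. UPX-packed executables and DLLs in user-writable locations.
Get-ChildItem -Path $ScanPaths -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { Test-UpxPacked $_.FullName } |
    Select-Object FullName, Length, LastWriteTime
```

The first two hunts are cheap enough to run on every host; the third is filesystem-bound, so scope $ScanPaths to directories an ordinary user can write to rather than the whole drive. Logon type 3 events (4624) are deliberately left out: on a domain member they are far too common to review by hand and belong in a SIEM correlation that keys on source host and account instead.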
BianLian, during the first nine months of 2024, was among the top three most active ransomware groups targeting the healthcare industry, behind LockBit and RansomHub, said Grayson North, senior security consultant at security firm GuidePoint.
"BianLian is attributable for 9% of the total healthcare victims year-to-date, and has historically disproportionately impacted healthcare and manufacturing organizations, potentially based on the belief that those in this vertical are more likely to pay a ransom," he said.
The American Hospital Association, in its own advisory on Thursday based on the updated FBI/CISA/ACSC alert, also warned its members and other healthcare sector entities that BianLian has been "one of the most active groups over the last several years."
BianLian's dark web site lists dozens of recent victims across many industries, including many in the healthcare sector.
Last month the gang listed Boston Children's Health Physicians, a pediatric group that practices in New York and Connecticut, on its dark web site, threatening to release stolen patient and employee data.
The pediatric practice said data had been compromised in a September incident involving an IT vendor (see: BianLian Ransomware Gang Claims Heist on Pediatric Data).
But as of Friday, BCHP was no longer listed on BianLian's dark web site. BCHP did not immediately respond to Information Security Media Group's request for comment on whether the practice had paid a ransom to the gang.