BianLian Cybercrime Group Changes Up Extortion Methods, Warns CISA

CISA urges small and midsized organizations as well as critical infrastructure to implement mitigations immediately to shield themselves from further data exfiltration attacks.

In an advisory this week, the US Cybersecurity and Infrastructure Security Agency (CISA) alongside the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning organizations of attacks made by the ransomware developer and data extortion group known as BianLian.
BianLian has been active since 2022. In the past, the ransomware gang has focused on using a double-extortion model where they encrypt victims systems and steal data, threatening to release the acquired data if the payment is not received. In January though, BianLian shifted its attack methods to focus primarily on exfiltration-based extortion rather than leading with encryption, the alert warned.
The group uses stolen remote desktop protocol (RDP) credentials to access victims networks, as well as open-source tools and command-line scripting to move around the network. Then it exfiltrates data through File Transfer Protocol (FTP), Rclone, or Mega. After this is completed, the group goes on to extort its victims.
Cybersecurity service provider
[redacted] released research on the group
in March detailing its high-level operational security and skill penetration, and its continued growth while operating as a ransomware organization. Its these tactics, techniques, and procedures (TTPs) that have allowed the gang to
target critical infrastructure organizations
in the US and Australia as well as professional services and property development organizations.
More often than not, extortion via data leak is the modus operandi of choice, says Tom Kellerman, senior vice president of cyberstrategy at Contrast Security, in response to the advisory. The shift is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but to disrupt the infrastructure that sustains it.
CISA urges organizations to implement
the mitigations it has provided in the advisory
, such as auditing remote access tools, reviewing logs for execution of remote access software, and enabling enhanced PowerShell logging, in light of these attacks.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
BianLian Cybercrime Group Changes Up Extortion Methods, Warns CISA