BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion

Published: 23/11/2024   Category: security


The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.



The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It's also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.
BianLian, first discovered last July, hasn't deviated much from its initial tactic: deploying a custom Go-based backdoor once it infiltrates a network. The functionality of the malware essentially remains the same except for a few tweaks, researchers from Redacted said in a blog post published today.
However, the swiftness with which the group's command-and-control (C2) infrastructure deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.
"BianLian has discovered that they don't need to actually encrypt victim networks to get paid," Adam Flatley, vice president of intelligence at Redacted, says.
This shift to focus on data-leak extortion is extremely dangerous, because it allows the group to take the time and effort to tailor the threats to specific victims and exert more pressure to pay ransoms, he adds.
BianLian will have an even stronger pressure position on trying to force their victims to not work with the FBI, to not report the incident, and just pay the ransom and move on, Flatley says.
BianLian's motivation for changing its encryption strategy is likely a response to Avast's release of a decryption tool that lets organizations targeted by the group unlock their files, the researchers noted.
Given that BianLian has used double-extortion methods from the outset, threatening to release a victim organization's stolen data online if a ransom wasn't paid by a certain deadline, the group decided to skip the encryption step and go right to extortion, according to Redacted.
This shift is part of BianLian's overall evolution and maturation as a business, the researchers said. While from its inception the group has had a high level of operational security and skill in network penetration, it now appears to be hitting its stride in terms of the actual business of running a cybercriminal extortion gang.
Indeed, moving away from the unique encryption method that it displayed in early attacks is a smart business move, Flatley says, particularly as an evasion tactic. "Because data theft does not cause network or business disruption, it calls less attention to BianLian's activity, which means their operations can fly more under the radar," he says.
"When business services are disrupted, it's very hard to keep an event quiet because customers and business partners start to notice that services are down, for example," Flatley says.
Another thing the group has going for it to achieve success with this new strategy is a faster time to deploy a backdoor on a network once they've gained initial access, the researchers said. This speed is linked to BianLian's strong C2 server game, with the group bringing close to 30 new ones online each month, each with a typical lifetime of about two weeks, they said.
Once BianLian establishes a C2 connection to a victim network, it now deploys its backdoor in mere minutes, which means that by the time security administrators discover a BianLian C2, it is highly likely that the group has already established a solid foothold in the victim's network, the researchers said.
While it's difficult to know how many victims BianLian has compromised, as of March 9 the group had detailed 116 victim organizations on its leak site, the researchers noted. Of those victims, healthcare organizations represent the single largest industry vertical victimized by the group, a shift from early attacks, which focused mainly on the media and entertainment sector.
With BianLian and other ransomware groups pivoting to pure extortion tactics, enterprises must also make changes to how they defend against these attacks, the researchers said.
They will need to focus even more on techniques that can help them avoid having to pay the ransom in double-extortion scenarios, Flatley says.
Some of those techniques include a stronger prevention strategy against easily thwarted attacks, as well as quicker detection of unpreventable network intrusions, he says. "This can be done by following best practices on passwords and multifactor authentication, aggressively patching your systems in a prioritized and enforced regime, and providing security training for your employees," Flatley wrote in a blog post on how organizations can avoid paying a ransom.
Shoring up incident response, as well as having a plan ahead of an attack to prepare for ransom demands, can also help organizations avoid the worst outcome of extortion-based attacks, Flatley says.
As part of the former, Flatley notes in his post that organizations should ensure that they have good system backups, that those backups are secured effectively so an attacker can't access them, and that the restoration process is fully tested to ensure it works correctly.
