Researchers Spot Snowballing BianLian Ransomware Gang Activity

Published: 23/11/2024   Category: security



The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.



A new player in the ransomware space called BianLian is ramping up activity, and has already targeted organizations in Australia, North America, and the United Kingdom.
According to an advisory from cybersecurity firm Redacted, there has been a troubling rise in the rate at which BianLian is bringing new command-and-control (C&C) servers online.
The ransomware was created with Golang (Go), the Google-created open source programming language, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
"While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them," the researchers noted in the Friday post.
BianLian has been rising in popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on the ransomware last month.
To begin its attacks, the ransomware gang leverages the access gained through the ProxyShell vulnerabilities to install a Web shell or ngrok payload for monitoring activities. The group has been taking care to avoid detection and minimize observable events as it hunts for data and identifies machines to encrypt, researchers said.
In a campaign observed by Redacted, once in, BianLian most often utilized standard living off the land (LoL) techniques for network profiling and lateral movement, the report noted. These included net.exe to add and/or modify user permissions; netsh.exe to configure host firewall policies; and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.
In addition to leveraging the LoL techniques, the group is also known to deploy a custom implant as an alternative means to maintain persistent network access. The main objective of this simple but effective backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.
"BianLian have shown themselves to be adept with the methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network," the report stated.
BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is also able to boot servers into Windows Safe Mode to execute its file-encrypting malware while remaining undetected by security solutions installed on the system. Other measures taken to circumvent security barriers include deleting snapshots, purging backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts.
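The LoL tooling and encryption-prep steps described in the two passages above (net.exe, netsh.exe, reg.exe, Safe Mode boot, snapshot deletion) are each common admin noise on their own; the defensive signal is several of them on one host in a short window. The following detection triage is an added example, not code from Redacted or the original article; the `time|host|parent|image|cmdline` log format and every sample event are constructed for illustration.

```python
"""Triage Windows process-creation events for the BianLian-style LoL chain.
Record format (constructed for this example): time|host|parent|image|cmdline."""
import re
from collections import defaultdict

# category -> (process basename, regex the command line must match).
# One hit is routine administration; several categories on one host is the signal.
RULES = {
    "account_change":  ("net.exe",      re.compile(r"\b(user|localgroup)\b.*/add\b", re.I)),
    "firewall_change": ("netsh.exe",    re.compile(r"\badvfirewall\b.*\b(add|set)\b", re.I)),
    "rdp_registry":    ("reg.exe",      re.compile(r"\badd\b.*Terminal Server", re.I)),
    "safe_mode_boot":  ("bcdedit.exe",  re.compile(r"\bsafeboot\b", re.I)),
    "snapshot_delete": ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
}

def parse_event(line):
    """Split one constructed record; image is reduced to its lowercase basename."""
    time, host, parent, image, cmdline = line.split("|", 4)
    return {"time": time, "host": host, "parent": parent,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def classify(event):
    """Return the set of rule categories this single event matches."""
    return {cat for cat, (image, pattern) in RULES.items()
            if event["image"] == image and pattern.search(event["cmdline"])}

def flag_hosts(lines, min_categories=3):
    """Aggregate categories per host; flag hosts showing >= min_categories
    distinct categories, i.e. the profiling -> access -> encryption-prep chain."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        seen[ev["host"]] |= classify(ev)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= min_categories}

SAMPLE_LOG = [  # constructed events, not taken from any real incident
    "2024-11-20T10:01:02|WS-17|cmd.exe|C:\\Windows\\System32\\net.exe|net user svc_backup P@ss /add",
    "2024-11-20T10:01:09|WS-17|cmd.exe|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall add rule name=rdp dir=in action=allow",
    "2024-11-20T10:01:15|WS-17|cmd.exe|C:\\Windows\\System32\\reg.exe|reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2024-11-20T10:02:30|WS-17|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2024-11-20T11:15:00|FS-02|explorer.exe|C:\\Windows\\System32\\netsh.exe|netsh advfirewall show allprofiles",
    "2024-11-20T11:15:05|FS-02|explorer.exe|C:\\Windows\\System32\\net.exe|net view",
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG))  # {'WS-17': ['account_change', 'firewall_change', 'rdp_registry', 'snapshot_delete']}
```

The read-only `netsh ... show` and `net view` events on FS-02 deliberately match no rule, so that host stays below the threshold; tune `min_categories` and the regexes to your environment's baseline.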
The group's emergence adds to the growing number of threats using Go as a base language, allowing adversaries to make quick changes in a single code base that can then be compiled for multiple platforms.
Acronis' mid-year cyber-threats report found that ransomware continues to be the top threat to large and midsize businesses, including government organizations, while research from Sophos indicates ransomware gangs may be working in concert to orchestrate multiple attacks.
Further complicating the security landscape is the emergence of data marketplaces that make it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.
Despite the growing risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among businesses with cyber insurance, according to a BlackBerry survey.
The Redacted advisory recommended using a layered approach when trying to mitigate the threat posed by ransomware actors.
"Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens," the report said.
The foundation of this strategy includes multifactor authentication (MFA), secure backups, and an incident response plan.
