BianLian is a sophisticated ransomware group that has rapidly evolved since its emergence, earning its name from the traditional Chinese art of "face-changing," symbolizing its agile adaptation and rapid evolution in the cyber threat landscape. First observed as an Android banking trojan in 2019, BianLian transitioned to ransomware operations, with its ransomware variant first identified in July 2022. The group operates globally, targeting a wide array of sectors and employing a constantly evolving set of tactics, techniques, and procedures (TTPs) to maximize its impact and financial gain. This profile provides a deep dive into BianLian's origins, evolution, TTPs, target sectors, attack campaigns, and, most importantly, defensive strategies to help security professionals combat this persistent threat. BianLian has shifted from double extortion to a sole focus on data exfiltration. The group is currently ranked as a top 3 threat by victim postings.
BianLian's journey began as an Android banking trojan in 2019, targeting individual users. However, the group underwent a significant transformation, shifting its focus to ransomware operations targeting organizations. The BianLian ransomware variant was first observed in the wild in July 2022. This marked the group's entry into the increasingly crowded ransomware-as-a-service (RaaS) landscape.
The group's name, "BianLian," is derived from a traditional Chinese dramatic art form where performers rapidly change masks, symbolizing the group's adaptability and ever-changing tactics. This "shape-shifting" capability has been a defining characteristic of BianLian's evolution.
Initially, BianLian employed a double-extortion model, encrypting victims' files and exfiltrating sensitive data, then threatening to release the data publicly if the ransom was not paid. However, in January 2023, Avast released a free decryptor for the BianLian ransomware. This event served as a catalyst for a significant strategic shift: BianLian responded by pivoting primarily to data exfiltration and extortion without encryption. By January 2024 the group was relying exclusively on data exfiltration.
Cybersecurity agencies including the FBI, CISA, and ASD's ACSC assess that BianLian is likely based in Russia, with multiple Russia-based affiliates, despite the group's efforts to complicate attribution by using foreign-language names.
Researchers at Unit42 have also identified potential connections between BianLian and the Makop ransomware group, noting shared tools and TTPs, particularly a customized .NET tool used for file enumeration and data exfiltration. This suggests potential collaboration, shared resources, or a common service provider within the underground cybercrime ecosystem.
BianLian employs a multi-stage attack methodology, characterized by its adaptability and use of both custom and readily available tools. The group's operations can be broken down into the following key stages:
Initial Access: BianLian leverages several methods to gain initial access to victim networks:
Compromised RDP Credentials: Often acquired from initial access brokers or through phishing campaigns, exposed Remote Desktop Protocol (RDP) credentials remain a common entry point.
Phishing: Spear-phishing emails with malicious attachments or links are used to trick users into executing malware or providing credentials.
Exploitation of Public-Facing Applications: (NEW, Nov 2024) BianLian has been observed targeting public-facing Windows and ESXi applications, potentially exploiting the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and SonicWall VPN vulnerabilities.
Execution: Once inside the network, BianLian executes various commands and scripts:
Command and Scripting Interpreter: Uses PowerShell and the Windows Command Shell (cmd) extensively for various tasks, including disabling security tools, gathering information, and executing payloads.
Scheduled Tasks: Creates scheduled tasks to maintain persistence and execute malicious code at specific intervals.
Persistence: BianLian employs several techniques to maintain a foothold in the compromised network:
Account Manipulation: Enabling local administrator accounts, creating new local accounts, and adding user accounts to the local Remote Desktop Users group.
Creating Domain and Azure AD Accounts: (NEW, Nov 2024) Creating multiple domain admin accounts and Azure AD accounts for persistence and lateral movement.
Webshells: (NEW, Nov 2024) Installing webshells for persistence on a victim's Exchange server.
Modifying Firewall Rules: Adjusting firewall rules to allow RDP traffic and facilitate lateral movement.
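As an added example (not from the original article or the agencies' advisory), the Python below correlates constructed Windows Security log records for the persistence chain described above: an account is created or enabled and, within a short window on the same host, is added to the Remote Desktop Users group or used to register a scheduled task. The event IDs are the standard Windows Security log IDs; hostnames, account names, task names and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Window in which account creation/enablement must be followed by RDP-group
# membership or a new scheduled task to count as the persistence chain.
WINDOW = timedelta(minutes=30)
RDP_GROUP = "Remote Desktop Users"

# Constructed sample Security-log records (not real telemetry). Event IDs are
# the standard ones: 4720 account created, 4722 account enabled,
# 4732 member added to a local group, 4698 scheduled task created.
EVENTS = [
    {"ts": "2024-11-05T02:14:03", "host": "FS01", "id": 4722, "target": "Administrator"},
    {"ts": "2024-11-05T02:14:09", "host": "FS01", "id": 4720, "target": "svc_backup2"},
    {"ts": "2024-11-05T02:14:15", "host": "FS01", "id": 4732, "target": "svc_backup2",
     "group": RDP_GROUP},
    {"ts": "2024-11-05T02:31:40", "host": "FS01", "id": 4698, "target": "svc_backup2",
     "task": "\\Microsoft\\Windows\\Defender\\Update"},  # name mimics a Windows task
    # Routine onboarding: account created, RDP access granted a day later.
    {"ts": "2024-11-05T09:30:00", "host": "WS22", "id": 4720, "target": "jdoe"},
    {"ts": "2024-11-06T10:02:00", "host": "WS22", "id": 4732, "target": "jdoe",
     "group": RDP_GROUP},
]


def detect(events, window=WINDOW):
    """Return one alert per (host, account) whose creation/enablement is followed
    within `window` by Remote Desktop Users membership or a scheduled task."""
    by_key = defaultdict(list)
    for e in events:
        rec = {**e, "ts": datetime.fromisoformat(e["ts"])}
        by_key[(e["host"], e["target"])].append(rec)
    alerts = []
    for (host, account), recs in by_key.items():
        starts = [r["ts"] for r in recs if r["id"] in (4720, 4722)]
        reasons = []
        for r in recs:
            # Only events that follow a create/enable event within the window count.
            if not any(timedelta(0) <= r["ts"] - s <= window for s in starts):
                continue
            if r["id"] == 4732 and r.get("group") == RDP_GROUP:
                reasons.append("4732: added to Remote Desktop Users")
            elif r["id"] == 4698:
                reasons.append(f"4698: scheduled task {r['task']} registered")
        if reasons:
            alerts.append({"host": host, "account": account, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[ALERT] {a['host']} {a['account']}: " + "; ".join(a["reasons"]))
```

The lone 4722 on FS01 and the day-later onboarding on WS22 produce no alert; only the svc_backup2 chain does, with both the RDP-group add and the task registration listed as reasons.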
Privilege Escalation:
(NEW, Nov 2024) Exploiting CVE-2022-37969 (Windows 10/11 vulnerability) for privilege escalation.
Exploiting the Netlogon vulnerability (CVE-2020-1472) has also been observed.
Defense Evasion: BianLian actively attempts to evade detection and security measures:
Disabling Antivirus: Uses PowerShell and cmd to disable Windows Defender and the Antimalware Scan Interface (AMSI).
Modifying Registry: Modifying the Windows Registry to disable tamper protection for Sophos services.
Masquerading: (NEW, Nov 2024) Renaming binaries and scheduled tasks to mimic legitimate Windows services or security products.
Packing Executables: (NEW, Nov 2024) Using UPX packer to conceal code and bypass signature-based detection.
Credential Access: BianLian employs several techniques to steal credentials:
OS Credential Dumping: Harvesting credentials from LSASS memory using cmd.exe.
Accessing NTDS.dit: Attempting to access the Active Directory domain database (NTDS.dit) using tools like secretsdump.py from the Impacket framework.
RDP Recognizer: Potentially using RDP Recognizer for brute-forcing RDP credentials.
SessionGopher: (NEW, Nov 2024) Using SessionGopher, likely to extract session information for remote access tools (RATs).
Discovery: BianLian gathers information about the compromised network and its resources:
Network Service Discovery: Using tools like Advanced Port Scanner and SoftPerfect Network Scanner.
Network Share Discovery: Employing tools like SharpShares.
Domain Reconnaissance: Using PingCastle.
Native Windows Tools: Leveraging native Windows tools and cmd to query users, domain controllers, groups, network devices, and more.
PowerShell Scripts: (NEW, Nov 2024) Using PowerShell scripts to list all running processes, software installed, and local drives.
Lateral Movement: BianLian moves laterally within the network to access additional systems and data:
Valid Accounts: Using compromised or stolen credentials with PsExec and RDP.
SMB Connections: (NEW, Nov 2024) Establishing network login type 3 connections to systems via SMB.
Collection:
Malware (system.exe) to enumerate registry values and files and copy clipboard data.
(NEW, Nov 2024) PowerShell scripts to compress and/or encrypt data collected prior to exfiltration.
Command and Control (C2): BianLian uses various methods for C2 communication:
Custom Backdoor: A custom backdoor written in Go, specific to each victim, was initially used. Go gives the tooling cross-platform capabilities, targeting Windows, Linux, and macOS systems.
Remote Management Tools: Utilizing legitimate remote management and access software like TeamViewer, Atera Agent, SplashTop, and AnyDesk.
Ngrok and Rsocks: (NEW, Nov 2024) May be using Ngrok and/or a modified version of the open-source Rsocks utility.
Exfiltration: BianLian exfiltrates stolen data using several methods:
FTP: File Transfer Protocol is a common exfiltration method.
Rclone: Using Rclone to synchronize files with cloud storage services.
Mega: Utilizing the Mega file-sharing service.
Impact:
Threatening to release stolen data, exposing the victim to financial and legal ramifications if the ransom is not paid.
Printing ransom notes on compromised network printers.
Threatening phone calls to employees of victim companies.
BianLian has demonstrated a broad targeting strategy, impacting various sectors and geographic regions.
Motivations: Primarily financial gain, though the targeting of critical infrastructure suggests potential secondary motivations related to disruption and espionage.
Potential Impact: Data breaches, operational disruption, financial losses, reputational damage, and potential legal and regulatory consequences.
Targeted Industries:
United States: Primarily critical infrastructure sectors (since June 2022), including healthcare, manufacturing, legal services, and engineering.
Australia: Predominantly private enterprises, with at least one critical infrastructure organization.
Global: Also opportunistically targets financial institutions, government, professional services, media and entertainment, education, and law firms.
Geographic Focus: While BianLian operates globally, there is a higher concentration of attacks in North America (especially the United States and Canada) and Europe (notably the United Kingdom). Recent activity indicates increasing targeting of India and other regions.
BianLian has been linked to several high-profile attacks, showcasing its evolving tactics and impact:
Mid-2022 to Mid-2023: BianLian actively posted victims on its leak site, peaking around May 2023.
Post-May 2023: A decline in victim postings was observed, attributed to the release of a decryptor, improved defenses, and increased law enforcement attention.
Early 2024 Resurgence: BianLian experienced a resurgence in early 2024, particularly in February, with a renewed focus on Legal Services, Healthcare, and Engineering.
Boston Children's Health Physicians (BCHP) - September 2024: Compromised via a third-party IT vendor, leading to the exfiltration of patient and employee PII.
Affiliated Dermatologists (AD) - March 2024: Affected 373,379 individuals, compromising PII and medical information.
Texas Retina Associates - April 2024: Impacted 312,867 patients, with PII, medical record numbers, and health insurance information compromised.
Northern Minerals (Australian mining company) - June 2024: A confirmed attack by the group.
Other victims include Murfreesboro Medical Clinic, Evergreen Seamless Pipes & Tubes, and Ella Insurance Brokerage, along with several unnamed organizations.
February 25, 2025 (Scam): Physical letters impersonating BianLian were sent to US healthcare executives.
Combating BianLian requires a multi-layered defense strategy, focusing on proactive measures, robust detection capabilities, and incident response preparedness. Key defense strategies include:
Remote Access Security:
Audit, limit, and secure remote access tools (RDP, VPNs, VDIs).
Implement MFA for all remote access.
Monitor and log all remote access connections.
Application Control: Implement application allowlisting to prevent the execution of unauthorized software.
PowerShell Security:
Restrict PowerShell usage to authorized administrators.
Update PowerShell to the latest version.
Enable enhanced PowerShell logging.
Account Management:
Audit user accounts and permissions regularly.
Enforce the principle of least privilege.
Implement time-based access (JIT - Just-In-Time) where appropriate.
Backup and Recovery: Maintain offline, immutable, and encrypted backups of critical data. Regularly test the restoration process.
Password Policies:
Enforce strong, unique passwords.
Implement multi-factor authentication (MFA) wherever possible.
Patch Management: Implement a timely patching process to address known vulnerabilities, especially in public-facing applications.
Network Segmentation: Segment the network to limit the lateral movement of attackers.
Monitoring and Detection:
Implement network monitoring tools and Endpoint Detection and Response (EDR) solutions.
Monitor for unusual network traffic patterns and suspicious activity; an observability platform such as Datadog is one possible starting point.
Antivirus: Install and regularly update antivirus software on all endpoints.
Disable Unused Ports and Protocols: Close ports and disable protocols that are not required for business operations.
Email Security: Use banners for external emails, email filtering, and advanced threat protection. Consider publishing an SPF record for your domain.
Cybersecurity Training: Provide cybersecurity awareness, and phishing identification training.
Cyber Threat Intelligence (CTI): Use threat intelligence to detect or prevent an incident before the risk materializes.
Attack Surface Management (ASM): Maintain visibility into the current exposure and risks of your IT infrastructure.
Validate Security Controls: Regularly test that the controls above work as intended.
Incident Response Plan: Develop and regularly test an incident response plan to minimize damage in case of a breach. Familiarity with the incident response lifecycle is important.
BianLian represents a significant and evolving threat in the ransomware landscape. Its adaptability, demonstrated by the shift from double extortion to data exfiltration-only tactics, underscores the need for organizations to remain vigilant and proactive in their defenses. The group's targeting of critical infrastructure and various sectors highlights the potential for widespread disruption and significant financial and reputational damage. By understanding BianLian's origins, TTPs, and target profile, and by implementing robust, multi-layered security measures, organizations can significantly reduce their risk of falling victim to this shape-shifting extortionist group. Continuous monitoring, threat intelligence, and a strong security posture are essential to staying ahead of this persistent and evolving threat. A SIEM solution such as Splunk can help with this, and regular vulnerability assessments are also important.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.