Advisory regarding emerging BianLian Ransomware Group

The United States FBI, CISA, and Australian Cyber Security Centre (ACSC) release a joint Cybersecurity Advisory to warn about the emerging BianLian ransomware and data extortion group

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group, emerging since June 2022, and targeting the U.S. and Australian critical infrastructure sectors, in addition to professional services and property development.

The group makes use of open-source tools and command-line scripting to discover and harvest credentials, that are then used to access the victims' systems through Remote Desktop Protocol (RDP). Once entered the network data is exfiltrated via File Transfer Protocol (FTP), Rclone, or Mega.

When gathered a sufficient volume of data, or sensitive documents, the BianLian group actors then extort money by threatening to release the data if payment is not made.

The BianLian group originally executed a double-extortion model, consisting in data exfiltration, followed by data encryption. Since January 2023, the group shifted its action to primarily exfiltration-based extortion.

FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of the advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.

The advisory provides the IOCs obtained from FBI investigations, and references the MITRE ATT&CK® for Enterprise framework to describe the tactics and techniques adopted by the extortion group.

Link to the BianLian Ransomware advisory