Highlights:

  • BianLian, once employing “double-extortion” attacks (encrypting and stealing data), now only steals data and threatens publication if the ransom isn’t paid.
  • BianLian employs diverse methods for initial access, including exploiting vulnerabilities like ProxyShell, using stolen Remote Desktop Protocol credentials, and targeting virtual private network providers.

A recent report from Unit 42 by Palo Alto Networks Inc. outlines shifts in the operational tactics of the prolific BianLian ransomware group as it focuses primarily on targeting the healthcare and manufacturing sectors in the U.S. and Europe.

BianLian surfaced around 2021 but gained notable recognition in 2022 by focusing on companies in the U.S., the U.K., and Australia through conventional ransomware tactics, including encrypting data and demanding a ransom. Previously combining encryption and data theft in “double-extortion” attacks, BianLian now just steals data and threatens to publish it if its victims do not pay the ransom.

Throughout 2023, Unit 42 researchers noted BianLian’s rise in prominence due to its strategic shift focused solely on data theft. By eliminating the encryption phase, BianLian streamlines its attack complexity while retaining influence over victims through the looming threat of data exposure.

While executing its attacks, BianLian employs a custom .NET tool designed for data extraction that is shared with the Makop ransomware group. Researchers propose a potential collaboration or resource-sharing arrangement between the groups. This tool retrieves sensitive information from compromised systems, encompassing files, registry data, and clipboard contents. Notably, the tool’s codebase includes elements in the Russian language, suggesting the group’s potential origins.

BianLian uses diverse methods to gain initial access, including exploiting vulnerabilities like ProxyShell, using stolen Remote Desktop Protocol credentials, and targeting virtual private network providers. After gaining entry, the group employs sophisticated techniques for lateral movement and persistence, making its activity difficult to detect and counter.

A noteworthy aspect of the report is BianLian’s shift in emphasis toward the healthcare and manufacturing sectors. In January 2023, the group claimed to have breached a California-based hospital, gaining access to 1.7 terabytes of data containing the personal information of both patients and employees. The report describes attacks on healthcare organizations as being “especially concerning because they disrupt hospitals’ day-to-day operations and potentially endanger patients’ lives.”

Organizations are advised to strengthen their cybersecurity posture to guard against the threat posed by ransomware groups like BianLian. Unit 42 naturally recommends Palo Alto Networks platforms such as Cortex XDR and XSIAM, but the most important point is to take precautions against the risk itself. Conducting routine security assessments, providing cyber hygiene training to staff, and putting strong data backup and recovery procedures in place can all help.