BianLian's Evolving Tactics Tracked with Connections to Makop
BianLian's steady stream of ransomware activity makes it a formidable threat in the cybersecurity landscape, striking key sectors in the United States, the European Union, and India. Unit 42's analysis of the gang's activity found indiscriminate targeting across industry verticals, enough to place BianLian among Unit 42's top 10 active ransomware groups. Its most significant impact in 2023 was on organizations in healthcare, manufacturing, and professional and legal services. Unit 42 highlights the gang's capabilities with its recent breach of St. Rose Hospital in California, where it stole 1.7TB of data, attacking with disregard for patient care and well-being. Beyond the direct consequences for the victim organization, the incident raises alarms over the risks to patient privacy and operational integrity.
A technical examination of BianLian's arsenal shows familiar initial-access tactics: compromised credentials used to log in over RDP or VPN, and exploitation of vulnerabilities such as ProxyShell. Once inside, the gang manipulates the Security Accounts Manager (SAM) to extract hashed passwords, establishes persistence through discreetly placed backdoor components and scheduled tasks, and runs Advanced Port Scanner for reconnaissance to map the network and plan lateral movement within the compromised systems.
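The post-access techniques above (SAM hive extraction for password hashes, scheduled tasks for persistence, Advanced Port Scanner for discovery) are each visible in ordinary Windows host telemetry. The following is an added example, not code from the Unit 42 report or from any BianLian tooling: a small triage filter that maps constructed process-creation and task-creation events onto those techniques and singles out hosts where more than one stage fired. The event IDs are the standard Windows Security log IDs (4688 process creation, 4698 scheduled task created); every hostname, path and task name in the sample data is a constructed placeholder, and the Advanced Port Scanner executable name is an assumption for illustration.

```python
# Added example (not from the Unit 42 report): triage filter over constructed
# Windows Security log events for the BianLian post-access techniques above.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    event_id: int       # Windows Security log event ID
    command_line: str   # full command line for 4688 events; empty otherwise


# (technique label, event ID or None, command-line regex or None).
# A rule fires when the event ID matches, or when the regex matches the command line.
RULES = [
    # Persistence: a scheduled task was created, seen either as the audit
    # event itself or as schtasks.exe invoked with /create.
    ("persistence: scheduled task created", 4698, None),
    ("persistence: scheduled task created", None,
     re.compile(r"(^|\\)schtasks(\.exe)?\s+/create\b", re.IGNORECASE)),
    # Credential access: the SAM registry hive being exported with reg.exe,
    # the usual precursor to offline recovery of password hashes.
    ("credential access: SAM hive export", None,
     re.compile(r"(^|\\)reg(\.exe)?\s+save\s+\"?hklm\\sam\b", re.IGNORECASE)),
    # Discovery: Advanced Port Scanner process start. The executable name is an
    # assumption for illustration; in production, match on the hash from your intel feed.
    ("discovery: Advanced Port Scanner", None,
     re.compile(r"advanced_port_scanner[^\\]*\.exe", re.IGNORECASE)),
]


def triage(events):
    """Return a list of (host, technique) findings, one per rule that matched an event."""
    findings = []
    for ev in events:
        for label, event_id, pattern in RULES:
            if event_id is not None and ev.event_id == event_id:
                findings.append((ev.host, label))
            elif pattern is not None and pattern.search(ev.command_line):
                findings.append((ev.host, label))
    return findings


def hosts_with_multiple_stages(findings):
    """Hosts where more than one distinct technique fired. These get the first
    look, because a single hit (an administrator's scheduled task, say) is common."""
    by_host = {}
    for host, label in findings:
        by_host.setdefault(host, set()).add(label)
    return sorted(h for h, labels in by_host.items() if len(labels) > 1)


# Constructed sample telemetry; hostnames, paths and task names are placeholders.
SAMPLE_EVENTS = [
    Event("WS-01", 4688, r"C:\Windows\System32\schtasks.exe /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon"),
    Event("WS-01", 4698, ""),
    Event("WS-01", 4688, r"C:\Windows\System32\reg.exe save HKLM\SAM C:\Users\Public\sam.out"),
    Event("WS-02", 4688, r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"),
    Event("WS-03", 4688, r"C:\Tools\advanced_port_scanner.exe"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host, label in found:
        print(f"{host}: {label}")
    print("escalate first:", hosts_with_multiple_stages(found))
```

Run as a script it lists four findings and escalates WS-01, the only host where both a persistence and a credential-access rule fired. The single-hit hosts are deliberately left for a second pass: scheduled tasks and hive exports both occur in legitimate administration, so correlating stages on one host is what turns these rules from noise into a lead.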
Furthermore, Unit 42's research draws attention to interconnections within the ransomware ecosystem, evidenced by methodologies and tools that BianLian shares with other groups such as Makop. Specifically, both BianLian and Makop use a "small custom .NET tool", and both use a copy of Advanced Port Scanner with the same hash, which points to a potential connection. "A possible – yet not confirmed – explanation for this overlap is that BianLian could be sharing a codebase with the Makop group, or using the services of the same third-party developers. This phenomenon is well-known and documented among certain underground cybercrime groups," Daniel Frank from Unit 42 explains. Recruitment ads also signal an effort by the gang to expand its operations.
BianLian's operations began with the usual double-extortion tactic; however, the gang has since shifted to a streamlined data-extortion approach, skipping the encryption of victims' data and directly threatening to release the stolen information unless a ransom is paid. This pivot underscores a concerning trend toward extortion without encryption, intended to speed up the criminals' gains. The same transition is noted in advisories released by CISA and the Australian Cyber Security Centre (ACSC).