#StopRansomware: Highlights BianLian Ransomware
Category: Ransomware News | Industry: Critical Infrastructure | Source: CISA
The latest #StopRansomware advisory highlights the activities of the BianLian ransomware group. The advisory is the product of a joint intelligence effort between US agencies, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC). Intelligence gathered by these agencies through March 2023 sheds light on the group's operations and tactics. BianLian has shown a particular interest in critical infrastructure organizations of all sizes. Notably, in January 2023 the group shifted its model from double extortion with ransomware encryption to "exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion," said CISA. BianLian now extorts its victims solely with the threat of leaking the data it has stolen.
Federal agencies documented a range of TTPs. For initial access, BianLian relies on common methods such as phishing and RDP logons with compromised valid accounts, often purchased from initial access brokers. For persistence and command and control, the operators drop custom implants, install remote access software, and create new administrator accounts. Living-off-the-land binaries (LOLBins) such as the Windows Command Shell and PowerShell are used to disable monitoring and security services. Native Windows commands enumerate the host and Active Directory, supplemented by reconnaissance tools such as Advanced Port Scanner and SoftPerfect Network Scanner. Credentials are harvested by dumping LSASS memory, running the Impacket script secretsdump.py, and copying the Active Directory domain database, NTDS.dit. For lateral movement, the actors use PsExec and RDP with valid accounts to spread through the victim's network. They were also observed adding firewall rules to allow RDP where it had been disabled, and exploiting the ZeroLogon vulnerability, CVE-2020-1472.
Once the actors have identified and collected data of interest, they exfiltrate it using tools such as Rclone, FTP, and the Mega file-sharing service. Ransom notes left on victim workstations provide the contact channels for negotiating with BianLian. CISA reports, "BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group."
Anvilogic Use Cases:
- RDP Tampers with System Config & Data Exfiltration
- Remote Access Software Execution
- ZeroLogon CVE-2020-1472
- Common LSASS Memory Dump Behavior