CISA and Partners Release BianLian Ransomware Cybersecurity Advisory
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.
BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega.
BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.
Initial Access
BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566].
Command and Control
BianLian group actors implant a custom backdoor specific to each victim written in Go (see the Indicators of Compromise Section for an example) [T1587.001] and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control [T1105],[T1219].
FBI also observed BianLian group actors create and/or activate local administrator accounts [T1136.001] and change those account passwords [T1098].
Defense Evasion
BianLian group actors use PowerShell [T1059.001] and Windows Command Shell [T1059.003] to disable antivirus tools [T1562.001], specifically Windows Defender and the Anti-Malware Scan Interface (AMSI). BianLian actors modify the Windows Registry [T1112] to disable tamper protection for the Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. See Appendix: Windows PowerShell and Command Shell Activity in the full advisory for additional information, including specific commands they have used.
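The defense-evasion activity above leaves traces in PowerShell script-block logging (Event ID 4104) and command-line auditing. The following is an added example, not code from the advisory or from this blog, of matching such records against the three behaviours the advisory names: Defender preferences being disabled, AV services being stopped or disabled, and registry edits to the Sophos service entries. The regexes, the tab-separated log layout and the sample records are all constructed for this example; the Sophos service names are taken from the advisory text but their registry paths are an assumption.

```python
import re
from typing import Iterable

# Heuristics for the defense-evasion behaviour the advisory describes:
# turning off Defender preferences, stopping or disabling AV services, and
# editing the registry entries of the Sophos services named in the advisory.
# The regexes (and the exact Sophos service names) are an assumption of this
# example, not detection signatures published in the advisory.
SOPHOS_SERVICES = r"(?:SAVService|SAVEnabled|SEDEnabled|SEDEenabled)"
EVASION_RULES = {
    "defender_preference_disabled": re.compile(
        r"Set-MpPreference\b.*?-Disable\w+", re.IGNORECASE),
    "av_service_stopped_or_disabled": re.compile(
        r"(?:Stop-Service|Set-Service|sc(?:\.exe)?\s+(?:stop|config))\b.*?"
        + SOPHOS_SERVICES + r"\b", re.IGNORECASE),
    "sophos_service_registry_edit": re.compile(
        r"(?:reg(?:\.exe)?\s+add|Set-ItemProperty|New-ItemProperty)\b.*?"
        r"\\Services\\" + SOPHOS_SERVICES + r"\b", re.IGNORECASE),
}

# Constructed sample of PowerShell script-block records (Event ID 4104 style)
# flattened to tab-separated fields: timestamp, host, user, script text.
SAMPLE_LOG = (
    "2023-03-01T02:14:07Z\tFS01\tCORP\\svc_backup\t"
    "Get-ChildItem C:\\Shares -Recurse | Measure-Object\n"
    "2023-03-01T02:15:30Z\tFS01\tCORP\\admin2\t"
    "Set-MpPreference -DisableRealtimeMonitoring $true\n"
    "2023-03-01T02:15:41Z\tFS01\tCORP\\admin2\t"
    "Set-Service -Name SAVService -StartupType Disabled\n"
    "2023-03-01T02:16:02Z\tFS01\tCORP\\admin2\t"
    "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\SAVService"
    " /v Start /t REG_DWORD /d 4 /f\n"
    "2023-03-01T03:00:00Z\tWS22\tCORP\\jdoe\t"
    "Set-MpPreference -ScanScheduleDay 1\n"
)


def parse_log(text: str) -> list[dict]:
    """Turn the tab-separated sample into one dict per script-block record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, host, user, script = line.split("\t", 3)
        records.append({"timestamp": timestamp, "host": host,
                        "user": user, "script": script})
    return records


def scan(records: Iterable[dict]) -> list[dict]:
    """Return one finding per (record, rule) match."""
    findings = []
    for rec in records:
        for rule, pattern in EVASION_RULES.items():
            if pattern.search(rec["script"]):
                findings.append({**rec, "rule": rule})
    return findings


def hosts_with_multiple_rules(findings: Iterable[dict]) -> dict[str, set[str]]:
    """Hosts where more than one distinct evasion rule fired. Several
    different tampering steps on one host in a short span is the pattern the
    advisory describes and is a stronger signal than any single hit."""
    by_host: dict[str, set[str]] = {}
    for finding in findings:
        by_host.setdefault(finding["host"], set()).add(finding["rule"])
    return {host: rules for host, rules in by_host.items() if len(rules) > 1}


if __name__ == "__main__":
    hits = scan(parse_log(SAMPLE_LOG))
    for hit in hits:
        print(f'{hit["timestamp"]} {hit["host"]} {hit["user"]}: {hit["rule"]}')
    print("escalate:", hosts_with_multiple_rules(hits))
```

The benign lines (a share listing and a scheduling change to Defender that does not disable anything) are there to show the rules are narrow enough not to fire on routine administration; the escalation step groups hits per host so a single administrator's legitimate one-off change ranks below a host where preference, service and registry tampering all appear together.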
Indicators of Compromise
| Name | SHA-256 Hash | Description |
| --- | --- | --- |
| def.exe | 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893 | Malware associated with BianLian intrusions; an example of a possible backdoor developed by the BianLian group. |
| encryptor.exe | 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43 | Example of a BianLian encryptor. |
| exp.exe | 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500 | Possible NetLogon vulnerability (CVE-2020-1472) exploitation. |
| system.exe | 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce | Enumerates registry and files. Reads clipboard data. |
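File names such as def.exe are trivially changed, so the hashes are the part of the table worth matching on. Below is an added example, not code from the advisory or from this blog, that sweeps a directory tree and reports any file whose SHA-256 is one of the four digests listed above. The digests are copied from the table; the scanning code, the streaming hash helper and the self-check with a constructed sample file are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values from the advisory's indicator table, keyed by digest so a
# renamed copy of the same binary still matches.
BIANLIAN_IOC_HASHES = {
    "7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893":
        "def.exe: possible BianLian backdoor",
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43":
        "encryptor.exe: BianLian encryptor",
    "0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500":
        "exp.exe: possible CVE-2020-1472 exploitation",
    "40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce":
        "system.exe: registry/file enumeration, clipboard reads",
}


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, ioc_hashes: dict[str, str]) -> list[tuple[Path, str, str]]:
    """Walk root and return (path, digest, description) for every file whose
    SHA-256 is in ioc_hashes. Files that cannot be read (locked, permission
    denied) are skipped so one bad file does not abort the whole sweep."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = hash_file(path)
        except OSError:
            continue
        if digest in ioc_hashes:
            hits.append((path, digest, ioc_hashes[digest]))
    return hits


def self_check() -> bool:
    """Constructed end-to-end check: drop a file with known content into a
    temp directory and confirm scan_tree finds it (under a different name)
    when its digest is in the indicator set, and reports nothing against the
    advisory's real indicators, which the sample files do not match."""
    sample = b"constructed sample content, not real malware\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "renamed.bin").write_bytes(sample)
        (root / "other.txt").write_bytes(b"benign\n")
        found = scan_tree(root, {hash_bytes(sample): "constructed indicator"})
        missed = scan_tree(root, BIANLIAN_IOC_HASHES)
    return (len(found) == 1 and found[0][0].name == "renamed.bin"
            and found[0][2] == "constructed indicator" and missed == [])


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, digest, description in scan_tree(target, BIANLIAN_IOC_HASHES):
        print(f"{path}\t{digest}\t{description}")
    print("self-check passed:", self_check())
```

Run it with a directory argument to sweep that tree. A hash match is a strong but narrow signal: any recompiled or repacked build of the same tooling will have a different digest, so absence of hits does not clear a host, and the behavioural indicators in the advisory (RDP logins from unexpected sources, newly installed RMM agents, new local administrators) should be checked alongside.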
We recommend that you read the full report – https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

Blogger at www.systemtek.co.uk