CISA, FBI issue advisory on BianLian ransomware group
As part of the #StopRansomware campaign, the U.S. and Australian governments, acting through the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Australian Cyber Security Centre (ACSC), have issued a cybersecurity alert warning that BianLian ransomware has switched to extortion-only attacks.
BianLian has been targeting critical infrastructure companies in the US and Australia since June 2022. They gain unauthorized access to computers using legitimate Remote Desktop Protocol (RDP) credentials and open-source credential harvesting tools. In 2023, BianLian’s methods have become more threatening, with the intention of causing financial, legal, and operational harm if victims don’t comply with their ransom demands.
Earlier this year, BianLian’s dark website disclosed a list of 118 previous targets, with the healthcare industry being the most frequent victim. The majority of targets (71%) were located in the US, followed by 11% in the UK and 7% in Australia.
The BianLian group engages in extortion by holding victim data hostage and threatening to release it unless a ransom is paid. Previously, they used a double-extortion approach, encrypting systems and stealing sensitive data. However, starting around January 2023, they shifted their focus to exfiltration-based extortion.
The advisory emphasizes that the threat actors behind BianLian commonly use PowerShell and Windows Command Shell to disable antivirus tools and avoid detection. Once inside a compromised network, they use PowerShell scripts to search for and steal valuable files. To reduce this risk, the advisory recommends limiting the use of Remote Desktop Protocol (RDP) and other remote desktop services. Organizations should implement strict security controls and restrict command-line and scripting activity, including PowerShell, on critical systems. Updating PowerShell to the latest version and enabling enhanced logging for better visibility are also highlighted as crucial steps.
The advisory further suggests auditing the network to monitor and control the execution of remote access tools and software. Strong security controls and restrictions on remote desktop services such as RDP are described as essential, and regular audits of administrative accounts, combined with adherence to the principle of least privilege, are named as further vital steps.
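The following script is an added example, not code from the advisory or from the BleepingComputer article, showing how a Windows administrator might apply and verify the mitigations discussed in the two paragraphs above: enabling enhanced PowerShell logging, auditing RDP exposure, reviewing local administrator membership, and confirming antivirus real-time protection is still on. The registry locations are the standard Group Policy-backed PowerShell logging keys; the transcript output directory is an assumption chosen for illustration.

```powershell
# Added example (not from the advisory or the article). Run from an elevated
# PowerShell session on the Windows host being hardened.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Report the installed PowerShell version. The advisory recommends the latest
#    version; Script Block Logging requires PowerShell 5.0 or later.
$PSVersionTable.PSVersion

# 2. Enable enhanced PowerShell logging through the policy registry keys.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging: records the content of every script block executed,
# including de-obfuscated code, as Event ID 4104 in
# Microsoft-Windows-PowerShell/Operational.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module Logging: records pipeline execution details for all modules (Event ID 4103).
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: writes a full text transcript of every session to a directory.
# The directory is an assumption for this example; in production point it at a
# write-only network share so a local attacker cannot tamper with transcripts.
$transcriptDir = 'C:\PSTranscripts'
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name 'EnableTranscripting' -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name 'EnableInvocationHeader' -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name 'OutputDirectory' -Value $transcriptDir -Type String

# 3. Audit Remote Desktop exposure: is RDP enabled, is Network Level
#    Authentication required, and who is allowed to connect?
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDisabled = (Get-ItemProperty -Path $ts -Name 'fDenyTSConnections').fDenyTSConnections -eq 1
$nlaRequired = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication').UserAuthentication -eq 1

[pscustomobject]@{
    RdpEnabled           = -not $rdpDisabled
    NlaRequired          = $nlaRequired
    RdpAllowedPrincipals = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name
}

# 4. Audit local administrators (least privilege): any member that is not a
#    known break-glass or management account deserves review.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass

# 5. Confirm the Defender state the actors try to switch off: real-time
#    protection should be enabled and Tamper Protection turned on.
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected

# 6. With Script Block Logging on, Event ID 4104 exposes attempts to disable
#    defenses; surface recent script blocks that change Defender preferences.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Set-MpPreference' -and $_.Message -match 'Disable' } |
    Select-Object TimeCreated, Message
```

Setting these values directly in the registry is equivalent to configuring the matching Group Policy settings under Administrative Templates > Windows Components > Windows PowerShell; in a domain, prefer the Group Policy route so the settings are enforced across hosts and cannot be quietly reverted on one machine.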
The sources for this piece include an article in BleepingComputer.