The FBI has issued a new advisory revealing that the notorious BianLian ransomware group is likely based in Russia, with multiple Russian affiliates. The group, previously known for its ransomware attacks on organizations such as Save The Children and Boston Children’s Health Physicians, has recently shifted tactics. Instead of relying on traditional ransomware encryption, BianLian now focuses exclusively on exfiltrating data from victims and extorting them for ransom. This shift began in January 2024, marking a significant change in their operations and strategy.
The FBI and the Australian Cyber Security Centre have observed BianLian exploiting critical vulnerabilities in public-facing applications, particularly within Windows and ESXi infrastructure. Notably, the group has leveraged the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to gain initial access. They have also exploited CVE-2022-37969, a vulnerability affecting Windows 10 and 11, further expanding their reach. This shift in their approach indicates a growing sophistication in their tactics, as they adapt to avoid detection and improve the success of their extortion schemes.
To maintain access and navigate through compromised systems, BianLian has been observed creating multiple administrator accounts within victim networks. The group has also ramped up its psychological pressure on victims, printing ransom notes on company printers and even contacting employees directly. These tactics are designed to increase fear and urgency, pushing victims to pay the ransom. The ransom notes now threaten to leak sensitive exfiltrated data if the demands are not met, increasing the stakes for affected organizations.
In response to the group’s evolving tactics, the FBI has advised organizations to bolster their defenses and stay vigilant. The BianLian ransomware group’s shift from encryption-based attacks to data exfiltration and extortion marks a new phase in the ransomware landscape. With their ability to target critical vulnerabilities and apply mounting pressure on victims, BianLian is emerging as a major threat to both private and public sector entities. This highlights the urgent need for improved cybersecurity measures and collaboration across international law enforcement to combat the growing threat of ransomware.
Reference:
