A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.
The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cybersecurity firm Redacted, published on September 1, 2022.
The majority of the victim organizations have been based in Australia, North America and the UK.
The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”
BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.
Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.
“Starting in August, we observed what appeared to be a somewhat troubling explosion in the rate by which BianLian was bringing new [C&C] servers online. […] While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them,” warns the advisory.
A BianLian x64 ransomware sample: eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2
— MalwareHunterTeam (@malwrhunterteam) August 11, 2022
So it is another Go ransomware.
😂
"jack/Projects/project1/crypt28" pic.twitter.com/5mb8GScvGO
To gain initial access into victim networks, BianLian typically targets the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), unpatched SonicWall VPN devices, or servers that provide remote network access via solutions such as Remote Desktop,
“After exploitation, they deployed either a webshell or a lightweight remote access solution such as ngrok as the follow-on payload,” the research paper reads.
Once in the network, BianLian can take up to six weeks to start the encryption process.
“As BianLian would initially spread throughout a network, hunting for the most valuable data to steal and identify the most critical machines to encrypt, they appeared to take steps to minimize observable events, [using] living off the land (LOL) methodology to move laterally,” said Redacted.
This faculty to quickly adapt is another sign that BianLian members have a high skill level in network penetration.
“Even in the final hours prior to encryption, we observed the actor taking care to avoid detection, […] and aggressively work[ing] to counter endpoint detection & response (EDR) protections,” the advisory said.
Redacted recommended a layered approach to mitigating the threat posed by ransomware actors such as BianLian.