The Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint Cybersecurity Advisory from government agencies in the United States and Australia, alerting organizations to the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group.
BianLian is a ransomware and data extortion gang that has been attacking vital infrastructure in the United States and Australia since June 2022.
The advisory, which is part of the #StopRansomware effort, is based on FBI and Australian Cyber Security Centre (ACSC) investigations as of March 2023. Its goal is to give defenders the information they need to adjust their defenses and strengthen their security posture against BianLian ransomware and similar threats.
BianLian initially used a double-extortion technique: it exfiltrated sensitive data from victim networks, encrypted systems, and then threatened to leak the stolen data. However, after Avast released a decryptor for the ransomware in January 2023, the group shifted to extortion based on data theft alone, without encrypting systems.
This approach remains attractive to the group because the incidents are, in effect, data breaches that damage the victim's reputation, erode customer trust, and create legal exposure. According to CISA, BianLian gains access to systems using valid Remote Desktop Protocol (RDP) credentials obtained from initial access brokers or through phishing.
BianLian then conducts network reconnaissance using a custom backdoor written in Go, commercial remote access tools, and command-line tools and scripts. The final stage is exfiltration of victim data via the File Transfer Protocol (FTP), the Rclone tool, or the Mega file hosting service.
To avoid detection by security software, BianLian uses PowerShell and the Windows Command Shell to terminate processes associated with antivirus products. It also modifies the Windows Registry to defeat the tamper protection provided by Sophos security products.
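The TTPs described above map to log sources most Windows environments already have: Security event 4624 with logon type 10 for RDP sessions, PowerShell script block logging (event 4104) for process termination and registry changes aimed at security products, and Sysmon process creation (event 1) for exfiltration tooling. The following triage script is an added example, not code from the advisory or from CISA. All log lines are constructed for the example in a simplified key=value layout, and the process-name hints, registry path, trusted-network prefix and value names are assumptions chosen for illustration rather than indicators taken from the advisory.

```python
"""Triage constructed Windows log lines for the activity classes the
BianLian advisory describes: RDP logons from untrusted sources, PowerShell
used to stop security processes, registry writes touching security-product
settings, and exfiltration tooling (FTP, Rclone, Mega).

The sample events, hints and paths below are constructed for this example;
they are not indicators of compromise from the advisory."""
import re
from dataclasses import dataclass

# Constructed sample events (simplified key=value format, one event per line).
SAMPLE_LOG = r"""
ts=2023-03-10T02:14:05Z source=Security event_id=4624 logon_type=10 user=svc_backup src_ip=203.0.113.45 host=FS01
ts=2023-03-10T02:15:30Z source=PowerShell event_id=4104 host=FS01 script="Stop-Process -Name SophosPLACEHOLDER -Force"
ts=2023-03-10T02:16:02Z source=PowerShell event_id=4104 host=FS01 script="Set-ItemProperty -Path HKLM:\SOFTWARE\Sophos\PLACEHOLDER -Name PLACEHOLDER_SETTING -Value 0"
ts=2023-03-10T02:40:11Z source=Sysmon event_id=1 host=FS01 image=C:\Users\Public\rclone.exe cmdline="rclone.exe copy D:\Finance mega:backup"
ts=2023-03-10T09:00:00Z source=Security event_id=4624 logon_type=10 user=alice src_ip=10.20.0.15 host=WS07
ts=2023-03-10T09:05:00Z source=PowerShell event_id=4104 host=WS07 script="Get-ChildItem C:\Temp"
"""

# Assumed hints: substrings that identify security products in a command line
# (MsMpEng is the Microsoft Defender engine process; the rest are generic).
SECURITY_PRODUCT_HINTS = ("sophos", "defender", "msmpeng", "antivirus")
# Exfiltration tooling named in the advisory.
EXFIL_TOOL_HINTS = ("rclone", "mega:", "ftp.exe")
# Registry-writing cmdlets/commands worth correlating with a security-product path.
REGISTRY_WRITE = re.compile(r"set-itemproperty|new-itemproperty|remove-item|reg\s+add|reg\s+delete")

# key=value tokens, with optional double-quoted values.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    ts: str
    host: str
    technique: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict (quoted values keep their spaces)."""
    return {key: quoted or plain for key, quoted, plain in TOKEN.findall(line)}


def triage(log_text: str, trusted_rdp_prefixes=("10.",)) -> list:
    """Return one Finding per event that matches an advisory TTP class.

    trusted_rdp_prefixes is an assumed allowlist of internal source-IP prefixes;
    RDP logons from anywhere else are flagged as possible initial access."""
    findings = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        ts, host, source, eid = ev.get("ts", "?"), ev.get("host", "?"), ev.get("source"), ev.get("event_id")

        # Initial access: interactive RDP logon (type 10) from an untrusted source.
        if source == "Security" and eid == "4624" and ev.get("logon_type") == "10":
            src = ev.get("src_ip", "")
            if not src.startswith(trusted_rdp_prefixes):
                findings.append(Finding(ts, host, "initial-access/rdp",
                                        f"RDP logon by {ev.get('user')} from untrusted {src}"))

        # Defense evasion: PowerShell stopping security processes or editing their registry settings.
        elif source == "PowerShell" and eid == "4104":
            script = ev.get("script", "")
            low = script.lower()
            names_security_product = any(h in low for h in SECURITY_PRODUCT_HINTS)
            if "stop-process" in low and names_security_product:
                findings.append(Finding(ts, host, "defense-evasion/stop-security-process", script))
            if REGISTRY_WRITE.search(low) and names_security_product:
                findings.append(Finding(ts, host, "defense-evasion/registry-tamper", script))

        # Exfiltration: process creation for Rclone, Mega or FTP clients.
        elif source == "Sysmon" and eid == "1":
            cmd = (ev.get("image", "") + " " + ev.get("cmdline", "")).lower()
            if any(h in cmd for h in EXFIL_TOOL_HINTS):
                findings.append(Finding(ts, host, "exfiltration/tooling", ev.get("cmdline", "")))
    return findings


def techniques(log_text: str) -> list:
    """Convenience view: just the technique labels, in log order."""
    return [f.technique for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.host:5} {f.technique:40} {f.detail}")
```

The script flags the four constructed FS01 events (RDP from an external address, a Stop-Process against a security product, a registry write under a security-product path, and an Rclone copy to Mega) and leaves the two benign WS07 events alone. In a real deployment the allowlist of RDP source networks and the product hints would come from the environment's inventory, and the value of the detection lies in correlating these classes on one host within a short window rather than in any single match.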
Proposed mitigations include limiting the use of RDP and other remote desktop services, restricting command-line and scripting activity, and restricting the use of PowerShell on critical systems. The advisory recommends the following measures to help defend the network:
- Audit and control the execution of remote access tools and software on your network.
- Restrict usage of remote desktop services like RDP and enforce stringent security measures.
- Limit PowerShell use, update to the latest version, and enable enhanced logging.
- Regularly audit administrative accounts and employ the principle of least privilege.
- Develop a recovery plan with multiple copies of data stored securely and offline.
- Adhere to NIST standards for password management, including length, storage, reuse, and multi-factor authentication.
- Regularly update software and firmware, segment networks for improved security, and actively monitor network activity.
"FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents," the advisory states.
The full advisories from CISA and the ACSC contain more detailed information on the recommended mitigations, indicators of compromise (IoCs), observed commands, and BianLian techniques.