BianLian, a ransomware operation that emerged in July 2022 by encrypting data and demanding payment for its recovery, is evolving its tactics. The gang now simply exfiltrates data without encrypting it and then extorts the organization, promising that once BianLian is paid, it will not leak the stolen data or disclose that the organization has suffered a breach. The strategy shift follows Avast’s January 2023 release of a free decryptor that helps recover files encrypted by the BianLian ransomware.

To heighten pressure on its victims, BianLian posts partially masked data and company identifiers on its leak site. It also tailors messages to the target organization, mentioning specific legal and regulatory issues — sometimes even specific subsections of laws and statutes — that would be a problem for the organization if the breach became public.

The group brings close to 30 new command and control (C2) servers online each month, claiming 118 successful attacks as of mid-March. Notable attacks include the Madrid-based Parques Reunidos, one of the world’s largest theme park operators, and a cardiac arrest center in California. At 14 percent, the healthcare industry has experienced the most BianLian attacks; 71 percent of BianLian’s victims are in the U.S., with others scattered around the world.

Rapid response

As a real-life example of an effective response, here’s how Parques Reunidos responded to immediately contain the damage and to prevent further unauthorized access:

  • Appointed forensic specialists and cybersecurity experts to investigate the incident and reinforce data security
  • Shut down affected systems, blocked users with affected information systems, blocked remote access connections (VPN)
  • Temporarily isolated the data center, blocking all users’ passwords for accessing information systems
  • Tightened access controls for certain user groups, expanding its collection sources for ingesting log events, as well as raising cybersecurity awareness among its employees
  • Notified the Spanish Data Protection Authority (AEPD) and cooperated with the authorities

Impact

As we reported in October, BianLian creates its own custom toolkit in Go. The group typically brings a C2 server online before deploying a custom backdoor for remote access — sometimes within minutes. Tight coupling of the infrastructure and malware deployment means the group may have already established a foothold in the victim’s network by the time a BianLian C2 is discovered.

DXC perspective

DXC has been monitoring BianLian target activity since July 2022. We urge organizations to secure their infrastructure and maintain a robust cyber defense program to protect against ransomware attacks of all kinds.