Getty Images/iStockphoto
CISA Issues Cybersecurity Advisory Regarding BianLian Ransomware Group
BianLian ransomware group has deployed ransomware attacks against multiple critical infrastructure sectors since June 2022, CISA’s latest advisory states.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) released a joint cybersecurity advisory (CSA) regarding BianLian ransomware group.
The group has been observed targeting a variety of United States critical infrastructure sectors since June 2022, as well as Australian critical infrastructure sectors. BianLian typically gains access via valid Remote Desktop Protocol (RDP) credentials and uses open-source tools for credential harvesting. In 2023, BianLian has threatened negative financial, legal, and business impacts if victims refuse to pay the ransom.
“BianLian group actors then extort money by threatening to release data if payment is not made,” the advisory stated. “BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.”
Specifically, BianLian threat actors have been known to use PowerShell and Windows Command Shell to disable antivirus tools. After obtaining access, BianLian uses PowerShell scripts to search for and exfiltrate sensitive files.
FBI, CISA, and ACSC encouraged small and medium-sized organizations as well as critical infrastructure entities to implement safeguards to protect against common BianLian tactics.
Organizations should focus on strictly limiting the use of RDP and other remote desktop services, restricting PowerShell use, updating Windows PowerShell or PowerShell Core to the latest version, and disabling command-line and scripting activities and permissions.
“The BianLian group, unlike most other ransomware groups, seems to rely primarily on technical exploitation of remote access tools rather than phishing emails,” said John Riggi, the American Hospital Association’s (AHA) national advisor for cybersecurity and risk.
“The BianLian group has also evolved its tactics to focus on data extortion — theft of sensitive data and threatening to publicize it unless a ransom is paid. The primary recommendations to mitigate this threat are ensuring all remote access software is strictly controlled, monitored and external access limited. As always, phishing-resistant multifactor authentication is a foundational cybersecurity practice, which should also be employed along with the other recommended mitigations contained in this alert.”