23 October 2024

5 min read

Ransomware in focus: Meet BianLian

Cyber security

'Ransomware in focus' is our new series unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware. In this instalment, Lena Krummeich examines the operations of BianLian.


Background

BianLian operates as a Ransomware-as-a-Service model and was first observed in July 2022. Named after the Chinese art of “face changing”, BianLian is known for its adaptability and evolving tactics. Originally identified as a banking trojan targeting Android devices, the group evolved first into a ransomware group employing double-extortion tactics, and most recently into a data exfiltration-only operation. So far little is known about the origins of the affiliates or the group's internal structure.

Motivation

BianLian is a financially motivated group that targets various sectors opportunistically, with a primary focus on sectors that handle sensitive information, such as healthcare and legal services. BianLian seeks to exfiltrate sensitive information from a target and monetise through extortion.

Business model

The threat actor operates under a Ransomware-as-a-Service (RaaS) model. RaaS is a business model where affiliates pay to ‘rent’ ransomware developed by operators, enabling affiliates with limited skills or time to launch attacks quickly and affordably. The threat actor's leak site includes an advertisement for affiliates, indicating the group is seeking to expand its operations. Specifically, the advertisement highlights opportunities for initial access brokers, software engineers, pentesters and journalists.

Group affiliations 

Overlaps in tactics, techniques and procedures (TTPs) and shared resources suggest potential affiliate crossover between BianLian and the WhiteRabbit, Mario and Makop ransomware groups, as well as the RansomHouse extortion group. While the exact degree of overlap between BianLian and the WhiteRabbit and Mario ransomware groups remains unclear, evidence suggests likely affiliate crossover. This assessment is based on the identification of a contact email (swikipedia@onionmail[.]org) within ransom notes associated with both BianLian and a joint WhiteRabbit/Mario ransomware campaign targeting financial services organisations in Singapore.

Connections between the BianLian and RansomHouse groups were identified when nearly identical data leaks associated with an Italian victim appeared on the BianLian and RansomHouse leak sites within approximately one month of each other during Fall 2023. RansomHouse, a data-extortion group, has in turn been linked to the WhiteRabbit and Mario ransomware groups through overlapping communication contacts in ransom notes as well as references to one another in communication portals such as RansomHouse's Telegram channel. The degree of overlap between the two groups is unclear, as affiliates often work for multiple ransomware organisations at one time and share Initial Access Brokers (IABs).

Additionally, overlaps in TTPs have been observed in BianLian and Makop ransomware campaigns. Notably, both groups use the same custom exfiltration tool. Additional research has identified that the groups share the same hash for an Advanced Port Scanner tool. These findings suggest a common toolset, or reliance on services from the same developers.

Victimology

Since June 2022 BianLian has primarily attacked small to medium sized companies, the majority of which are headquartered in the US. The group has targeted numerous sectors, including critical infrastructure organisations, and notably, unlike other ransomware organisations, does not abstain from attacks against charities. BianLian appears to target sectors that maintain collections of sensitive data and those which are likely to have a lower tolerance for data leaks.

91%: the majority of BianLian victims were small to medium sized businesses (businesses with fewer than 1,000 employees).

Figure 1. Companies targeted in the last 90 days, by country. Source: ecrime.ch

Notable Attacks
  • On 15 October 2024, BianLian claimed responsibility for an attack on Boston Children’s Health Physicians, a network of specialists affiliated with Boston Children’s Hospital. The group threatened to expose sensitive information associated with employees, patients and guarantors of the organisation. At the time of writing, no sensitive information has been posted to the leak site.
  • In September 2023, the group gained widespread attention for attacking global charity organisation Save the Children. The attack exposed nearly 7 TB of data, including sensitive information associated with global employees and children.

Figure 2. Companies targeted in the last 90 days, by sector. Source: ecrime.ch

*Data based on victims posted to the actor's leak site, and thus unlikely to be comprehensive of all victims.


Tactics, Techniques & Procedures (TTPs)

Initial access

BianLian has been observed using valid credentials for exposed remote services, such as Remote Desktop Protocol (RDP), to gain initial access. These credentials are believed to originate from phishing attacks and initial access brokers. The group has also exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to infiltrate networks.
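The initial access vector described above, credential-based RDP logons from the internet, is one of the easier BianLian behaviours to surface from logs a defender already collects. The following is an added detection example, not code from the article or from any tool attributed to the group: it walks a set of constructed Windows Security events (event ID 4624 for successful logons, 4625 for failures, logon type 10 for RDP), flags successful RDP logons whose source address is outside the organisation's own ranges, and notes whether the same source produced a burst of failures in the preceding window, which is what a credential-stuffing or brute-force precursor looks like. The internal ranges, field names and sample events are assumptions made for the example.

```python
"""
Added example: flag successful RDP logons from non-internal sources and
check whether the same source failed repeatedly just beforehand.

Assumptions (constructed for this example):
  * events are dicts carrying a subset of Windows Security log fields
    (event_id 4624 = successful logon, 4625 = failed logon,
     logon_type 10 = RemoteInteractive, i.e. RDP)
  * the organisation's internal ranges are the RFC 1918 blocks
"""
import ipaddress
from datetime import datetime, timedelta

# Address ranges treated as "ours" (assumption: RFC 1918 only)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp_logons(events, fail_threshold=5,
                               window=timedelta(minutes=10)):
    """Return one finding per successful RDP logon from a non-internal source.

    Each finding records how many failed logons the same source produced
    in the `window` before the success; at or above `fail_threshold`
    the finding is marked as a suspected brute force.
    """
    ordered = sorted(events, key=lambda e: e["time"])
    failures = [e for e in ordered if e["event_id"] == 4625]
    findings = []
    for ev in ordered:
        if ev["event_id"] != 4624 or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # not a successful RDP logon
        if is_internal(ev["source_ip"]):
            continue  # internal RDP use is out of scope for this rule
        prior = [f for f in failures
                 if f["source_ip"] == ev["source_ip"]
                 and ev["time"] - window <= f["time"] < ev["time"]]
        findings.append({
            "time": ev["time"],
            "user": ev["user"],
            "source_ip": ev["source_ip"],
            "prior_failures": len(prior),
            "brute_force_suspected": len(prior) >= fail_threshold,
        })
    return findings


def _ev(ts, event_id, user, ip, logon_type=RDP_LOGON_TYPE):
    """Build one constructed event record."""
    return {"time": ts, "event_id": event_id, "user": user,
            "source_ip": ip, "logon_type": logon_type}


# Constructed sample events: six failures then a success from one external
# address, an internal RDP logon, a non-RDP external logon, and a single
# external RDP success with no preceding failures.
_T = datetime(2024, 10, 15, 2, 0)
SAMPLE_EVENTS = (
    [_ev(_T + timedelta(minutes=m), 4625, "svc_backup", "203.0.113.45")
     for m in range(1, 7)]
    + [_ev(_T + timedelta(minutes=7), 4624, "svc_backup", "203.0.113.45"),
       _ev(_T + timedelta(minutes=30), 4624, "alice", "192.168.1.20"),
       _ev(_T + timedelta(minutes=40), 4624, "web01$", "198.51.100.7",
           logon_type=3),
       _ev(_T + timedelta(minutes=60), 4624, "bob", "198.51.100.9")]
)

if __name__ == "__main__":
    for finding in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample set, the rule returns two findings: the `svc_backup` logon from 203.0.113.45 with six prior failures (marked as suspected brute force) and the `bob` logon from 198.51.100.9 with none. The second is still worth a look, since a single clean success from an unexpected address is exactly what a purchased or phished credential produces; in practice the internal ranges would also include any VPN pool so that legitimate remote users are not flagged.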

Propagation

BianLian uses a backdoor customised for each particular victim, written in the Go language. The tool allows long-term access and control, activity monitoring, and command execution on the victim’s network. The tool has appeared under the name def[.]exe. Furthermore, BianLian is known for using legitimate tools and processes which are native to the victim’s network environment during attacks, a technique typically described as ‘Living off the Land’. This technique enables the group to move laterally with a low likelihood of being detected.

Encryption

After a public decryption tool was released in January 2023, BianLian shifted from encryption to exfiltration-only practices. Their encryption tool was known for being particularly rapid, taking between seconds and minutes to encrypt targeted systems. Furthermore, the encryptor worked selectively, only targeting sensitive files, such as financial data and personal information. Once encryption was complete, the ransomware automatically deleted itself, complicating analysis efforts by security researchers.

Exfiltration

Originally applying a double-extortion model, since January 2023 BianLian has employed an exfiltration-only extortion strategy, stealing sensitive data and threatening to release it on their leak site in the absence of payment. The group has a track record of promptly posting victims’ names and data on their leak site. Specifically, the group has been observed employing a ‘hangman’ technique of naming victims, slowly revealing more and more letters of the victim’s name on the leak site ahead of imposed deadlines. During negotiations, the group has been observed employing pressure tactics such as printing additional ransom notes within the affected networks and making phone calls to employees of compromised companies in pursuit of payment.
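Because the group's current model is exfiltration-only, the window for detection closes once the data has left the network, so outbound volume monitoring matters more here than for an encrypting operation. The following is an added example, not code from the article or from any tool attributed to BianLian: it aggregates constructed flow records into hourly buckets of bytes sent from each internal host to external destinations and flags hosts whose volume exceeds both an absolute floor and a multiple of their usual baseline. The record fields, internal ranges, baselines and thresholds are assumptions made for the example.

```python
"""
Added example: flag internal hosts whose hourly outbound volume to external
destinations exceeds a multiple of their normal baseline.

Assumptions (constructed for this example):
  * flows are dicts with time, src, dst and bytes_out fields, as a
    collector would export from NetFlow/IPFIX or a firewall log
  * the organisation's internal ranges are the RFC 1918 blocks
  * baseline_bytes maps a host to its typical outbound bytes per hour
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Address ranges treated as "ours" (assumption: RFC 1918 only)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bulk_outbound(flows, baseline_bytes, factor=10,
                       floor_bytes=1_000_000_000):
    """Return one finding per (host, hour) whose external outbound volume
    exceeds max(floor_bytes, factor * that host's baseline).

    The floor stops quiet hosts from being flagged on trivial volumes; the
    factor catches a normally busy host that suddenly sends far more.
    """
    buckets = defaultdict(int)  # (src host, hour start) -> bytes sent
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external traffic is of interest
        hour = f["time"].replace(minute=0, second=0, microsecond=0)
        buckets[(f["src"], hour)] += f["bytes_out"]

    findings = []
    for (host, hour), total in sorted(buckets.items()):
        limit = max(floor_bytes, factor * baseline_bytes.get(host, 0))
        if total > limit:
            findings.append({"host": host, "window_start": hour,
                             "bytes_out": total, "limit": limit})
    return findings


def _flow(ts, src, dst, bytes_out):
    """Build one constructed flow record."""
    return {"time": ts, "src": src, "dst": dst, "bytes_out": bytes_out}


# Constructed sample: a file server pushes 1.2 GB to one external address in
# a single hour (well above its 50 MB/h norm), a second host sends a modest
# 200 MB externally, and a large internal-to-internal transfer is ignored.
_T = datetime(2024, 10, 15, 1, 0)
SAMPLE_FLOWS = [
    _flow(_T + timedelta(minutes=5), "10.1.5.22", "203.0.113.80", 400_000_000),
    _flow(_T + timedelta(minutes=20), "10.1.5.22", "203.0.113.80", 400_000_000),
    _flow(_T + timedelta(minutes=45), "10.1.5.22", "203.0.113.80", 400_000_000),
    _flow(_T + timedelta(minutes=10), "10.1.5.30", "198.51.100.7", 200_000_000),
    _flow(_T + timedelta(minutes=15), "10.1.5.22", "10.1.9.9", 3_000_000_000),
]

# Typical outbound bytes per hour for each host (constructed)
SAMPLE_BASELINE = {"10.1.5.22": 50_000_000, "10.1.5.30": 100_000_000}

if __name__ == "__main__":
    for finding in find_bulk_outbound(SAMPLE_FLOWS, SAMPLE_BASELINE):
        print(finding)
```

On the sample data only 10.1.5.22 is flagged, with 1.2 GB sent to an external address in the 01:00 hour against a limit of 1 GB. A volume rule like this is a coarse first layer; pairing it with the destination (a newly seen external address, or a cloud storage service the business does not use) is what turns a bulk-transfer alert into an exfiltration lead.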

[Animation: progressive reveal of a victim's name on the leak site]

Figure 3. Ransom note of BianLian (Source: Any.run)

Edited by Melissa DeOrio, Global Cyber Threat Intelligence Lead. 
