CISA Alert AA23-136A – #StopRansomware: BianLian Ransomware Group.
This is a CISA Cybersecurity Alert.
ID number Alpha Alpha Two Three tack One Three Six Alpha.
Original release date May 16th, 2023.
FBI, CISA, and the Australian Cyber Security Centre are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.
BianLian is a cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol, or RDP, credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol, Rclone, or Mega.
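As an added illustration that is not part of the advisory or its audio adaptation, the Python sketch below turns the TTPs just described into a simple triage over constructed log records: field names are modelled on Windows Security events 4624 (logon) and 4688 (process creation), the internal address ranges are a hypothetical RFC 1918 list, and the sample events are made up for the example.

```python
"""Added detection sketch for the BianLian TTPs in the advisory (RDP logons with
valid credentials; Rclone/Mega/FTP exfiltration). Sample events are constructed."""
import ipaddress

# Constructed records modelled on Windows Security events
# (4624 = logon, LogonType 10 = RemoteInteractive/RDP; 4688 = process creation).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.45"},                 # RDP from outside the LAN
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.12"},                    # RDP from an internal host
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe",
     "IpAddress": "-"},                            # console logon, no source IP
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone copy D:\finance remote:share"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Tools\MEGAcmd\MEGAclient.exe",
     "CommandLine": r"MEGAclient.exe put D:\finance /backup"},
]

EXFIL_TOOL_PREFIXES = ("rclone", "mega", "ftp")  # image-name prefixes from the advisory
# Hypothetical RFC 1918 ranges; replace with the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr: str) -> bool:
    """True when addr is an IP outside INTERNAL_NETS; '-' and other
    non-IP values (local logons) return False instead of raising."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def triage(events) -> list:
    """Return (finding, detail) pairs for RDP logons from external addresses
    and for process launches whose image name matches exfiltration tooling."""
    findings = []
    for ev in events:
        if (ev.get("EventID") == 4624 and ev.get("LogonType") == 10
                and is_external(ev.get("IpAddress", ""))):
            findings.append(("rdp_external_logon",
                             f"{ev['TargetUserName']} from {ev['IpAddress']}"))
        elif ev.get("EventID") == 4688:
            image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if image.startswith(EXFIL_TOOL_PREFIXES):
                findings.append(("exfil_tool_exec", ev["NewProcessName"]))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields three findings: the external RDP logon and the two exfiltration-tool launches, while the internal RDP logon, the console logon and the benign process are left alone.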
BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.
To mitigate cyber threats from BianLian ransomware and data extortion, system administrators should strictly limit the use of RDP and other remote desktop services, disable command-line and scripting activities and permissions, and restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.
FBI, CISA, and the Australian Cyber Security Centre encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents. A link to this report can be found in the show notes.
To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at firstname.lastname@example.org, call (888) 282-0870, or report incidents to your local FBI field office.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations.
This has been a CISA Cybersecurity Alert.