BianLian group drops encryption from its attack chain


The BianLian ransomware group has shifted its focus from encrypting files to exfiltrating data and using it to extort victims. This was reported by the information security company Redacted, which saw signs that the group is trying to hone its extortion skills and increase pressure on victims.

BianLian operators have retained their initial access and lateral movement methods, and continue to deploy their own Golang-based backdoor, which gives them remote access to a compromised device.

On its website, BianLian lists its victims as early as 48 hours after being compromised and gives companies approximately 10 days to pay the ransom. As of March 13, 2023, BianLian has listed a total of 118 entities on its website, with the vast majority (71%) being US-based companies.

The main difference in the recent attacks is that BianLian tries to monetize its intrusions without encrypting the victim's files. Instead, the group now relies solely on threats to leak the stolen data on the dark web.

The hackers promise that once the ransom is paid, they will not leak the stolen data or otherwise reveal that the organization has been hacked. BianLian offers these guarantees on the grounds that its "business" depends on its reputation.

To put greater pressure on the victim, the cybercriminals in some cases reminded them of the legal problems the organization would face if the breach became public. Moreover, in the ransom note the group also cited specific sections of laws and statutes.

Redacted experts found that in many cases the cited laws actually apply in the victim's region, indicating that the hackers are refining their extortion by analyzing the victim's legal risks in order to formulate stronger arguments.

It is unknown whether BianLian's move away from encryption is related to Avast's release of a free decryptor for the BianLian ransomware. Perhaps the attackers simply realized that they did not need this part of the attack chain to extort a ransom from their victims.