One of the nastiest ransomware groups out there may have a whole new way of doing things
- CISA updates the advice on BianLian, originally published in May 2024
- Agency claims that the group has refrained from deploying the encryptor
- Instead, BianLian exfiltrates sensitive data and threatens to release it
Notorious ransomware group BianLian has stopped deploying an encryptor on victims’ devices and is now focusing solely on data exfiltration, an updated security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies warns.
CISA, along with the FBI and the Australian Cyber Security Centre, first published an in-depth report on BianLian in May 2024 as part of the #StopRansomware effort, detailing the group’s tactics, techniques and procedures. That report has now been updated with new information, including the changes in the group’s modus operandi.
It turns out that BianLian no longer encrypts the information on its victims’ endpoints. Instead, it just steals the data and then demands payment in exchange for not leaking it to the public.
BianLian follows the trends
This is a change that the cybersecurity community has been warning about for some time, and BianLian is hardly the only group to no longer deploy the encryptor.
It turns out that developing, maintaining and deploying encryption software is too tedious, too cumbersome and too expensive. As a means of extortion, simple data exfiltration yields the same results, and criminals are taking notice.
The agencies also say that BianLian is a Russian actor, based in Russia and working with Russian affiliates. If the name throws you off and makes you think the group is probably Chinese (or from somewhere else in the Far East), that’s intentional.
“The reporting agencies are aware of multiple ransomware groups, such as BianLian, attempting to misattribute location and nationality by choosing names in a foreign language, which almost certainly complicates attribution efforts,” the report claims.
In the past, the group has been observed to target organizations in the US critical infrastructure sector as well as private companies in Australia.