Potential BianLian Ransomware, TeamViewer, and BitLocker

BianLian is a Golang-based ransomware-as-a-service (RaaS) that has been active since at least 2022. The group previously (from 2022 – 2023) operated a RaaS and used a double extortion method, where the ransomware both encrypted the victim’s machines and exfiltrated sensitive data; the group threated to leak the stolen data if the ransom demand was not paid.

However, in 2023, the group was observed stealing sensitive data and extorting victims, avoiding the encryption portion of a typical ransomware attack. Avast researchers released a decryptor for the BianLian ransomware in 2023, which likely led to the groups’ change in tactics (1).

The IP address, 94.198.50[.]195, has previously been attributed to BianLian operations and is registered in Russia (2). BianLian often uses valid credentials for persistence, defense evasion, and lateral movement. The group extracts credentials from the victim environment, creates new administration accounts, or modifies existing accounts’ passwords to allow incoming RDP traffic.

BianLian encrypts files using the AES256 algorithm and, as opposed to other operations, the AES key is not encrypted by a public key and is not stored in the encrypted files. The malware divided the file content into 10-byte chunks. It reads ten bytes from the original file, then encrypts the bytes, and writes the encrypted data into the target file.

From 2023 April 01 – 2024 March 31, BianLian operators listed 220 victims on their data leak site, with the majority of those victims in the Healthcare vertical and the majority based in the U.S. It is very likely that BianLian has targeted many more victims, as the tracked numbers include only those listed on the group’s data leak site and omits victims that paid the ransom or were not listed for other reasons.

The APG predicts that threat actors will very likely continue to use BianLian ransomware and other ransomware variants to attack Consumer Cyclicals organizations over the next 12 months.

The APG bases this assessment on internal Blackpoint observed attacks and external incident reports that detail BianLian ransomware activity.

• In February 2024, a new ransomware operation, TriSec, claimed responsibility for a ransomware attack targeting an Ireland-based Consumer Cyclicals company on their data leak site (4). Due to the new operation, little analysis has been done on the variant; however, the group claims to be a private operation that is state funded. The nature of the operations remains unverified at the time of writing (June 2024).
• In March 2024, security researchers with Guidepoint Security reported that BianLian ransomware operators claimed responsibility for a ransomware attack targeting a hospital network in Australia (3). As BianLian has often been observed exfiltrating data without encryption, it is likely that the group did not encrypt the network of the hospital.
• In May 2024, LockBit ransomware operators listed a Europe-based Consumer Cyclicals company on their data leak site, per the APG’s own internal threat actor tracking. The group reportedly demanded a $25 million ransom payment. The group claimed to have accessed employee information, classified head office files, and more. The post was removed from the LockBit data leak site; however, it is not known if the company paid the ransom demand or if the post was removed for another reason.

Blackpoint’s APG recommends the following actions to help mitigate the deployment of ransomware and the use of legitimate processes and services for persistence and lateral movement.

• Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software being installed or used in suspicious or abnormal methods and identify behaviors consistent with ransomware activity.
• Regularly audit both environment and endpoints, that can aid in identifying previously unknown (or unapproved) installed software that can be abused for malicious actions.
• Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conduct certain activities in the event of a possible account compromise.
• Create and maintain data backups that can aid in recovery in the event of ransomware attacks; this should include offline backups and regular testing to ensure the backups are sufficient and usable in the event of an incident.

TeamViewer is a remote administration tool that can be used to remotely access machines and conduct activities such as updates, installation and removal of software/services, and other remote activities.

Threat actors often find these types of tools an attractive target and tool to use during cyberattacks (5)due to:

• The access these types of tools provide;
• The ability to remain undetected and blend into normal traffic; and
• The potential for persistent access to compromised networks.

The APG predicts that threat actors will very likely continue to abuse TeamViewer and other allowlisted tools as part of a Living off the Land (LotL) strategy for peristence and defense evasion over the next 12 months.

We base this assessment on internal Blackpoint observed attacks and external reporting related to the use of TeamViewer during a cyberattack.

Blackpoint’s APG has tracked at least three ransomware operations that have used TeamViewer during cyberattacks, which include:

• BianLian
• LockBit
• Trigona

Furthermore, security researchers with ReliaQuest reported that between 2022 and 2024, more than one third of the intrusions the company responded to involved RMM tools (6).

Threat actors are likely going to continue to abuse and target remote administration tools both for persistence and initial access, given their high level of access within target environments. Threat actors will also likely continue to install these tools, including TeamViewer, post-intrusion to maintain persistent access to victim environments.

However, threat actors will also likely target vulnerabilities, credentials, and weaknesses in pre-installed tools to gain access to victim environments.

Blackpoint’s APG recommends the following actions to help mitigate the abuse of TeamViewer for persistence and defense evasion.

• Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
• Implement application controls to help manage and control the installation of software, including RMM software.
• Monitor system activity through heuristics-based triggers and alerts, which can aid in identifying the malicious install, use, and presence of unapproved tools and malicious activities on devices.
• Implement a patch management program to ensure that security vulnerabilities are patched in a timely manner in operationally-critical-yet-frequently-abused services, such as RMM tools, to prevent exploitation.

BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.

BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled (7).

For threat actors seeking to hold victim organizations ransom (“Pay us or you can’t have your device or data, so you can’t do business!”), BitLocker presents a welcome opportunity as an often allowlisted tool already present within a given environment.

The APG predicts that threat actors will very likely continue to abuse BitLocker over the next 12 months.

This assessment is based on internal Blackpoint observed attacks and external reporting related to threat actors’ abuse of BitLocker.

• In May 2024, security researchers with Kaspersky reported ransomware attacks had been using Microsoft’s BitLocker to attempt encryption of corporate files. The threat actors removed the recovery options to prevent the files from being restored and used a malicious script that detected specific Windows versions and enabled BitLocker (8). Additionally, the threat actors delete the protectors used to secure BitLocker’s encryption key so that the victim can’t recover them.
• In 2022, security researchers with Microsoft reported that DEV-0270 had been observed abusing the BitLocker service to attempt encryption of a victim’s network. The group reported demanded ransom payments of more than $8,000 for decryption keys (9).

Threat actors find BitLocker an attractive tool because they can conduct encryption-based attacks by leveraging a tool built into the operating system.

While the majority of ransomware operators utilize their own (or purchased) ransomware encryptor as they typically have more capabilities, such as exfiltrating sensitive data. BitLocker provides an integrated tool for conducting simple ransomware attacks, which can still be detrimental to an organization’s data.

Blackpoint’s APG recommends the following actions to help mitigate the malicious abuse of tools such as BitLocker as part of threat actors’ living off the land (LotL) strategies.

• Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to suspicious actions and use of OS-integrated tools, such as BitLocker.
• Create and implement a strong password policy to provide additional protection on devices with BitLocker enabled; and can ensure that passwords and recovery keys are stored in a secure location.
• Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management. Doing so means catching more in-progress attacks, instead of assuming the activity is authorized because the user or program itself is allowlisted.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities (and few end users legitimately require such processes for their daily responsibilities).

1. Avast’s Blog: “Decrypted: BianLian Ransomware” by Threat Research Team on 2023-01-16
2. VirusTotal’s Repository: “94.198.50.195” by VirusTotal on 2024-06-13
3. Guidepoint Security’s Blog: “BianLian Ransomware Strikes Lindsay Municipal Hospital: Another US Institution Under Attack” by Guidepoint Security on 2024-03-11
4. Privacy Affairs’s Article: “Novel Trisec Ransomware Hits Toyota Ireland” by Niklos Zoltan on 2024-02-17
5. Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on 2024-03-28
6. ReliaQuest’s Blog: “RMM Tool Abuse” by ReliaQuest Threat Research Team on 2024-02-20
7. Microsoft’s Blog: “BitLocker overview” by Microsoft on 2023-11-06
8. Kaspersky’s Blog: “Kaspersky uncovers new BitLocker-abusing ransomware” by Kaspersky on 2024-05-23
9. Microsoft’s Blog: “Profiling DEV-0270: PHOSPHORUS’ ransomware operations” by Microsoft Threat Intelligence on 2022-09-07