About This Threat Profile
First Identified: 2022
Operation style:
Previously a ransomware-as-a-service (RaaS), in 2023 the group ceased encryption and focused on data exfiltration operations.
Extortion method:
Double extortion and extortion without encryption. Bianlian has been observed focusing on data exfiltration; however, the group has been observed utilizing encryption on some occasions.
Most frequently targeted industry: Healthcare
Most frequently targeted victim HQ region: United States, North America
Known Associations: Makop Ransomware
Description
BianLian ransomware is written in Go language and is compiled as a 64-bit Windows system that has been active since, at least, July 2022. The group previously (2022-2023) operated a ransomware-as-a-service (RaaS) and used a double extortion method, where the ransomware both encrypted the victim’s machines and exfiltrated sensitive data; the group threatened to leak the stolen data if the ransom demand was not paid. However, in 2023, the group was observed stealing sensitive data and extorting victims, avoiding the encryption portion of a typical ransomware attack.
BianLian is reportedly a reference to the traditional Chinese art of “face-changing”. The name is indicative of the operations’ ability to adapt and its evolution in its TTPs.
In 2023, Avast researchers released a decryptor for the BianLian encryptor, which likely led to the group no longer encrypting victim networks and focusing on data exfiltration instead.
BianLian operators have been observed gaining initial access via a variety of methods, including phishing emails, exploitation of leaked/compromised credentials, exploitation of vulnerabilities, and purchasing access via IABs. BianLian uses native Windows tools and Windows Command Shell to query users, the domain controller to identify groups, accounts in Domain Admins and Domain Computers groups, and map out additional devices on the network.
BianLian often uses valid credentials for persistence, defense evasion, and lateral movement. The group extracts credentials from the victim environment, creates new administration accounts, or modifies existing accounts’ passwords to allow incoming RDP traffic.
BianLian encrypts files using the AES256 algorithm and, as opposed to other operations, the AES key is not encrypted by a public key and is not stored in the encrypted files. The malware divided the file content into 10-byte chunks. It reads ten bytes from the original file, then encrypts the bytes, and writes the encrypted data into the target file.
The ransomware places the ransom note on the affected devices, the group prints the ransom note to printers on the compromised network, and victims’ employees have previously reported receiving threatening phone calls from BianLian-associated individuals.
BianLian and Makop ransomware operations have been observed using the same small .NET custom executable, indicating that the groups are connected. However, the exact connection between the two operations remains unknown. Additionally, the two groups have been observed deploying the same hash of the Advanced Port Scanner tool.
Security researchers have reported there is an even chance that the BianLian operation is a rebrand of the PYSA ransomware; however, the evidence of any connection is solely based on activity timelines and TTPs.