On Tuesday 16th of May 2023, the United States Federal Bureau of Investigation (FBI) released a joint TLP:CLEAR cybersecurity advisory warning organisations of the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group. The advisory highlighted that BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organisations in multiple U.S. critical infrastructure sectors since June 2022. It also revealed that BianLian initially employed a double-extortion model, encrypting systems after stealing personal data from victim networks and then threatening to publish the files. However, since January 2023, when Avast released a decryptor for the ransomware, the group switched to primarily exfiltration-based extortion without encrypting systems.
This joint cybersecurity advisory was released in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) to disseminate known BianLian ransomware indicators of compromise (IOCs) and TTPs associated with ransomware variants identified through investigations as recently as March 2023. The advisory also revealed that BianLian has been observed breaching systems using valid Remote Desktop Protocol (RDP) credentials, which are likely acquired from initial access brokers or through phishing.
In the advisory, the FBI asked for any information related to the Royal ransomware to be shared with them. This information can include “boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with BianLian actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.