Cybersecurity officials, the FBI, Microsoft and Sophos are warning organizations to limit their use of some legitimate tools, as those tools are being leveraged by the BianLian group, a ransomware group that has moved to a data extortion model that bypasses the need to encrypt victims’ data.
According to a joint advisory from CISA and its Australian counterpart, the Australian Cyber Security Centre (ACSC), together with the FBI and with input from Microsoft and Sophos, the BianLian group is a ransomware developer, deployer and data extortion group that has been active since June 2022. The group originally used a double-extortion model in which it encrypted systems after exfiltrating data, but since January 2023 it has shifted to largely exfiltration-based extortion: it skips encryption and uses the threat of leaking sensitive data to compel victims to pay the ransom.
How the BianLian Ransomware group gains initial access and evades detection
According to the advisory, the group leverages legitimate IT tools and credentials to gain access and steal data: valid Remote Desktop Protocol (RDP) credentials for access, open-source tools and command-line scripting for discovery and credential harvesting, and File Transfer Protocol (FTP), Rclone or Mega for data exfiltration.
Initial access is gained with compromised RDP credentials, which officials say are likely acquired from initial access brokers or via phishing.
To evade detection, the BianLian group uses PowerShell and Windows Command Shell to disable antivirus tooling, specifically Windows Defender and the Antimalware Scan Interface (AMSI). The group also modifies the Windows Registry to disable tamper protection for the Sophos SAVEnabled and SEDEnabled settings and the SAVService service, which lets it uninstall those Sophos components.
How the BianLian Ransomware group learns about the victim’s environment
For discovery, the BianLian group uses a variety of tools, including native Windows tools and Windows Command Shell, to get an overview of the victim’s environment.
To scan the network for open ports and ping computers, the group uses Advanced Port Scanner and SoftPerfect Network Scanner.
The group also uses SharpShares to enumerate accessible network shares in a domain and PingCastle to enumerate Active Directory and provide a map to visualize the hierarchy of trust relationships, according to the advisory.
Meanwhile, native Windows tools and Windows Command Shell are used to query logged-in users and query the domain to identify all groups, accounts in the Domain Admins and Domain Computers groups, and all users in the domain. In addition, the tools are used to retrieve a list of all domain controllers and domain trusts and identify accessible devices on the network, according to the advisory.
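The discovery steps above are individually unremarkable (a help desk runs net user and nltest every day); what stands out is several distinct enumeration categories from one host in a short burst. As an added example, not code from the advisory or from the agencies that published it, the Python script below classifies process-creation command lines into discovery categories and alerts when one host crosses a threshold of distinct categories inside a sliding window. Event field names mirror Windows Security event 4688 (Computer, TimeCreated, CommandLine); the category names, the four-category threshold, the 30-minute window and the tool binary names are assumptions chosen for illustration, and the sample events are constructed.

```python
"""Flag hosts where the advisory's discovery chain runs as a burst.

Added example, not code from the advisory. Events mimic Windows Security
event 4688 fields (Computer, TimeCreated, CommandLine); the sample data below is
constructed. Category names, the threshold and the window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, regex over the lowercased command line). Several hits in one
# category count once, so a noisy script does not inflate the score.
# Binary names for the third-party scanners are assumed, not taken from the page.
DISCOVERY_RULES = [
    ("logged_in_users", re.compile(r"\b(quser|query\s+user|qwinsta)\b")),
    ("domain_group_listing", re.compile(r"\bnet\s+group\s+/domain\b")),
    ("domain_group_members", re.compile(
        r'\bnet\s+group\s+"?domain\s+(admins|computers)"?\s+/domain\b')),
    ("domain_users", re.compile(r"\bnet\s+user\s+/domain\b")),
    ("domain_controllers", re.compile(r"\bnltest\b.*?/dclist")),
    ("domain_trusts", re.compile(r"\bnltest\b.*?/domain_trusts")),
    ("network_shares", re.compile(r"\b(net\s+view|sharpshares)\b")),
    ("port_scan", re.compile(r"\b(advanced_port_scanner|netscan)(\.exe)?\b")),
    ("ad_mapping", re.compile(r"\bpingcastle(\.exe)?\b")),
]

THRESHOLD = 4                   # distinct categories needed on one host (assumption)
WINDOW = timedelta(minutes=30)  # sliding window over event timestamps (assumption)


def classify(command_line):
    """Return the set of discovery categories a single command line matches."""
    cl = command_line.lower()
    return {cat for cat, rx in DISCOVERY_RULES if rx.search(cl)}


def score_hosts(events, threshold=THRESHOLD, window=WINDOW):
    """Map host -> sorted categories for every host that reaches `threshold`
    distinct categories inside one sliding `window`; other hosts are omitted."""
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev["CommandLine"])
        if cats:
            ts = datetime.fromisoformat(ev["TimeCreated"])
            by_host[ev["Computer"]].append((ts, cats))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, cats in hits[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts


SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    {"Computer": "WS01", "TimeCreated": "2023-04-03T09:12:01", "CommandLine": "quser"},
    {"Computer": "WS01", "TimeCreated": "2023-04-03T09:12:40", "CommandLine": "net group /domain"},
    {"Computer": "WS01", "TimeCreated": "2023-04-03T09:13:05",
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"Computer": "WS01", "TimeCreated": "2023-04-03T09:13:30",
     "CommandLine": "nltest /dclist:corp.example"},
    {"Computer": "WS01", "TimeCreated": "2023-04-03T09:14:10", "CommandLine": "nltest /domain_trusts"},
    {"Computer": "WS01", "TimeCreated": "2023-04-03T09:16:00",
     "CommandLine": r"C:\Users\jdoe\Downloads\SharpShares.exe /threads:50"},
    # Help desk looking up one user and one DC hours apart: no alert.
    {"Computer": "WS02", "TimeCreated": "2023-04-03T10:00:00", "CommandLine": "net user alice /domain"},
    {"Computer": "WS02", "TimeCreated": "2023-04-03T15:45:00",
     "CommandLine": "nltest /dclist:corp.example"},
]

if __name__ == "__main__":
    for host, cats in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(cats)} discovery categories: {', '.join(cats)}")
```

Counting distinct categories rather than raw hits is what keeps a single looping script from tripping the alert, and it means the threshold can be tuned against a baseline of how many categories legitimate admin sessions normally touch. Note that a single user lookup such as net user alice /domain is deliberately not classified; only whole-domain enumeration counts.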
How BianLian Ransomware group obtains credentials and moves laterally
To move laterally through the network and conduct further malicious activity, the BianLian group uses valid accounts. It obtains their credentials in several ways: using Windows Command Shell to find unsecured credentials on the local machine, harvesting credentials from Local Security Authority Subsystem Service (LSASS) memory, using RDP Recognizer to brute force RDP passwords or check for RDP vulnerabilities, and accessing the Active Directory domain database (NTDS.dit).
In one case, BianLian ransomware actors were observed using a portable executable version of an Impacket tool to move laterally to a domain controller and harvest credential hashes, authorities say.
Through Command Shell, an Impacket user with credentials can run commands on a remote device using the Windows management protocols required to support an enterprise network. This allows threat actors to run portable executable files on victim systems using local user rights, but only if the executable is not blocked.
BianLian group actors use PsExec and RDP with valid accounts for lateral movement, the advisory states. Prior to using RDP, BianLian actors used Command Shell and native Windows tools to add user accounts to the local Remote Desktop Users group, change the added account’s password, and modify Windows firewall rules to allow inbound RDP traffic.
In one case, the FBI found a forensic artifact (exp.exe) on a compromised system that likely exploits the Netlogon vulnerability (CVE-2020-1472) and connects to a domain controller, authorities say.
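Each of the three RDP-staging steps above has a benign twin (an admin grants remote desktop access, resets a password, or opens a firewall port), so a useful detection correlates them on one host and ties the first two to the same account. As an added example, not code from the advisory or the agencies behind it, the Python script below does that over process-creation command lines. The account is captured from net localgroup ... /add and net user <account> <password>; the firewall change is host-wide and is credited to any staged account on that host. The sample events are constructed, and the script enforces no time window, which is a simplification a production rule would not make.

```python
"""Correlate the three RDP-staging steps from the advisory on one host.

Added example, not code from the advisory. Events carry the command line of a
process-creation record (Computer, CommandLine); the samples are constructed.
No time window is enforced, which is a simplification.
"""
import re
from collections import defaultdict

# Regexes run over the lowercased command line. Two steps name an account;
# the firewall change is host-wide and carries no account.
STEP_PATTERNS = {
    "add_rdp_user": re.compile(
        r'\bnet\s+localgroup\s+"?remote\s+desktop\s+users"?\s+(?P<account>[^\s"/]+)\s+/add\b'),
    # `net user <account> <password>`; the negative lookahead rejects switches
    # such as `/domain` or `/add` standing where the password would be.
    "set_password": re.compile(
        r'\bnet\s+user\s+(?P<account>[^\s"/]+)\s+(?!/)\S+(?:\s|$)'),
    # Either an explicit inbound allow on 3389 or enabling the built-in
    # "Remote Desktop" rule group.
    "open_firewall": re.compile(
        r'\bnetsh\b.*?\bfirewall\b.*?(?:'
        r'\blocalport=3389\b.*?\baction=allow\b|\baction=allow\b.*?\blocalport=3389\b|'
        r'group="?remote\s+desktop"?.*?\benable=yes\b)'),
}

REQUIRED_STEPS = ("add_rdp_user", "set_password", "open_firewall")


def match_steps(command_line):
    """Return [(step, account_or_None)] for every staging step a command line matches."""
    cl = command_line.lower()
    hits = []
    for step, rx in STEP_PATTERNS.items():
        m = rx.search(cl)
        if m:
            hits.append((step, m.groupdict().get("account")))
    return hits


def find_rdp_staging(events, required=REQUIRED_STEPS):
    """Return {host: {account: sorted(steps)}} for accounts that, on one host,
    accumulated every step in `required`. The firewall step is credited to each
    account staged on that host, since the command names no user."""
    accounts = defaultdict(lambda: defaultdict(set))  # host -> account -> steps
    firewall_opened = set()                            # hosts with the firewall step
    for ev in events:
        for step, account in match_steps(ev["CommandLine"]):
            if account is None:
                firewall_opened.add(ev["Computer"])
            else:
                accounts[ev["Computer"]][account].add(step)

    findings = {}
    for host, per_account in accounts.items():
        for account, steps in per_account.items():
            if host in firewall_opened:
                steps = steps | {"open_firewall"}
            if all(s in steps for s in required):
                findings.setdefault(host, {})[account] = sorted(steps)
    return findings


SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    {"Computer": "FS01", "CommandLine": 'net localgroup "Remote Desktop Users" svc_backup /add'},
    {"Computer": "FS01", "CommandLine": "net user svc_backup Winter2023!"},
    {"Computer": "FS01", "CommandLine": 'netsh advfirewall firewall add rule name="Remote Desktop" '
                                        "dir=in protocol=TCP localport=3389 action=allow"},
    # Routine password reset elsewhere: no group or firewall change, no finding.
    {"Computer": "WS07", "CommandLine": "net user alice NewPass1!"},
    # Group membership change on its own: tracked but below the bar.
    {"Computer": "WS08", "CommandLine": 'net localgroup "Remote Desktop Users" bob /add'},
]

if __name__ == "__main__":
    for host, per_account in find_rdp_staging(SAMPLE_EVENTS).items():
        for account, steps in per_account.items():
            print(f"{host}: account {account} staged for RDP via {', '.join(steps)}")
```

Requiring all three steps keeps the rule quiet on ordinary administration; if you lower the bar to two, the net user password change is the step to drop first, since it is the most common legitimate action of the three. A production version would also bound the correlation to a window of hours and key on the executing user, not only the host.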
BianLian Ransomware group’s collection and exfiltration
According to the advisory, the BianLian ransomware group has been observed using malware that enumerates registry and files and copies clipboard data from users.
The group searches for sensitive files using PowerShell scripts and exfiltrates them for data extortion, which is a departure from the group’s previous activity of encrypting files before extortion attempts.
BianLian group uses FTP and Rclone, a tool for syncing files to cloud storage, to exfiltrate data. The group has been observed installing Rclone and other files in generic and generally unchecked folders, and using the Mega file-sharing service to exfiltrate victim data.
According to a ransom note, BianLian group specifically looks for financial, client, business, technical and personal files.
If a victim refuses to pay, the group threatens to publish exfiltrated data to a leak website on the Tor network. The ransom note directs victims to a Tox ID and a Tox chat or email address to communicate with the attackers.
The group communicates in a variety of ways, including printing a ransom note to printers on the compromised network.
How to Protect Against a BianLian Ransomware attack
In addition to typical ransomware mitigations, organizations are urged to limit the use of RDP and other remote desktop services, disable command-line and scripting activities and permissions where they are not needed, restrict the use of PowerShell, and update Windows PowerShell or PowerShell Core to the latest version while uninstalling earlier versions.
Read the advisory for more information, including the full list of recommendations and indicators of compromise.