
BianLian gang ditches ransomware entirely in favour of straight extortion

The FBI, the Cybersecurity and Infrastructure Security Agency, and the Australian Cyber Security Centre have released a joint cyber security advisory on the changing tactics of the BianLian ransomware gang.

David Hollingworth
Thu, 18 May 2023

In fact, the advisory confirms what security researchers had observed back in March 2022 — namely that the gang is shifting away from ransomware operations and moving to strictly extortion-based campaigns against its targets.

BianLian has been active since at least June 2022 and is known to have targeted critical infrastructure in both Australia and the US. Its tactics include using Remote Desktop Protocol credentials alongside open source tools to encrypt and exfiltrate data via a number of methods, such as FTP or Rclone.

The group had used a double extortion methodology, demanding a ransom both to release the encryption key needed to restore data and to refrain from publishing the data it had exfiltrated.

However, following the release of a software tool by Avast to decrypt files without recourse to paying a ransom, the group started to move away from using ransomware. The new advisory confirms the change in tactics.

“In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion,” the advisory read. “BianLian actors warn of financial, business, and legal ramifications if payment is not made.”

Aside from contacting organisations by leaving a ransom note in the wake of its exfiltration operations, BianLian has used a number of other techniques to apply pressure on its victims. It has been known to target networked printers to share ransom notes en masse and to harass individual employees via phone.

But BianLian, as of March, maintains that while its intentions may be criminal, it still intends to be somewhat honourable about things.

“Our business depends on the reputation even more than many others,” the group has said in the past. “If we will take money and spread your information — we will have issues with payments in future. So, we will stick to our promises and reputation.”

“That works in both ways: if we said that we will email all your staff and publicly spread all your data — we will.”
