virus logo Threat Signal Report

#StopRansomware: BianLian Ransomware

Description

What is BianLian Ransomware? BianLian is a ransomware threat actor whose modus operandi is to add victims to its own data leak site in June 2022. BianLian also refers to the file encryptor (ransomware) used by the threat actor. Victims reportedly include critical infrastructure organizations in the U.S. and Australia.
FortiGuard Labs previously reported BianLian in a Ransomware Roundup blog published on September 2nd, 2022.
What is the Attack? The BianLian ransom threat actor leverages stolen and leaked Remote Desktop Protocol (RDP) credentials for initial access, FTP, Rclone, PowerShell scripts and a public could storage for data exfiltration, and abuses Impacket tools and PsExec for lateral movements. Furthermore, it installs Go-based backdoors and legitimate Remote Access software to establish external communications and persistence. Such activities are typically done prior to deploying a Go-based BianLian encryptor to the victims' networks for data encryption. It adds a ".bianlian" file extension to files encrypted and leaves a ransom note labeled "Files encrypted by BianLian encryptor have a ".bianlian" file extension." The group was recently reported to have abandoned file encryption and focused only on data exfiltration, potentially because a free file decryptor was publicly made available.
Why is this Significant? This is significant because CISA released a new ransomware advisory for BianLian ransomware on May 16th, 2023, as part of their #StopRansomware effort. Organizations compromised by the BianLian ransomware threat actor likely will experience loss of data due to exfiltration, unwanted downtime, and ultimately, but not limited to - damage to an organization's reputation.
What FortiGuard Coverage is available? FortiGuard Labs has the following AV signatures available for known BianLian ransomware samples:
  • MSIL/BianLian.A!tr.ransom
  • W64/BianLian.A!tr.ransom
  • W32/BianLian.c7ec!tr.ransom
  • W32/BianLian.7abe!tr.ransom
  • W64/Filecoder.BT!tr.ransom
  • W32/Filecoder.BT!tr
  • W32/RANSOM.HR!tr

    • The following AV signatures may cover files and malware related to BianLian activities:
  • W64/Filecoder.GG!tr
  • W64/Agent.RA!tr
  • W64/Agent.FEDE!tr
  • W64/Agent.FCF9!tr
  • W64/Agent.ED2A!tr
  • W64/Agent.538F!tr
  • W64/Agent.6D96!tr
  • W64/Agent.9A59!tr
  • W64/Agent.7D10!tr
  • W32/PossibleThreat
  • PossibleThreat.PALLAS.M
  • PossibleThreat.PALLAS.H
  • Malicious_Behavior.SB

    		•
    FortiGuard Labs Guidance Due to the ease of disruption, damage to daily operations, potential impact to an organization's reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
    Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can originate from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
    As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
    Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
    FortiGuard Labs' Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

    Appendix

    #StopRansomware: BianLian Ransomware Group (CISA)

    Ransomware Roundup: Snatch, BianLian and Agenda (Fortinet)


    ID 42
    Date May 17, 2023
    Threat/
    Vulnerability    		 Ransomware
    Experienced a Breach? We're here to help FortiGuard Incident Response Services
    FortiGuard Incident Response Services