BianLian Ransomware Detection: AA23-136A Joint Cybersecurity Advisory Details on TTPs Leveraged by BianLian Operators in the Ongoing Malicious Campaigns
Table of contents:
Following a wave of cyber attacks by the Iran-linked hacking collective tracked as Pioneer Kitten, the FBI, CISA, and authoring partners issue a new alert notifying defenders of a growing threat posed by BianLian Ransomware Group, which primarily targets critical infrastructure organizations in the U.S. and Australia.
Detect BianLian Ransomware
According to the State of Ransomware Report 2024 by Sophos, 59% of organizations globally have suffered a ransomware attack, with 70% of them ending up in successful data encryption. The average ransom demand has surged to $2.73 million in 2024, nearly a $1 million increase compared to 2023. This highlights the urgent need for proactive ransomware detection, making it one of the top priorities for cyber defenders.
The latest joint advisory by CISA, FBI, and partners (AA23-136A) warns security professionals of new tactics, techniques, and procedures employed by BianLian ransomware operators. To help organizations detect BianLian ransomware attacks proactively, SOC Prime’s Platform for collective cyber defense aggregates a set of relevant Sigma rules. All detections are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework to help security professionals streamline threat investigation and hunting activities.
Press the Explore Detections button below to immediately drill down to a detection content bundle aimed at detecting BianLian ransomware attacks.
To analyze BianLian attacks retrospectively and gain more context on the malicious activity linked to the ransomware gang, security practitioners might follow this link for more related content. To simplify the content search, SOC Prime supports filtering by custom tags “AA23-136A” and “BianLian” right in the Threat Detection Marketplace.
Also, security professionals might use Uncoder AI, the industry-first AI co-pilot for Detection Engineering, to instantly hunt for indicators of compromise. Uncoder AI acts as an IOC packager, enabling cyber defenders to effortlessly interpret IOCs and generate tailored hunting queries. These queries can then be seamlessly integrated into their preferred SIEM or EDR systems for immediate execution.
BianLian Ransomware Group Attack Analysis
On November 20, 2024, the U.S. and Australian leading authoring organizations issued a new AA23-136A cybersecurity alert warning the global cyber defenders community of the increasing volumes of attacks by the BianLian ransomware gang. The hacking group is involved in ransomware development, deployment, and data extortion, likely operating from russia, with several ransomware affiliates based in the country.
Since early summer 2022, BianLian has targeted critical infrastructure sectors in the U.S. and Australia, along with professional services and property development organizations. Adversaries gain access to targeted systems via valid RDP credentials, use open-source utilities for discovery and credential harvesting, and exfiltrate data through FTP, Rclone, or Mega. Initially employing a double-extortion model, the group switched to data exfiltration-based extortion in January 2023 and exclusively used this method by January 2024.
BianLian ransomware gang focuses on exploiting public-facing applications in both Windows and ESXi infrastructure, potentially using the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access.
Adversaries also deploy a custom Go-written custom-tailored backdoor, install remote management software for persistence, and create or modify local admin accounts. They may use tools like Ngrok and modified Rsocks for reverse proxy and SOCKS5 network tunneling to obscure C2 traffic. Moreover, BianLian has been observed weaponizing CVE-2022-37969 on Windows 10/11 to elevate privileges.
The hacking collective applies a wide range of techniques to hinder detection. For instance, they employ PowerShell and Windows Command Shell to disable antivirus tools, including Windows Defender and AMSI. They modify the Windows Registry to disable tamper protection for services like Sophos, allowing them to uninstall these services. Additionally, they rename binaries and scheduled tasks to resemble legitimate Windows services or security tools and may pack executables with UPX to evade detection.
BianLian group also uses a mix of compiled tools and native Windows utilities to gather information about the victim’s environment, like Advanced Port Scanner to identify open ports, SoftPerfect Network Scanner to ping computers and discover shared folders, SharpShares to enumerate network shares, and PingCastle to enumerate Active Directory.
In addition, adversaries exploit valid accounts for lateral movement and further offensive activities. They obtain credentials by searching for unsecured data on local machines using Windows Command Shell, harvesting credentials from LSASS memory, and downloading tools like RDP Recognizer to brute-force RDP passwords or check for vulnerabilities. Notably, adversaries apply additional tactics to coerce victims into paying the ransom, such as printing ransom notes on network printers and making threatening phone calls to employees of the targeted organizations.
The increasing volumes of cyber attacks against the critical infrastructure sectors related to the russia-linked BianLian ransomware affiliates encourage global organizations to search for feasible security solutions to bolster their defenses. To minimize the risks of ransomware attacks by BianLian group actors, defenders recommend limiting RDP usage, disabling command-line and scripting permissions, and restricting PowerShell access on Windows systems. In addition, timely applying a proactive cybersecurity strategy backed by cutting-edge technologies empowers security teams to effectively thwart emerging threats and future-proof their security posture. SOC Prime’s platform for collective cyber defense equips organizations across diverse industry verticals with next-gen solutions backed by community-driven threat intelligence and AI to proactively safeguard against the most sophisticated attacks that pose the greatest threat to the organization’s business.