BianLian Ransomware

Adversaries behind a cross-platform BianLian ransomware target businesses in Australia, North America, and the UK, attacking multiple industries, including media and entertainment, healthcare, education, and manufacturing.

The ransomware strain first surfaced in December 2021 and, according to recent reports, is currently undergoing active development. BianLian Ransomware Gang has already compromised at least 20 companies; however, the actual numbers are probably higher, given that the victims who paid the ransom are not listed on adversaries’ data leak site on Tor.

Detect BianLian Ransomware

To identify behaviors associated with BianLian ransomware, utilize the following threat detection content released by seasoned Threat Bounty contributor Aytek Aytemur:

New BianLian Ransomware[CVE-2021-34473] Behavior by Detection of Associated Processes (via process_creation)

The Sigma rule is aligned with the MITRE ATT&CK® framework v.10 and has translations for 26 SIEM, EDR & XDR platforms.

Risking sounding like a broken record, we want to stress the paramount importance of timely threat prevention & detection. Strengthen your security posture by utilizing vetted threat detection content, effortlessly search for related threats, and instantly delve into contextual metadata, like CTI and ATT&CK references. Press the Explore Threat Context button and drill down to relevant search results using SOC Prime Cyber Threats Search Engine.

Explore Detections  

BianLian Ransomware Description

Written in Go, the BianLian ransomware is designed for compromising SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerabilities. The ransomware actor employs sophisticated techniques to break into systems and move laterally undetected, despite being a new player in the ransomware landscape. Upon exploits, attackers fetch malicious payloads from a remote server and run them. Also, researchers report cases of prolonged dwell times in all of the detailed attacks.

The research data indicates ransomware operators’ investment in new C&C servers, ensuring the campaign is picking up steam pretty quickly.

Golang-based ransomware is rising in popularity, and security researchers predict that we will see a steady increase of attacks leveraging this malware type in the near future. The high demand may be explained by the code versatility (once written the malware may be used across different OS) and Go-based malware pieces’ preeminent stealthiness.

Ransomware continues to be one of the most lucrative sources of income for many threat actors in 2022. With financially-motivated attacks crippling businesses’ day-to-day flows and putting devastating financial strains on their targets, the best option is to arm with the best industry-specific solutions available – no matter the size or line of your business. Join SOC Prime’s Detection as Code platform to unlock access to the world’s largest pool of detection content created by reputable experts in the field. Rest assured that you will not be missing out on any essential updates since our SOC experts strive to publish all the latest detections, maintaining a swift response to the latest threats.



Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts