One of the nastiest ransomware groups around may have a whole new way of doing things

News
By
published

BianLian is changing the way it extorts money

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • CISA updates advisory on BianLian, originally published in May 2024
  • Agency claims the group is moving away from deploying the encryptor
  • Instead, BianLian exfiltrates sensitive data and threatens to release it

The infamous BianLian ransomware group has stopped deploying an encryptor on victim devices, and now focuses exclusively on data exfiltration, an updated security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), and partner agencies has warned.

CISA, alongside the FBI and Australian Cyber Security Centre, first published an in-depth report on BianLian in May 2024 as part of its #StopRansomware effort, detailing the group’s techniques, tactics, and procedures, but this has now been updated with new information, including the changes to the group’s modus operandi.

As it turns out, BianLian no longer encrypts the information on the endpoints of its victims. Rather, it just steals the data, and then demands payment in exchange for not leaking it to the public.

This is a change that the cybersecurity community has been warning about for quite some time now, and BianLian is hardly the only group that is no longer deploying the encryptor.

As it turns out, developing, maintaining, and deploying the encryption software is too tedious, too cumbersome, and too expensive. In terms of money extortion, simple data exfiltration yields the same results, anc crooks are taking notice.

The agencies also say BianLian is a Russian actor, based in the country, and with Russian affiliates. If the name threw you off, and made you think the group is likely Chinese (or elsewhere in the far East, for that) - that is intentional.

“The reporting agencies are aware of multiple ransomware groups, like BianLian, that seek to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts,” the report claims.

In the past, the group was observed targeting organizations in the US critical infrastructure sector, and private enterprises in Australia.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.