Fraud Management & Cybercrime , Ransomware

BianLian Skips Encryption on Way to Extortion

BianLian Is Not Double Trouble Anymore, Says US CISA
BianLian Skips Encryption on Way to Extortion
A bian lian performer in Chengdu, Sichuan province, China, in March 2022 (Image: Shutterstock)

The BianLian ransomware group is abandoning malicious encryption in favor of pure extortion, warns the U.S. top cybersecurity agency.

See Also: The Gorilla Guide to Modern Data Protection

Security researchers earlier this year spotted the group skipping over double extortion to engage in the straight extortion tactic of demanding a ransom for silence about stolen data.

Now the U.S. Cybersecurity and Infrastructure Security Agency says the same.

A major likely factor in BianLian's shift was cybersecurity firm Avast's January release of a free decryptor (see: Stung by Free Decryptor, Ransomware Group Embraces Extortion).

The group's name refers to "bian lian," an ancient Chinese dramatic art in which characters' faces change in the blink of an eye. The group apparently adopted the moniker as a boast about the speed of its encryption.

CISA says the group gains initial access to networks through compromised remote desktop protocol credentials likely acquired from initial access brokers or through phishing.

Once inside a network, BianLian hackers implant a custom backdoor specific to each victim, CISA says, and install remote management tools such as TeamViewer.

The FBI also observed BianLian group actors activate local administrator accounts and change their credentials. The hackers use Windows utilities to disable antivirus tools such as Windows Defender and the anti-malware scan interface, a Microsoft standard for integrating antivirus programs into the Windows environment.

Hackers look for sensitive files using PowerShell scripts and exfiltrate them for extortion.

BianLian receives payments in unique cryptocurrency wallets for each victim company and engages in additional techniques to pressure the victim into paying the ransom.

The threat actors use printers in the victim network to churn out ransom notes and employees of victim companies have reported receiving threatening telephone calls.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.