Researchers have discovered that BianLian ransomware activity is on the rise

A new ransomware player called BianLian is ramping up activity, and has already targeted organizations in Australia, North America and the UK.

According to an advisory from cybersecurity firm Redacted, there has been a “worrying” rise in the rate at which BianLian is introducing new online command and control (C&C) servers.

The ransomware is written in Golang (Go), the open source programming language created by Google, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

“While we lack the foresight to know the exact cause of this sudden explosion in growth, this may indicate that they are ready to step up their operational pace, although whatever the reason, there is little good that comes from a ransomware operator with more resources available to them,” the researchers noted in a Friday post.

BianLian has grown in prominence since it first surfaced in mid-July, according to researchers at Cyble Research Labs, which posted details on the ransomware last month.

BianLian Ransomware Attack Flow

To begin its attacks, the ransomware gang uses access gained through the ProxyShell vulnerabilities to install a web shell or ngrok payload for monitoring activities. The researchers said the group was careful to avoid detection and minimize observable events as it searched for data and selected machines to encrypt.

In the campaign observed by Redacted, BianLian most often used standard ‘living off the land’ (LoL) techniques for network profiling and lateral movement, the report indicated. These included net.exe to add and/or modify user permissions, netsh.exe to configure host firewall policies, and reg.exe to adjust registry settings related to remote desktop and security policy enforcement.

In addition to LoL techniques, the group is also known to deploy a custom implant as an alternative way to maintain persistent access to the network. The main purpose of this “simple and efficient” backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.

“BianLian demonstrated that they are adept at systematically moving horizontally, fine-tuning their operations based on the capabilities and defenses they encountered in the network,” the report stated.

BianLian, like other new cross-platform ransomware families such as Agenda, Monster and Red Alert, is also able to boot servers into Windows Safe Mode to run its file-encrypting payload while remaining undetected by security solutions installed on the system. Other actions taken to circumvent security controls include deleting snapshots, purging backups, and running the Go encryptor via Windows Remote Management (WinRM) and PowerShell scripts.
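The LoL tools listed above (net.exe, netsh.exe, reg.exe) and the Safe Mode, snapshot and backup actions in this section all surface as process-creation events, which is where a SOC can catch them. The following is an added detection sketch in Python, not code from Redacted or Cyble: it runs simple rules over constructed process-creation records (in the shape of the Windows Security event 4688 fields) and flags hosts on which several distinct behaviours occur together. The record format, rule names and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str     # rule id reported on a hit
    image: str    # process image basename, lower-case
    pattern: str  # case-insensitive regex over the command line

# Behaviours named in the report above, reduced to (image, command-line) shape.
RULES = [
    Rule("net_user_modify", "net.exe", r"\b(user|localgroup)\b.*\s/add\b"),
    Rule("netsh_firewall_change", "netsh.exe", r"advfirewall\s+(set|firewall\s+(add|set|delete))"),
    Rule("reg_rdp_policy", "reg.exe", r"\badd\b.*(Terminal Server|fDenyTSConnections)"),
    Rule("bcdedit_safeboot", "bcdedit.exe", r"\bsafeboot\b"),
    Rule("shadow_copy_delete", "vssadmin.exe", r"delete\s+shadows"),
    Rule("backup_catalog_delete", "wbadmin.exe", r"delete\s+(catalog|systemstatebackup)"),
]

def parse_event(line):
    # Constructed record: host|user|NewProcessName|CommandLine (the 4688 fields the rules need).
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}
def match_rules(event):
    # Names of every rule whose image matches and whose regex hits the command line.
    return [r.name for r in RULES
            if r.image == event["image"] and re.search(r.pattern, event["cmdline"], re.IGNORECASE)]
def scan(lines):
    # (host, rule_name) hits over a whole log, in log order.
    return [(ev["host"], name) for ev in map(parse_event, lines) for name in match_rules(ev)]
def flag_hosts(hits, min_rules=3):
    # Hosts where several *distinct* rules fired: one hit is often admin noise,
    # several together look like the hands-on chain described in the report.
    seen = defaultdict(set)
    for host, name in hits:
        seen[host].add(name)
    return {host for host, names in seen.items() if len(names) >= min_rules}

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r"srv01|CORP\jdoe|C:\Windows\System32\net.exe|net user helpdesk /add",
    r"srv01|CORP\jdoe|C:\Windows\System32\net.exe|net use \\fs01\public",  # benign: no hit
    r"ws07|CORP\ops|C:\Windows\System32\netsh.exe|netsh advfirewall set currentprofile state off",
    r'srv01|CORP\jdoe|C:\Windows\System32\reg.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"srv01|CORP\jdoe|C:\Windows\System32\bcdedit.exe|bcdedit /set {current} safeboot network",
    r"srv01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"srv01|CORP\jdoe|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet",
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG), sorted(flag_hosts(scan(SAMPLE_LOG))))
```

On the sample log, srv01 trips five distinct rules and is flagged, while ws07's single firewall change stays below the threshold, which is the point of correlating per host rather than alerting on each command.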

The group's emergence adds to the growing number of threats that use Go as their primary language, which allows adversaries to make quick changes to a single code base that can then be compiled for multiple platforms.

Ransomware operates on a large scale

Acronis’ mid-year cyberthreats report finds that ransomware remains the top threat to large and medium-sized companies, including government institutions, while research from Sophos indicates that ransomware gangs may be working together to orchestrate multiple attacks.

Further complicating the security landscape is the emergence of data markets that make it easier for threat actors to find and use data leaked during ransomware attacks in follow-up attacks.

Despite the increased risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among companies that have cyber insurance, according to a BlackBerry study.

The Redacted report recommended using a multi-layered approach when trying to mitigate the threat posed by ransomware actors.

“The focus should be on reducing the attack space to avoid the most common types of exploit techniques, but also a willingness to act quickly and effectively when compromise inevitably occurs,” the report said.

The foundation of this strategy includes multi-factor authentication (MFA), secure backups, and an incident response plan.
