The developers of the cutting-edge cross-platform ransomware BianLian accelerated their operational tempo this month by expanding their command-and-control infrastructure. Organizations in Australia, North America, and the United Kingdom have already been attacked by BianLian Ransomware Gang, a new competitor in the ransomware market.
There has been a “troubling” increase in the rate at which BianLian is bringing additional command-and-control (C&C) servers online, claims an alert from cybersecurity firm Redacted.
The ransomware targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain. It was developed using the open source programming language Golang (Go) (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
In Friday’s post, the researchers said “While we lack the knowledge of precise cause for sudden growth in the explosion. This may signal that they are ready to increase their operational tempo. However, whatever the reason, there is little benefit to a ransomware operator having more resources available to them.
The popularity of BianLian has increased after its discovery in mid-July, according to researchers at Cyble Research Labs, who last month revealed information on the ransomware.
The BianLian Ransomware Attack Flow
The ransomware gang uses the access granted by the ProxyShell vulnerabilities to install a Web shell or a ngrok payload for activity monitoring to launch its attacks. As it searches for data and seeks out machines to encrypt, the organization has been careful to prevent discovery and reduce observable occurrences, researchers said.
BianLian used typical living off the land (LoL) strategies for network characterization and lateral movement in a campaign. These included reg.exe to change different registry settings pertaining to remote desktop and security policy enforcement, net.exe to add and/or modify user rights, and netsh.exe to configure host firewall policies.
The gang uses a bespoke implant as an alternate method to sustain persistent network access in addition to utilizing LoL tactics. This “simple but effective” backdoor’s primary goal is the ability to download and execute arbitrary payloads from a remote server.
According to the report, “BianLian have demonstrated themselves to be adept at moving laterally, adjusting their operations based on the capabilities and defenses they encountered in the network.”
The ability to launch servers in Windows Safe Mode allows BianLian, like other recent cross-platform ransomware like Agenda, Monster, and RedAlert, to carry out its file-encrypting virus while evading detection by the system’s security programmes. Other steps taken to get over security hurdles include erasing snapshots, cleaning up backups, and using Windows Remote Management (WinRM) and PowerShell scripts to run its Golang encryption module.
With the group’s appearance, there are now more dangers to using Go as a base language, giving enemies the ability to quickly modify a single code base that can subsequently be produced for several platforms.
Ransomware Runs Wild
According to Acronis’ mid-year cyber-threats assessment, ransomware remains the top threat to large and medium businesses, as well as government agencies, and Sophos’ research suggests that ransomware gangs may be coordinating multiple attacks.
The rise of data marketplaces, which make it simpler for threat actors to locate and use data exfiltrated during ransomware assaults in follow-up attacks, has further complicated the security picture.
According to a BlackBerry poll, ransomware coverage is insufficient even among companies having cyber insurance, despite the increased risk level and sophistication of ransomware assaults.
To lessen the threat posed by ransomware attackers, the Redacted advice suggested using a layered strategy.
“Focus needs to be placed on decreasing your attack surface to minimize the most prevalent sorts of exploitation techniques,” the paper advised. “But it’s also important to prepare to act swiftly and efficiently when a compromise invariably occurs.”
Multifactor Authentication (MFA), secure backups, and an incident response plan form the basis of this technique.
