Ransomware group BianLian has shifted the main focus of its attacks away from encrypting victims' files and towards extortion as its means of extracting payment, according to cybersecurity firm Redacted.
The shift in operating model follows Avast's release of a decryption tool that allowed victims of the BianLian ransomware gang to decrypt and recover their files without paying any ransom. The decryption tool was released in January.
“We have increasingly observed BianLian choosing to forgo encrypting victims’ data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence,” Redacted said in a blog post. The group promises that, once paid, it will not leak the stolen data or disclose that the victim organisation suffered a breach.
BianLian claims it will ensure that the data is not leaked after it receives the payout because it needs to maintain its “reputation”.
“Our business depends on the reputation even more than many others. If we will take (the) money and spread your information- we will have issues with payments in (the) future. So, we will stick to our promises and reputation. That works in both ways: if we said that we will email all your staff and publicly spread all your data- we will,” the ransomware gang claimed, according to Redacted.
Referencing legal implications for victims
In its threat messages, the gang has also started referencing legal and regulatory implications that the victim organisation could face if the breach became public.
“The group has also gone so far as to include specific references to the subsections of several laws and statutes,” Redacted said.
Researchers at Redacted found that the laws referenced by the actors did in fact correspond to the jurisdiction where the victim was located.
“This attention to detail shows that the criminal gang is taking the extra time to tailor threats to their victims to maximise the pressure to pay the ransom,” Redacted said.
Posting masked organisation details
Another tactic BianLian has adopted is posting masked victim organisation details to its leak site more frequently. In such cases, the group posts varying degrees of detail about a victim organisation, typically masking all but a few letters of the company’s name while including high-level details such as the victim’s industry vertical, geographical location and revenue.
“While BianLian was known to use the masked victim pressure tactic prior to the release of the free decryption tool, the group’s use of the technique has exploded after the release of the tool,” Redacted said.
Between July 2022 and mid-January 2023, BianLian posted the masked details of victims 14 times. This accounted for 16% of the postings to their leak site during the nearly seven-month timeframe. In just two months after the decryptor was released, BianLian has already posted details of 22 masked victims, accounting for over half of their postings, Redacted said.
Researchers observed that the speed at which BianLian posts the masked details has also increased over time. If one is to accept the date of compromise listed by BianLian as accurate, the group averages just ten days from an initial compromise to ratcheting up the pressure on a victim by posting masked details. In some instances, BianLian appears to have posted masked details within 48 hours of a compromise, Redacted said in its report.
“With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, it appears that the previous underlying issues of BianLian’s inability to run the business side of a ransomware campaign appear to have been addressed,” Redacted said, adding that these improvements are likely the result of gaining more experience through their successful compromise of victim organisations.
About 30 new C2 servers per month
The BianLian group appears to bring close to 30 new command-and-control (C2) servers online each month. In the first half of March alone, the group had already brought 11 new C2 servers online. The average lifespan of a server is approximately two weeks, Redacted said.
Researchers have observed in multiple instances that BianLian compiled a backdoor within minutes of bringing a C2 server online. Sometimes the binary is created before the C2 server is live, while in other instances the order is reversed.
“With such a tight coupling of infrastructure and malware deployment, by the time a BianLian C2 is discovered, it is likely that the group has already established a solid foothold into a victim’s network,” Redacted said.
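The infrastructure figures above (new C2 servers per month, average server lifespan, and the minutes between a backdoor's compile time and its C2 coming online) are the kind of metrics a threat-intelligence team tracks from its own sightings table. The following is an added example, not code from Redacted's report, showing how to compute them; the sightings, hostnames and hashes are constructed placeholders, and the `compile_time` field is assumed to come from the PE header's timestamp, which an actor can forge, so a small delta is a signal to corroborate rather than proof of coupling.

```python
from datetime import datetime
from statistics import mean

# Constructed sample sightings (not data from Redacted's report).
# Each C2 record holds UTC first/last-seen times; each backdoor record holds the
# PE compile timestamp and the C2 hostname the sample calls back to.
C2_SIGHTINGS = [
    {"c2": "c2-alpha.example",   "first_seen": "2023-03-01T10:00:00", "last_seen": "2023-03-15T10:00:00"},
    {"c2": "c2-bravo.example",   "first_seen": "2023-03-06T08:00:00", "last_seen": "2023-03-18T08:00:00"},
    {"c2": "c2-charlie.example", "first_seen": "2023-03-10T12:00:00", "last_seen": "2023-03-26T12:00:00"},
    {"c2": "c2-delta.example",   "first_seen": "2023-02-20T09:00:00", "last_seen": "2023-03-06T09:00:00"},
]
BACKDOORS = [
    {"sha256": "constructed-sha256-1", "c2": "c2-alpha.example",   "compile_time": "2023-03-01T10:04:00"},
    {"sha256": "constructed-sha256-2", "c2": "c2-bravo.example",   "compile_time": "2023-03-06T07:50:00"},
    {"sha256": "constructed-sha256-3", "c2": "c2-charlie.example", "compile_time": "2023-03-13T12:00:00"},
    {"sha256": "constructed-sha256-4", "c2": "c2-unknown.example", "compile_time": "2023-03-14T00:00:00"},
]


def parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp (all times in this example are UTC)."""
    return datetime.fromisoformat(ts)


def new_c2_per_month(sightings) -> dict:
    """Count C2 servers by the month in which they were first seen."""
    counts = {}
    for s in sightings:
        key = parse(s["first_seen"]).strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return counts


def mean_lifespan_days(sightings) -> float:
    """Average days between a C2 server's first and last sighting."""
    spans = [
        (parse(s["last_seen"]) - parse(s["first_seen"])).total_seconds() / 86400
        for s in sightings
    ]
    return mean(spans)


def compile_to_c2_delta_minutes(backdoors, sightings) -> dict:
    """Minutes from a C2's first sighting to the compile time of each backdoor
    that uses it. Negative values mean the binary was built before the C2 was
    seen live (the reversed order the report describes). Samples whose C2 is
    not in the sightings table are skipped rather than guessed."""
    first_seen = {s["c2"]: parse(s["first_seen"]) for s in sightings}
    deltas = {}
    for b in backdoors:
        if b["c2"] not in first_seen:
            continue
        delta = parse(b["compile_time"]) - first_seen[b["c2"]]
        deltas[b["sha256"]] = delta.total_seconds() / 60
    return deltas


def tightly_coupled(deltas, window_minutes: float = 60) -> dict:
    """Keep only samples built within the window either side of C2 activation.
    Caveat: PE compile timestamps can be forged, so treat a hit as a lead to
    corroborate with network first-seen data, not as confirmation."""
    return {h: d for h, d in deltas.items() if abs(d) <= window_minutes}


if __name__ == "__main__":
    print("new C2 per month:", new_c2_per_month(C2_SIGHTINGS))
    print("mean C2 lifespan (days):", mean_lifespan_days(C2_SIGHTINGS))
    deltas = compile_to_c2_delta_minutes(BACKDOORS, C2_SIGHTINGS)
    print("compile-to-C2 deltas (min):", deltas)
    print("tightly coupled samples:", tightly_coupled(deltas))
```

Fed real sightings, the same three functions reproduce the report's month-over-month C2 count and lifespan figures, and the coupling window makes the report's operational point measurable: when most samples land inside a one-hour window of their C2's first sighting, a newly discovered C2 should be treated as evidence of an intrusion already under way rather than of one about to start.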
As of March 13, BianLian had listed 118 victim organisations on its leak site, with healthcare the most heavily represented vertical.