The invasion of command-and-control (C2) infrastructure this month by the developers of the newly discovered cross-platform BianLian ransomware is a sign that the firm's operational pace is picking up.
Researchers at Cyble Research Labs claim that BianLian has grown in popularity since it was originally discovered in mid-July and shared details on their analysis of the ransomware in a blog post last week.
It's important to note that the double extortion ransomware family is unrelated to an Android banking virus of the same name that preys on bitcoin and mobile banking apps to steal sensitive data.
With the unique BianLian virus, threat actors have so far targeted a wide range of businesses, including those in media and entertainment, manufacturing, education, healthcare, banking, financial services, and insurance (BFSI), among other industries.
According to Cyble, the media and entertainment industry has suffered the greatest number of BianLian attacks—25% of victims to date—along with 12.5% each in the professional services, manufacturing, healthcare, energy and utilities, and education industries.
Ransomware operation
The ProxyShell Microsoft Exchange Server vulnerabilities are successfully exploited to get initial access to victim networks and to drop a web shell or a ngrok payload for subsequent actions.
The BianLian actors' display dwells lengths of up to six weeks between the time of initial access and the actual encryption event, a duration that is significantly longer than the median intruder dwell time of 15 days reported in 2021.
The group is known to use a bespoke implant as a backup method for preserving persistent access to the network in addition to utilizing living-off-the-land (LotL) tactics for network profiling and lateral migration.
The main objective of the backdoor is to download arbitrary payloads from a remote server, load them into memory, and then execute them. Similar to Agenda, BianLian can boot servers in Windows safe mode so that it can run its file-encrypting malware while evading detection by the system's security tools.
According to reports, the first C2 server connected to BianLian became live in December 2021. However, since then, the infrastructure has experienced a troubling expansion, surpassing 30 active IP addresses.
BianLian is also another example of cybercriminals' persistent efforts to use hopping techniques to evade detection. It also increases the threat level associated with the use of the fundamental language Go, giving adversaries the ability to quickly modify a single codebase that can subsequently be produced for several platforms.
