BianLian Ransomware Gang Siphons 6.8TB of Data from Save The Children

The attack first came to light on Monday, September 11, when details concerning the assault were posted to the gang's leak site.


One of the biggest and oldest charities in the world, Save the Children, has admitted it was a victim of a ransomware attack by the BianLian operation. The attack first came to light on Monday, September 11, when details concerning the assault were posted to the gang's leak site. 

The attack was originally tracked by VX Underground and Brett Callow of Emsisoft. VX Underground declared that the gang needed "to be punched in the face," which is a statement that is difficult to dispute. 

Save the Children was not named outright at first by BianLian, which instead claimed to have struck "the world's leading non-profit organisation, employing around 25,000 staff and operating in 116 countries" with $2.8 billion in revenue.

The charity's own boilerplate matches some of this description, but BianLian's assessment of Save the Children's financial situation seems to be wildly off; the organisation's entire revenue in 2022 was £294m. 

The gang claimed to have stolen 6.8TB of data, including 800GB of the charity's financial data, human resources data, and individuals' personal information, including health and medical records and the text of emails.

The BianLian ransomware gang is largely unknown, and although its name refers to a type of Chinese opera from Sichuan Province, it is far more likely that the group is Russian-speaking. It was one of many crews that appeared during 2022, rising around the same time as groups like Black Basta, Hive, and Alphv/BlackCat and establishing itself as a successful criminal organisation.

It is among the ransomware groups that, as of 2023, have shifted away from encrypting victims' data and instead simply exfiltrate it and demand payment in exchange for a promise not to publish it.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), BianLian generally gains access to victims' systems using legitimate Remote Desktop Protocol (RDP) credentials and relies on a number of open source tools and command-line scripting for credential harvesting.

It exfiltrates data using a variety of techniques, most commonly File Transfer Protocol (FTP) and legitimate cloud storage and file-transfer tools such as Rclone and Mega. It makes a show of printing its ransom note on printers on victims' networks to apply pressure, and staff at victimised companies have reported receiving threatening phone calls from individuals posing as members of the group.
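As an added illustration (not code from the article or from CISA's advisory), the following Python sketches a detection for the pattern described above: an RDP logon followed, on the same host and under the same account, by the launch of Rclone, MEGA tooling, or an FTP client. The event field names, the tool watchlist and the sample telemetry are constructed assumptions, not a real log schema.

```python
"""Correlate interactive RDP logons with later use of exfiltration tooling.
Constructed events approximate parsed Windows Security 4624 (logon) and
process-creation records; field names are an assumption of this example."""
from datetime import datetime, timedelta

# Tools the article names as BianLian exfiltration channels, plus a plain FTP client
# (watchlist is an assumption; extend it to match your own telemetry).
EXFIL_IMAGES = {"rclone.exe", "megasync.exe", "megacmd.exe", "ftp.exe"}
RDP_LOGON_TYPE = 10  # RemoteInteractive logon type in Windows Security 4624 events

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    {"ts": "2023-09-08T02:10:05", "host": "FS01", "kind": "logon",
     "user": "svc_backup", "logon_type": RDP_LOGON_TYPE, "src_ip": "203.0.113.7"},
    {"ts": "2023-09-08T02:14:30", "host": "FS01", "kind": "process",
     "user": "svc_backup", "image": r"C:\Temp\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance mega:dump --transfers 8"},
    {"ts": "2023-09-08T09:00:00", "host": "WS22", "kind": "logon",
     "user": "jsmith", "logon_type": 2, "src_ip": "-"},
    {"ts": "2023-09-08T09:01:00", "host": "WS22", "kind": "process",
     "user": "jsmith", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def correlate_rdp_exfil(events, window=timedelta(hours=6)):
    """Return (rdp_logon, process) pairs where an RDP logon is followed within
    `window` on the same host by the same account launching a watchlisted tool."""
    logons = [e for e in events
              if e["kind"] == "logon" and e["logon_type"] == RDP_LOGON_TYPE]
    hits = []
    for proc in (e for e in events if e["kind"] == "process"):
        image = proc["image"].rsplit("\\", 1)[-1].lower()  # basename of the binary
        if image not in EXFIL_IMAGES:
            continue
        for logon in logons:
            delta = datetime.fromisoformat(proc["ts"]) - datetime.fromisoformat(logon["ts"])
            if (logon["host"] == proc["host"] and logon["user"] == proc["user"]
                    and timedelta(0) <= delta <= window):
                hits.append((logon, proc))
    return hits


if __name__ == "__main__":
    for logon, proc in correlate_rdp_exfil(SAMPLE_EVENTS):
        print(f"{proc['host']}: {logon['user']} RDP from {logon['src_ip']} at "
              f"{logon['ts']} then ran {proc['cmdline']!r} at {proc['ts']}")
```

On the constructed sample this flags the svc_backup session on FS01 and ignores the console logon on WS22; in practice the watchlist should also cover renamed binaries via hash or command-line matching.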