BianLian Ransomware Gang: Everything CISOs Need To Know
According to IBM X-Force’s annual Threat Intelligence Index report, organizations are getting better at defending against ransomware. Recent media reports also indicate that ransomware attacks may be declining.
While these narratives may suggest that cybercriminals are pausing or encountering significant roadblocks, Chief Information Security Officers (CISOs) and their organizations should be wary. Cybercriminals are known to regroup and adapt when faced with challenges, and this is no exception.
In fact, reports also indicate that certain ransomware groups are shifting tactics altogether by forgoing encryption methods and deploying harmful extortion, sometimes even double extortion, methods.
The BianLian Ransomware Gang, among others, is leading the charge.
What Is The BianLian Ransomware Gang?
BianLian is a young cyber threat group that first made the news last year. In 2022, BianLian showed a capability for exploiting security vulnerabilities and encrypting sensitive data within breached networks using an open-source ransomware variant. Reported victims were typically in media and entertainment, along with a few other notable industries such as healthcare, education and manufacturing.
In the last few months, BianLian’s list of victims has grown considerably across countries like the United States and has narrowed to industries like healthcare, education, engineering and IT.
BianLian Ransomware Analysis – How Do They Work?
BianLian continues to stick with its original formula, exploiting vulnerabilities to move within breached networks undetected. The group uses custom malware, which can be difficult to reverse-engineer.
Step One: BianLian has shown adaptability against most security defenses and primarily seeks to establish a Go-based backdoor within the targeted network. Once this is in place, the gang members use built-in tooling such as PowerShell to move laterally, then combine their custom malware with a command and control (C2) server to create several backdoor options in case one is disrupted.
Step Two: BianLian then seeks out the most valuable data within the targeted network and has a history of encrypting this information. To limit opportunities for defenders to observe this internal activity, they avoid pinging targets and instead use the ‘arp’ command to identify the hosts that are most responsive.
Step Three: Once BianLian settles on a host, they use Living off the Land (LotL) techniques such as net.exe to adjust permissions, firewall policies and other security policies.
Step Four: Finally, once the threat actor is ready to begin encrypting data, they behave aggressively and attack any security defense in the way.
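The steps above map onto a few host-level signals a defender can look for: PowerShell used for remote execution, arp-based host discovery in place of ping, and net.exe used to change group membership or policy. The following is an added example, not code from the article or from Portal26: a small Python detection sketch that scores normalised process-creation events per host and raises an alert when several of these behaviours co-occur. The field names (`host`, `image`, `cmdline`, `user`), the rule weights, the threshold and the sample events are all assumptions constructed for this example.

```python
"""Score process-creation telemetry for the LotL behaviours described above.

Added example, not code from the original article or from any vendor.
Assumes process-creation events (e.g. Sysmon Event ID 1 or EDR process
telemetry) have already been normalised into dicts with the fields below.
"""
import ntpath
import re
from collections import defaultdict

# Each rule: (name, regex over "<image basename> <command line>", weight).
# The weights are assumptions for this example, not values from the article.
RULES = [
    # net.exe / net1.exe touching users or group membership (Step Three)
    ("lotl_net_exe",
     re.compile(r"^net1?\.exe\b.*\b(user|localgroup|group)\b", re.I), 3),
    # arp used for host discovery instead of ping (Step Two)
    ("arp_host_discovery",
     re.compile(r"^arp(\.exe)?\s", re.I), 2),
    # PowerShell remoting primitives used for lateral movement (Step One)
    ("powershell_lateral",
     re.compile(r"^powershell(\.exe)?\b.*(Invoke-Command|Enter-PSSession|-ComputerName)", re.I), 3),
]


def classify_event(event):
    """Return [(rule_name, weight), ...] for every rule the event matches.

    event: dict with at least "image" (full path as logged, Windows style)
    and "cmdline" (the full command line as logged).
    """
    # ntpath.basename handles backslash paths even when run on Linux.
    text = f"{ntpath.basename(event['image'])} {event['cmdline']}"
    return [(name, weight) for name, pattern, weight in RULES if pattern.search(text)]


def score_hosts(events, threshold=5):
    """Aggregate distinct matched rules per host; return hosts at/over threshold.

    Scoring counts each rule once per host, so one noisy tool (e.g. a helpdesk
    user running arp repeatedly) cannot reach the threshold on its own; the
    alert fires only when several of the behaviours co-occur on one host.
    Returns {host: {"score": int, "rules": [sorted rule names]}}.
    """
    hits = defaultdict(dict)  # host -> {rule_name: weight}
    for ev in events:
        for name, weight in classify_event(ev):
            hits[ev["host"]][name] = weight
    return {
        host: {"score": sum(rules.values()), "rules": sorted(rules)}
        for host, rules in hits.items()
        if sum(rules.values()) >= threshold
    }


# Constructed sample telemetry (not real logs). HOST-A shows all three
# behaviours; HOST-B shows only a single benign-looking arp listing.
SAMPLE_EVENTS = [
    {"host": "HOST-A", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Invoke-Command -ComputerName FS01 -ScriptBlock {hostname}"},
    {"host": "HOST-A", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\arp.exe", "cmdline": "arp -a"},
    {"host": "HOST-A", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup Administrators"},
    {"host": "HOST-B", "user": "CORP\\helpdesk",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"host": "HOST-B", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\arp.exe", "cmdline": "arp -a"},
    {"host": "HOST-C", "user": "CORP\\alice",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: score={info['score']} rules={info['rules']}")
```

With the constructed events, only HOST-A crosses the threshold (score 8, all three rules); HOST-B matches one rule and stays below it. In practice the regexes would be tuned against the environment’s baseline of legitimate `net`, `arp` and PowerShell remoting use, and the threshold lowered or raised accordingly.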
However, while this group previously favored encrypting stolen data to then ransom, Avast recently released a free decryptor for BianLian’s victims.
A Shift From Encryption To Extortion
Organizations looking to defend themselves against ransomware groups like BianLian, those making the switch from encryption to extortion, should understand that these threat actors are no longer simply stealing data. They are targeting specific information that can be leveraged under threat of a leak, such as Personally Identifiable Information (PII) and Personal Health Information (PHI).
While most ransomware groups continue to use encryption, more threat actor groups are moving toward encryption-less techniques.
As more organizations develop and publicly release such decryptors, more threat actor groups may switch to a more dangerous tactic: data-leak extortion.
Ransomware Prevention: How Can CISOs and Their Organizations Defend Against BianLian Ransomware?
Those in the healthcare industry specifically can find more information about the data-protection best practices recommended by the United States in our blog post on the Daixin Ransomware Group.
However, CISOs and security advisors in any industry should be wary of extortion attacks. Groups like BianLian will steal valuable data and threaten to leak it publicly or sell it to the highest dark web bidder. In some cases, despite paying the demanded ransom, double extortion may occur where these groups will extort organizations and individuals further.
Portal26’s multi-use solutions support all industries and verticals, including healthcare. By using Portal26, CISOs and their organizations can ensure existing systems are secure against ransomware, data exfiltration and extortion.
With six security-preserving modules that deliver strong data protection across the enterprise, Portal26’s 10-in-1 security solution can provide enterprises with an effective shield against cyberattacks like ransomware and extortionware. Regardless of network compromise, attackers are incapable of decrypting sensitive data; thus the blast radius from exfiltration attacks is eliminated.
Portal26’s Ransomware Prevention Offerings
Portal26 FileShare Security: Portal26 FileShare provides always-on encryption for file servers and other file-sharing platforms. Portal26 ensures that all files are always secured with NIST FIPS 140-2 validated strong encryption and unencrypted data is not available directly from the file share regardless of privilege. Since data is encrypted before it lands, ransomware actors cannot access unencrypted data even if they are inside the firewall and moving laterally without restriction. The data release is strongly governed via policy, can be released in a number of private formats, can be rate limited, and can be plugged into other access controls as required.
Portal26 Vault: Portal26 Vault is a stand-alone data vault that can store and analyze structured and unstructured data, all while retaining strong NIST FIPS 140-2 encryption without decrypting data at any time, including in memory or under the hood. With backup in place and strong encryption-in-use, Portal26 Vault is immune to cyberattacks, including ransomware. The Portal26 Vault also wins against traditional tokenization solutions by providing all the capabilities of tokenization with the added benefit of rich data usability. If used for tokenization, the Portal26 Vault can secure any type of existing datastore or existing application and also build ground-up systems that are natively immune to data compromise. Data can be released from the Vault in nine different privacy-preserving formats so that downstream systems are also protected from ransomware attacks and insider threats.
Portal26 Plugin: Portal26 Plugin protects sensitive data inside major enterprise search platforms without limiting full-featured search capabilities or degrading search performance. Portal26 Plugin is available for all versions of Elasticsearch, OpenDistro, and OpenSearch on AWS/Azure. The Portal26 plugin can be up and running on enormous big-data clusters within hours. Data inside Portal26-protected platforms cannot be exfiltrated in clear text, even if the cluster is compromised during a ransomware attack or insider attack, or is left exposed by accident.
Portal26 API/Translation service: Portal26’s API service can stand alone or integrate with any of the other Portal26 products to yield a high-performing data translation service. The Portal26 Translation Service can be used independently to make existing applications resistant to ransomware and other data-related cyberattacks. It can also ensure that protected data leaving other Portal26 products can be easily translated into clear text or other private formats by downstream applications. With nine secure and private formats (including searchable encryption) across data types including keywords, text, numbers, dates, IP addresses, binary and PII-specific data types, the Portal26 API enables other Portal26-protected systems to be completely locked down, in line with the Zero Trust Data security standard.
Portal26 Studio: Finally, the Studio provides an interface for managing other Portal26 products. It provides dashboards, reports, and granular compliance certifications in the event of a successful attack. Uniquely, the Portal26 Studio gives CISOs critical post-attack documentation as they can use Portal26 Studio reports as auditable evidence that their data retained encryption throughout the attack.
Highlights of the product’s capabilities include:
- Protection from the most common and highly damaging types of ransomware attacks involving data exfiltration. These include large-scale unstructured and structured data exfiltration using privileged credentials.
- Strong security benefits without performance penalty. Portal26’s data ingest overhead is under 5% compared to clear text, and Portal26 runs search with 0% overhead. Depending on the volume of data, the storage overhead is typically 15%. Portal26’s closest comparable solutions suffer from exceedingly large compute (500% overhead) and storage (10,000% overhead) requirements.
- Portal26’s ability to release data in an application-friendly manner minimizes the need for application changes.
- Portal26 has been built to perform at an enormous data scale without loss of performance, handling petabytes of data and millions of keys with ease.
- Portal26 provides post-attack support for those who suffer a cyber attack. Uniquely, in the event of an attack, the software provides a report with visibility into any data that was observed, accessed, or exfiltrated. This offers auditable evidence that the data retained encryption. This helps avoid ransom payouts and also reduces liability, penalty, and notification obligations for regulated industries, private companies, and all who have a duty to their users to protect data.
To avoid falling victim to BianLian Ransomware, you can learn more about Portal26’s six ransomware prevention security modules here. Security professionals can also schedule a demo to get a deeper understanding of Portal26’s converged data security platform.