Joint advisory: BianLian Data Extortion Group ransomware threat

Nov. 25, 2024
Updates to the original advisory.

On November 20, 2024, three agencies updated their joint advisory originally published in May 2023 as part of the #StopRansomware effort.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) published the original advisory to “disseminate known BianLian ransomware and data extortion group indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI and ASD’s ACSC investigations.”

According to the update, “BianLian group actors have affected organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian then extorts money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024.”

The agencies recommend the following actions to mitigate the threat from BianLian data extortion:

- “Strictly limit the use of RDP and other remote desktop services.
- Disable command-line and scripting activities and permissions.
- Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.”
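The following read-only audit script is an added example, not part of the advisory or any of the agencies’ material. It checks a Windows host against the three recommendations above (RDP exposure, scripting restrictions, PowerShell hardening) and reports each as OK or REVIEW. It assumes it is run elevated on the host being checked, that the standard registry locations for Remote Desktop and PowerShell policy are in use, and that the NetSecurity and AppLocker modules are available (absent modules are reported rather than failing the run). The function name Get-BianLianMitigationPosture is an assumption chosen for this example.

```powershell
# Added audit helper (example code, not from the advisory). Read-only: it changes nothing.
# Assumes Windows PowerShell 5.1 or PowerShell 7+, run as Administrator on the host under review.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent, which we treat as "not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-BianLianMitigationPosture {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control
            Status  = if ($Ok) { 'OK' } else { 'REVIEW' }
            Detail  = $Detail
        })
    }

    # --- Recommendation 1: strictly limit RDP and other remote desktop services ---
    # fDenyTSConnections=1 means Remote Desktop is disabled on this host.
    $rdpDenied = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    Add-Finding 'Remote Desktop disabled' ($rdpDenied -eq 1) "fDenyTSConnections=$rdpDenied"

    # UserAuthentication=1 means Network Level Authentication is required before a session is created.
    $nla = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    Add-Finding 'RDP requires NLA (if RDP is enabled)' ($nla -eq 1 -or $rdpDenied -eq 1) "UserAuthentication=$nla"

    # Inbound firewall rules in the "Remote Desktop" group that are enabled widen exposure.
    try {
        $rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction Stop |
                      Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
        Add-Finding 'No enabled inbound RDP firewall rules' ($rdpRules.Count -eq 0) "$($rdpRules.Count) rule(s) enabled"
    } catch {
        Add-Finding 'Inbound RDP firewall rules' $false 'NetSecurity module unavailable; check manually'
    }

    # --- Recommendation 2: disable command-line and scripting activities ---
    # An effective AppLocker policy with a Script rule collection shows scripting is being constrained.
    try {
        $scriptRules = (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections |
                       Where-Object { $_.RuleCollectionType -eq 'Script' }
        Add-Finding 'AppLocker Script rules present' ($null -ne $scriptRules) "Script collection found: $($null -ne $scriptRules)"
    } catch {
        Add-Finding 'AppLocker Script rules present' $false 'AppLocker module unavailable or no effective policy'
    }

    # --- Recommendation 3: restrict and update PowerShell ---
    # The legacy v2 engine bypasses modern logging; it should be removed.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction SilentlyContinue
    Add-Finding 'PowerShell v2 engine removed' ($null -eq $v2 -or $v2.State -ne 'Enabled') "State=$($v2.State)"

    # Script block and module logging give defenders visibility into command-line activity.
    $sbl = Get-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    Add-Finding 'Script block logging enabled' ($sbl -eq 1) "EnableScriptBlockLogging=$sbl"
    $ml = Get-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging'
    Add-Finding 'Module logging enabled' ($ml -eq 1) "EnableModuleLogging=$ml"

    # Constrained Language Mode limits what an interactive session can reach.
    $mode = $ExecutionContext.SessionState.LanguageMode
    Add-Finding 'Constrained Language Mode in this session' ($mode -eq 'ConstrainedLanguage') "LanguageMode=$mode"

    # Report the running version so it can be compared against the current release.
    $ver = $PSVersionTable.PSVersion
    Add-Finding 'PowerShell version is current (compare with latest release)' ($ver.Major -ge 5) "PSVersion=$ver"

    return $findings
}

# Usage: print a posture table for this host.
Get-BianLianMitigationPosture | Format-Table -AutoSize
```

Every check is an audit, not a change: a REVIEW row is a prompt to compare the setting against the organization’s policy, since a jump host may legitimately keep RDP enabled while still requiring NLA and restricting source addresses at the firewall. The version check only confirms that the legacy engine is not what is running; whether the installed build is the latest release still has to be compared against the current Microsoft release.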

Read the advisory here