BianLian Ransomware Exploits RDP Credentials for Initial Access

BianLian, a prolific ransomware group, has rapidly expanded since its 2022 debut, employing sophisticated techniques and adapting to evolving threats. Using compromised RDP credentials and exploiting ProxyShell and SonicWall VPN vulnerabilities for initial access, the group deploys custom Go-based malware, leverages Living Off the Land tactics, and encrypts data for extortion.

Initially focused on encryption and ransom demands, the group transitioned to a double extortion model, stealing data for additional leverage; its aggressive tactics and ability to adapt make it a significant cyber threat.

Ransomware group ranking in terms of victim postings from their leak site

The ransomware group experienced a surge in victim postings on its leak site around May 2023, followed by a decline attributed to the release of a BianLian decryptor and improved defenses, which led to a shift from encryption-based attacks to a steal-and-extort model. 

However, a slight uptick in victim postings occurred in early 2024, suggesting potential adjustments in the group’s tactics or a decrease in overall security measures within targeted organizations. 

Industry vertical distribution of BianLian victims in 2024

BianLian has exposed over 90 new victims since early 2024, prioritizing high-value sectors with sensitive data for maximum extortion impact; legal services and healthcare together account for 42% of victims, owing to the sensitivity of their data and the critical nature of their operations.

Engineering follows at 12.9%, likely due to valuable intellectual property and infrastructure reliance. A broader attack surface includes Finance, Accounting, Logistics, Manufacturing, and various other industries, demonstrating BianLian’s opportunistic targeting across multiple sectors. 

BianLian ransomware uses TLS-encrypted C2 servers with uniquely formatted certificates, identifiable by specific patterns in their subject and issuer fields. 

A surge in discovered C2 servers around mid-January 2024 correlates with a subsequent increase in victim numbers, suggesting that the expanded C2 infrastructure supported a large-scale attack campaign; during this period the group also exploited TeamCity servers and deployed a PowerShell backdoor.

Certificate of a BianLian C2 server

In 2023, BianLian’s C2 servers heavily used the standard HTTPS ports (443 and 8443) for command and control traffic, mimicking legitimate web communication. To evade detection, the group also employed a diverse range of “other” ports for its C2 channels.

In 2024, it strategically distributed its C2 servers across multiple Autonomous System Numbers, including major providers like Chang Way Technologies and M247 Europe SRL, and a significant portion on unspecified networks, indicating a deliberate effort to diversify infrastructure and hinder detection. 
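The two observations above (C2 certificates recognisable by their subject and issuer fields, and C2 traffic on both standard HTTPS ports and a long tail of "other" ports) translate directly into a hunt over TLS connection logs. The following is an added example, not code from the article or from any vendor report it cites: it parses a constructed, Zeek-style ssl.log sample and flags connections whose certificate distinguished names match an analyst-supplied pattern, enriching each hit with whether the destination port is a standard HTTPS port. The article does not publish the actual subject/issuer pattern, so the regex below is a placeholder that must be replaced with real indicators; the sample log lines and all hosts in them are constructed.

```python
import re
from collections import Counter

# Constructed Zeek-style ssl.log sample (tab-separated, simplified).
# Columns: ts, id.orig_h, id.resp_h, id.resp_p, subject, issuer
# All addresses are documentation ranges; nothing here is real traffic.
SAMPLE_SSL_LOG = """\
1705300000.1\t10.0.0.5\t203.0.113.10\t443\tCN=www.example.org,O=Example Org\tCN=R3,O=Let's Encrypt,C=US
1705300001.2\t10.0.0.7\t198.51.100.20\t8443\tCN=srv01.invalid,O=PLACEHOLDER-ORG\tCN=srv01.invalid,O=PLACEHOLDER-ORG
1705300002.3\t10.0.0.9\t192.0.2.30\t65123\tCN=upd.invalid,O=PLACEHOLDER-ORG\tCN=upd.invalid,O=PLACEHOLDER-ORG
1705300003.4\t10.0.0.5\t203.0.113.11\t443\tCN=mail.example.org,O=Example Org\tCN=R3,O=Let's Encrypt,C=US
"""

# ASSUMPTION: the article says BianLian C2 certificates carry a recognisable
# subject/issuer format but does not publish it. This regex is a placeholder
# standing in for the pattern an analyst derives from real samples.
SUSPICIOUS_DN = re.compile(r"O=PLACEHOLDER-ORG")

# Ports the article identifies as the group's "standard HTTPS" C2 ports.
STANDARD_HTTPS_PORTS = {443, 8443}


def parse_ssl_log(text):
    """Parse the simplified ssl.log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, subject, issuer = line.split("\t")
        records.append({
            "ts": float(ts),
            "orig_h": orig_h,
            "resp_h": resp_h,
            "resp_p": int(resp_p),
            "subject": subject,
            "issuer": issuer,
        })
    return records


def flag_c2_candidates(records):
    """Return (resp_h, resp_p, reasons) for records whose certificate DN
    matches the pattern. Port class is reported as enrichment only: a
    non-standard port on its own is far too noisy to alert on."""
    hits = []
    for r in records:
        if not (SUSPICIOUS_DN.search(r["subject"]) or SUSPICIOUS_DN.search(r["issuer"])):
            continue
        reasons = ["dn-pattern"]
        if r["resp_p"] not in STANDARD_HTTPS_PORTS:
            reasons.append("nonstandard-port")
        hits.append((r["resp_h"], r["resp_p"], reasons))
    return hits


def port_distribution(records):
    """Count connections on standard HTTPS ports versus 'other' ports,
    mirroring the port breakdown the article describes for 2023."""
    counts = Counter(
        "standard" if r["resp_p"] in STANDARD_HTTPS_PORTS else "other"
        for r in records
    )
    return dict(counts)


if __name__ == "__main__":
    recs = parse_ssl_log(SAMPLE_SSL_LOG)
    for host, port, why in flag_c2_candidates(recs):
        print(f"candidate C2 {host}:{port} ({', '.join(why)})")
    print("port distribution:", port_distribution(recs))
```

Against real Zeek output the subject and issuer columns are in the same `CN=...,O=...` form, so only the log reader and the placeholder regex need changing.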

Golang libraries used by BianLian’s Go backdoor

The Go backdoor functions as a loader, downloading and executing additional payloads. Using a hardcoded C2 server, it maintains persistent communication for command and control. 

According to Juniper Networks, it leverages Go modules mimux and soso, similar to Yamux and go-socks5, and recent versions utilize a Logger function for enhanced logging. 

Threat hunting can be conducted using VirusTotal searches, focusing on the “topcorner” family and unique Go libraries such as soso/resolver.go. A Linux variant using Amazon EC2 C2 infrastructure has also been discovered, expanding the backdoor’s platform capabilities.
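The hunting hint above (unique Go module and source paths such as soso/resolver.go) works locally as well as on VirusTotal, because Go binaries retain package and source file paths in their symbol data even when stripped. The following added example, which is not code from the article or from Juniper Networks, scans a byte blob for embedded `.go` source paths and reports those belonging to the mimux and soso modules named in the article. The sample binary content is constructed; the `mimux/mux.go` file name in it is a hypothetical path used only so the scan has something to find.

```python
import re
import sys

# Module names the article attributes to the backdoor (mimux ~ Yamux, soso ~ go-socks5).
SUSPECT_MODULES = {"mimux", "soso"}

# Go toolchains embed source paths like "pkg/sub/file.go" in the pclntab;
# this regex pulls every such path out of raw bytes.
GO_FILE_RE = re.compile(rb"[A-Za-z0-9_./-]+\.go\b")

# Go binaries carry a build ID note; its presence is a cheap "is this Go?" check.
GO_BUILD_ID_MARKER = b"Go build ID:"

# Constructed stand-in for a stripped Go binary: a build ID note plus a few
# embedded source paths. The yamux path is a real upstream module path;
# "mimux/mux.go" is a hypothetical file name; "soso/resolver.go" is from the article.
SAMPLE_BINARY = (
    b"\x7fELF\x00\x00" + GO_BUILD_ID_MARKER + b" \"constructed\"\x00"
    b"runtime/proc.go\x00github.com/hashicorp/yamux/session.go\x00"
    b"mimux/mux.go\x00soso/resolver.go\x00net/http/server.go\x00"
)


def extract_go_paths(data):
    """Return the sorted set of Go source paths embedded in the bytes."""
    return sorted({m.group().decode("ascii", "replace") for m in GO_FILE_RE.finditer(data)})


def suspect_paths(paths):
    """Keep paths with a segment equal to one of the suspect module names,
    so both 'soso/resolver.go' and 'vendor/soso/x.go' are caught."""
    return [p for p in paths if any(seg in SUSPECT_MODULES for seg in p.split("/")[:-1])]


def hunt(data):
    """Summarise one file: Go marker present, all paths, suspect paths."""
    paths = extract_go_paths(data)
    return {
        "is_go": GO_BUILD_ID_MARKER in data,
        "go_paths": paths,
        "suspect_paths": suspect_paths(paths),
    }


def scan_file(path):
    """Read a file from disk and run the hunt over its bytes."""
    with open(path, "rb") as fh:
        return hunt(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, scan_file(p)) for p in targets] if targets else [("<sample>", hunt(SAMPLE_BINARY))]
    for name, r in results:
        verdict = "SUSPECT" if r["suspect_paths"] else "clean"
        print(f"{name}: go={r['is_go']} {verdict} {r['suspect_paths']}")
```

Run it with one or more file paths to triage unknown binaries, or with no arguments to see it operate on the constructed sample; a hit is a lead for deeper analysis, not proof of infection, since attackers can rename modules.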

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press, covering cyber security incidents happening in cyberspace.
