FBI says BianLian based in Russia, moving from ransomware attacks to extortion


BianLian ransomware actors are likely based in Russia and have multiple Russia-based affiliates, according to new information shared by the FBI and Australian law enforcement. 

BianLian has drawn scrutiny for attacks on charities like Save The Children as well as healthcare firms like Boston Children’s Health Physicians. On Tuesday, the gang took credit for an attack on Amherstburg Family Health Team — a Canadian healthcare company that said it is currently experiencing delays due to technical issues with its phone system. 

The FBI and Australian Cyber Security Centre on Wednesday published an updated advisory on the group, warning that the gang has shifted its tactics and is now moving toward extorting companies with stolen data instead of fully encrypting systems. The group has exclusively focused on exfiltration-based extortion since January.

The advisory notes that like many ransomware gangs, the likely Russia-based group has used its name “to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts.” 

The group has been seen targeting public-facing applications of both Windows and ESXi infrastructure, possibly leveraging the popular ProxyShell vulnerabilities — CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 — to gain initial access.

The agencies also saw BianLian actors exploiting vulnerabilities like CVE-2022-37969, which affects Windows 10 and 11. 

The group uses a range of other tools to move through breached systems, steal data and cause confusion among incident responders trying to stop them. 

In one instance, the agencies saw BianLian create multiple administrator accounts within a victim’s system to more easily move across a network and maintain access. 
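The creation of several new administrator accounts described above is a pattern a defender can hunt for in Windows Security events. The example below is added here and is not from the advisory or the article; it assumes events have already been parsed into dicts (Event ID 4720 = account created, 4732 = member added to a local group), and the sample events are constructed.

```python
"""Flag hosts where several freshly created accounts were added to the
local Administrators group within a short window (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three new accounts made admin on FS01 within minutes,
# one pre-existing account added to admins (no 4720), and a benign single
# new admin on a workstation.
SAMPLE_EVENTS = [
    {"ts": "2024-11-20T02:11:04", "host": "FS01", "id": 4720, "target": "svc_backup2", "group": None},
    {"ts": "2024-11-20T02:11:09", "host": "FS01", "id": 4732, "target": "svc_backup2", "group": "Administrators"},
    {"ts": "2024-11-20T02:12:00", "host": "FS01", "id": 4732, "target": "helpdesk", "group": "Administrators"},
    {"ts": "2024-11-20T02:14:30", "host": "FS01", "id": 4720, "target": "svc_backup3", "group": None},
    {"ts": "2024-11-20T02:14:41", "host": "FS01", "id": 4732, "target": "svc_backup3", "group": "Administrators"},
    {"ts": "2024-11-20T02:20:02", "host": "FS01", "id": 4720, "target": "svc_backup4", "group": None},
    {"ts": "2024-11-20T02:20:10", "host": "FS01", "id": 4732, "target": "svc_backup4", "group": "Administrators"},
    {"ts": "2024-11-20T09:30:00", "host": "WS17", "id": 4720, "target": "jsmith", "group": None},
    {"ts": "2024-11-20T09:31:00", "host": "WS17", "id": 4732, "target": "jsmith", "group": "Administrators"},
]


def find_admin_bursts(events, window=timedelta(minutes=30), threshold=3):
    """Return {host: [accounts]} for hosts where at least `threshold`
    accounts were both created (4720) and added to Administrators (4732)
    within `window`. Accounts that pre-existed (no 4720 seen) are ignored,
    so a routine group change on an old account does not trigger a hit."""
    created = defaultdict(set)       # host -> accounts created in this log slice
    admin_adds = defaultdict(list)   # host -> [(time, account)]
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4720:
            created[ev["host"]].add(ev["target"])
        elif ev["id"] == 4732 and ev["group"] == "Administrators":
            admin_adds[ev["host"]].append((t, ev["target"]))

    hits = {}
    for host, adds in admin_adds.items():
        new_admins = sorted((t, a) for t, a in adds if a in created[host])
        for i, (start, _) in enumerate(new_admins):
            burst = [a for t, a in new_admins[i:] if t <= start + window]
            if len(burst) >= threshold:
                hits[host] = burst
                break
    return hits


if __name__ == "__main__":
    print(find_admin_bursts(SAMPLE_EVENTS))  # {'FS01': ['svc_backup2', 'svc_backup3', 'svc_backup4']}
```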

Before 2024, the group typically deployed an encryptor that encrypted affected files and appended the .bianlian extension to them. The encryptor also dropped a ransom note.

“Newer ransomware notes state BianLian group has exfiltrated data and threaten to leak the exfiltrated data if the ransom is not paid,” the FBI said.  

“The ransom notes provide the Tox ID…which directs the victim organization to a Tox chat and includes alternative contact email addresses n0torious@onionmail[.]org and xwikipedia@onionmail[.]org.”

The group has also sought to put further pressure on victims by printing ransom notes in company printers and by even calling employees to threaten them. 

Two weeks ago, the UN Security Council held a hearing on ransomware where the head of the UN health agency spoke at length about the outstanding danger ransomware attacks pose to international security.

“Let’s be clear… ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality; they can be issues of life and death,” he stressed.

White House official Anne Neuberger, who represented the U.S. at the meeting, said about $1.3 billion in ransoms were paid in the U.S. alone in 2023.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
