FBI says BianLian based in Russia, moving from ransomware attacks to extortion


BianLian ransomware actors are likely based in Russia and have multiple Russia-based affiliates, according to new information shared by the FBI and Australian law enforcement. 

BianLian has drawn scrutiny for attacks on charities like Save The Children as well as healthcare firms like Boston Children’s Health Physicians. On Tuesday, the gang took credit for an attack on Amherstburg Family Health Team — a Canadian healthcare company that said it is currently experiencing delays due to technical issues with its phone system. 

The FBI and Australian Cyber Security Centre on Wednesday published an updated advisory on the group, warning that the gang has shifted its tactics and is now moving toward extorting companies with stolen data instead of fully encrypting systems. The group has exclusively focused on exfiltration-based extortion since January.

The advisory notes that like many ransomware gangs, the likely Russia-based group has used its name “to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts.” 

The group has been seen targeting public-facing applications of both Windows and ESXi infrastructure, possibly leveraging the popular ProxyShell vulnerabilities — CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 — to gain initial access.

The agencies also saw BianLian actors exploiting vulnerabilities like CVE-2022-37969, which affects Windows 10 and 11. 

The group uses a range of other tools to move through breached systems, steal data and cause confusion among incident responders trying to stop them. 

In one instance, the agencies saw BianLian create multiple administrator accounts within a victim’s system to more easily move across a network and maintain access. 
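A defender-side illustration of the behaviour described above, added here and not part of the article or the FBI advisory: it scans simplified Windows Security events for accounts that are created (event 4720) and then added to the local Administrators group (event 4732) in a burst. The event records are constructed for the example, and the window and threshold are assumptions to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records: (timestamp, event_id, account, detail).
# 4720 = user account created; 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    ("2024-11-20T02:14:05", 4720, "svc_backup2", "created by admin01"),
    ("2024-11-20T02:14:09", 4732, "svc_backup2", "Administrators"),
    ("2024-11-20T02:15:41", 4720, "helpdesk_tmp", "created by admin01"),
    ("2024-11-20T02:15:44", 4732, "helpdesk_tmp", "Administrators"),
    ("2024-11-20T02:16:02", 4720, "it_support3", "created by admin01"),
    ("2024-11-20T02:16:06", 4732, "it_support3", "Administrators"),
    ("2024-11-20T09:30:00", 4720, "jdoe", "created by hr_onboard"),  # benign new hire
    ("2024-11-20T09:30:10", 4732, "jdoe", "Remote Desktop Users"),
]


def find_admin_account_bursts(events, window=timedelta(minutes=10), threshold=2):
    """Return accounts that were created and then added to Administrators,
    but only when at least `threshold` such promotions fall inside `window`.
    A single new admin is routine; several in minutes is worth a look."""
    created = {}    # account -> creation time
    promoted = []   # (promotion time, account) for newly created accounts only
    for ts, event_id, account, detail in events:
        t = datetime.fromisoformat(ts)
        if event_id == 4720:
            created[account] = t
        elif event_id == 4732 and detail == "Administrators" and account in created:
            promoted.append((t, account))
    promoted.sort()

    flagged = set()
    for start, _ in promoted:
        # Every promotion that falls within `window` of this one forms a cluster.
        cluster = [acct for t, acct in promoted if start <= t <= start + window]
        if len(cluster) >= threshold:
            flagged.update(cluster)
    return sorted(flagged)


if __name__ == "__main__":
    for account in find_admin_account_bursts(SAMPLE_EVENTS):
        print(f"suspicious new administrator account: {account}")
```

In production the same logic would be fed by the actual event channel rather than a list, and creation events without a matching promotion are deliberately ignored to keep the alert focused on the create-then-promote pattern.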

Before 2024, the group typically used an encryptor that renamed every affected file with the .bianlian extension. The encryptor also dropped a ransom note.

“Newer ransomware notes state BianLian group has exfiltrated data and threaten to leak the exfiltrated data if the ransom is not paid,” the FBI said.  

“The ransom notes provide the Tox ID…which directs the victim organization to a Tox chat and includes alternative contact email addresses n0torious@onionmail[.]org and xwikipedia@onionmail[.]org.”

The group has also sought to put further pressure on victims by printing ransom notes in company printers and by even calling employees to threaten them. 

Two weeks ago, the UN Security Council held a hearing on ransomware where the head of the UN health agency spoke at length about the outstanding danger ransomware attacks pose to international security.

“Let’s be clear… ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality; they can be issues of life and death,” he stressed.

White House official Anne Neuberger, who represented the U.S. at the meeting, said about $1.3 billion in ransoms were paid in the U.S. alone in 2023.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
