TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details (weblink below). Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement the mitigations recommended in this advisory. The mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). This joint CSA is part of CISA’s ongoing #StopRansomware effort.
Joint Cybersecurity Advisory: hxxps://www.cisa[.]gov/news-events/alerts/2023/05/16/cisa-and-partners-release-bianlian-ransomware-cybersecurity-advisory
NYSIC CAU Analyst Note: BianLian gains initial access through valid Remote Desktop Protocol (RDP) credentials, and uses open-source tools and command-line scripting for discovery and credential harvesting. Victim data is exfiltrated via File Transfer Protocol (FTP), Rclone, or Mega; the actors then use the stolen data to extort money from the victims. BianLian initially employed a double-extortion model, but in January 2023 shifted to primarily exfiltration-based extortion. BianLian ransomware is written in Go and uses techniques such as T1005 and T1486 to gain access to systems. It has been known to encrypt files and demand payment in exchange for decryption. In some cases, it has also been observed stealing data and threatening to leak it if the ransom is not paid. A free decryptor for BianLian ransomware was released by Avast in January 2023 (weblink below). The group has also been known to threaten to leak stolen data on its extortion blog as part of the double-extortion “name and shame” technique. The malware has been active since at least 2022, and its attacks continue to pose a threat to organizations worldwide.
Avast BianLian Decryptor: hxxps://decoded.avast[.]io/threatresearch/decrypted-bianlian-ransomware/
Author: CISA, FBI, and ACSC
This information has been forwarded by NYSIC to:
NYSIC CAU Contacts – CPWG
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – DHSES CIRT
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
NYSIC CAU Contacts – Critical Infrastructure Partners: All
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.