
Critical Infrastructure Organizations Warned of BianLian Ransomware Attacks

CISA, FBI, and ACSC warn critical infrastructure organizations of the BianLian ransomware group’s attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) are warning critical infrastructure organizations of the BianLian ransomware group’s attacks.

Active since at least June 2022, the gang has been observed gaining access to victim networks via remote desktop protocol (RDP) credentials that were likely acquired from initial access brokers or via phishing attacks.

According to CISA, FBI, and ACSC, the BianLian gang has spent the past year targeting multiple critical infrastructure organizations in the US, as well as private entities in Australia, among them a critical infrastructure organization.

Starting January 2023, the group was seen mainly focusing on data exfiltration and no longer deploying file-encrypting ransomware on victims’ systems.

After gaining access to a network, the group deploys a custom Go-based backdoor specific to each victim and installs remote management and access software such as Atera Agent, AnyDesk, SplashTop, and TeamViewer.

The BianLian group was also observed creating administrator accounts, changing passwords for existing accounts, disabling antivirus software, and modifying Windows registries to disable and uninstall Sophos endpoint protection solutions.

To perform reconnaissance, the group uses tools such as Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, PingCastle, and Impacket, along with command-line scripting.


BianLian also relies on LSASS memory dumps and command-line scripting for credential harvesting, and uses RDP Recognizer to brute force RDP passwords or identify RDP vulnerabilities.

For lateral movement, the gang was seen using PsExec and RDP with valid credentials. It added a user account to the Remote Desktop Users group, and modified the account’s password and firewall rules to allow RDP traffic.

In one case, the group exploited the Netlogon vulnerability (CVE-2020-1472) and connected to an Active Directory domain controller.

Victims’ data is typically harvested using PowerShell scripts. The data is then exfiltrated over FTP and via tools such as Rclone. In Australia, the group was seen using the Mega file-sharing service for data exfiltration.

In the attacks where ransomware was deployed and executed, the .bianlian extension was appended to the encrypted files. The deployed ransom notes informed victims that the ransomware searched for, encrypted, and exfiltrated business, client, financial, technical, and personal files.

The BianLian group threatens to publish the exfiltrated data on a leak site. Victims are told to contact the group via Tox chat and to pay a ransom in cryptocurrency. To pressure victims into paying, the group would print the ransom note on the company’s printers and would contact employees via phone.

CISA, FBI, and ACSC encourage organizations to audit the use of RDP and other remote access tools, to disable command-line scripting, restrict PowerShell usage, control software execution, audit user accounts, keep all systems and software updated, implement strong authentication practices, maintain offline backups and implement a recovery plan.
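The advisory's account-manipulation chain (new or existing account, password changed, account added to Remote Desktop Users or Administrators, firewall opened for RDP) leaves a recognisable trail in the Windows Security log, and the "audit user accounts" and "audit the use of RDP" recommendations above are easiest to act on when that trail is scored automatically. The following detection script is an added example written for this page, not code from the advisory or from any vendor. It scores Security events 4720 (account created), 4724 (password reset), 4732 (member added to a local group) and 4946 (firewall rule added) that land on the same account inside a 60-minute window; the event records, the weights, the window and the alert threshold are all constructed assumptions, and the rule-name match for 4946 is a heuristic because that event carries only the rule's name and ID, not its port.

```python
"""Score Windows Security events for the RDP-staging sequence described in the
BianLian advisory. Event samples, weights, window and threshold are constructed
for this example and are not taken from the advisory."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)       # assumed correlation window
ALERT_THRESHOLD = 4                  # assumed score at which to raise a finding

# Assumed weights: group membership and firewall changes weigh more than
# account creation alone, which help desks do routinely.
WEIGHTS = {
    "account_created": 1,
    "password_reset": 1,
    "added_to_remote_desktop_users": 2,
    "added_to_administrators": 2,
    "rdp_firewall_rule_added": 2,
}

# Constructed sample events in a simplified shape (time, id, target account,
# local group or firewall rule name, subject that performed the action).
SAMPLE_EVENTS = [
    # Attacker-style sequence on a freshly created account
    {"time": "2023-05-16T02:14:05", "id": 4720, "target": "svc_backup", "subject": "CORP\\jdoe"},
    {"time": "2023-05-16T02:14:40", "id": 4724, "target": "svc_backup", "subject": "CORP\\jdoe"},
    {"time": "2023-05-16T02:15:02", "id": 4732, "target": "svc_backup", "group": "Remote Desktop Users", "subject": "CORP\\jdoe"},
    {"time": "2023-05-16T02:15:30", "id": 4732, "target": "svc_backup", "group": "Administrators", "subject": "CORP\\jdoe"},
    {"time": "2023-05-16T02:16:10", "id": 4946, "rule": "Allow RDP 3389 inbound", "subject": "CORP\\jdoe"},
    # Same pattern on an existing account (no 4720 at all)
    {"time": "2023-05-16T03:00:00", "id": 4724, "target": "oldadmin", "subject": "CORP\\jdoe"},
    {"time": "2023-05-16T03:05:00", "id": 4732, "target": "oldadmin", "group": "Remote Desktop Users", "subject": "CORP\\jdoe"},
    {"time": "2023-05-16T03:10:00", "id": 4946, "rule": "Remote Desktop - User Mode (TCP-In)", "subject": "CORP\\jdoe"},
    # Benign onboarding a day earlier: creation and RDP group add hours apart
    {"time": "2023-05-15T09:00:00", "id": 4720, "target": "newhire", "subject": "CORP\\helpdesk"},
    {"time": "2023-05-15T14:30:00", "id": 4732, "target": "newhire", "group": "Remote Desktop Users", "subject": "CORP\\helpdesk"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def indicator_for(event):
    """Map one Security event to the indicator it represents, or None."""
    eid = event["id"]
    if eid == 4720:
        return "account_created"
    if eid == 4724:
        return "password_reset"
    if eid == 4732:
        group = event.get("group", "").lower()
        if group == "remote desktop users":
            return "added_to_remote_desktop_users"
        if group == "administrators":
            return "added_to_administrators"
        return None
    if eid == 4946:
        # Heuristic: 4946 names the rule but not the port, so match on the name.
        rule = event.get("rule", "").lower()
        if "remote desktop" in rule or "3389" in rule:
            return "rdp_firewall_rule_added"
    return None


def find_rdp_staging(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Return {account: finding} for every account whose best-scoring window
    reaches the threshold. Each account-scoped event opens a candidate window;
    firewall events are host-scoped and count for any account's window."""
    events = sorted(events, key=_ts)
    best = {}
    for anchor in events:
        ind = indicator_for(anchor)
        if ind is None or ind == "rdp_firewall_rule_added":
            continue
        account = anchor["target"]
        start = _ts(anchor)
        seen = {}
        for e in events:
            t = _ts(e)
            if t < start or t - start > window:
                continue
            i = indicator_for(e)
            if i is None:
                continue
            if i != "rdp_firewall_rule_added" and e.get("target") != account:
                continue
            seen.setdefault(i, t.isoformat())  # count each indicator once
        score = sum(WEIGHTS[i] for i in seen)
        if score >= threshold and score > best.get(account, {}).get("score", 0):
            best[account] = {
                "account": account,
                "performed_by": anchor.get("subject"),
                "window_start": start.isoformat(),
                "score": score,
                "indicators": sorted(seen),
            }
    return best


if __name__ == "__main__":
    for finding in find_rdp_staging(SAMPLE_EVENTS).values():
        print(finding)
```

Run against the constructed sample, the script flags both the new `svc_backup` account and the existing `oldadmin` account, and leaves the help-desk onboarding of `newhire` alone because its creation and group change fall outside one window. Feeding it real events means mapping the Security log's `TargetUserName`, `GroupName` and `RuleName` fields onto the `target`, `group` and `rule` keys used here, and tuning the window and weights to what the help desk actually does in the environment.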

Related: CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities

Related: CISA Gets Proactive With New Pre-Ransomware Alerts

Related: CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
