BianLian Ransomware Gang Continues to Evolve
Since our initial report on the ransomware group known as BianLian, we have continued to keep an eye on their activities. Unfortunately, and sadly not surprisingly, the group continues to operate and add to their ever-growing list of victims. Having continued to research BianLian for the past six months or so, we felt the time was right to share an update and some of our findings with the larger community.
In short, BianLian continues to exhibit a high level of operational security and skill in network penetration, seeming to have also found their stride in the pace of their operations. At the same time, the group has been improving their ability to operate the business side of a ransomware organization. Yet perhaps most notably, BianLian has shifted the main focus of their attacks away from ransoming encrypted files to focus more on data-leak extortion as a means to extract payments from victims. Furthermore, they have been attempting to amplify the effectiveness of these extortion threats by tailoring the messages delivered to specific victims in an effort to increase the pressure felt by the organizations.
Same Tactics and Techniques
Much like the old adage “If it ain’t broke, don’t fix it”, BianLian continues to use very similar Tactics, Techniques, and Procedures (TTPs) that were detailed in our first report to perform their initial access and lateral movement within a victim’s network. The group continues to maintain and deploy their custom backdoor, written in Go, which provides another means of remote access to a compromised network. While BianLian has made small tweaks here and there to their backdoor such as updating various support libraries and attempting to better hide in plain sight in some scenarios, the core functionality of their backdoor remains unchanged.
Command and Control Infrastructure
As we’ve learned more from watching the group, we have been able to get a better understanding of the temporal relationship of how BianLian will typically bring a command and control (C2) server online relative to the deployment of their custom backdoor. We have observed multiple instances where BianLian has compiled a backdoor within minutes of when they bring a C2 server online. Sometimes, the binary is created before the C2 is live while in other instances the order is reversed. With such a tight coupling of infrastructure and malware deployment, by the time a BianLian C2 is discovered it is likely that the group has already established a solid foothold into a victim’s network.
In terms of numbers, BianLian appears to have found their stride in the number of C2s they require to sustain their operations. As figure 1 illustrates, the group appears to bring close to 30 new C2 servers online each month. Thus far in the first half of March, BianLian continues at pace, having already brought 11 new C2 servers online. With an average C2 lifespan of approximately two weeks, the total number of active C2 servers online at any given time is always in flux.
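As an added illustration that is not part of the original report, the Python below shows how an analyst can turn first-seen/last-seen C2 observations into the two figures discussed here: average lifespan and how many servers were live on any given day. The sightings are constructed from RFC 5737 documentation addresses and are not BianLian indicators.

```python
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Tuple


class C2Sighting(NamedTuple):
    ip: str            # defanged as published, e.g. "203.0.113[.]10"
    first_seen: date
    last_seen: date


def refang(ip: str) -> str:
    """Turn the published '[.]' notation back into a dotted-quad string
    so it can be loaded into a blocklist or SIEM lookup table."""
    return ip.replace("[.]", ".")


def blocklist(sightings: List[C2Sighting]) -> List[str]:
    """Sorted, de-duplicated list of refanged addresses."""
    return sorted({refang(s.ip) for s in sightings})


def mean_lifespan_days(sightings: List[C2Sighting]) -> float:
    """Average days a C2 stayed online, counting both endpoint days."""
    spans = [(s.last_seen - s.first_seen).days + 1 for s in sightings]
    return sum(spans) / len(spans)


def active_per_day(sightings: List[C2Sighting]) -> Dict[date, int]:
    """Sweep-line count of live C2s for every day in the observed window."""
    events: Dict[date, int] = {}
    for s in sightings:
        events[s.first_seen] = events.get(s.first_seen, 0) + 1
        end = s.last_seen + timedelta(days=1)   # exclusive end of the interval
        events[end] = events.get(end, 0) - 1
    active, counts, day, stop = 0, {}, min(events), max(events)
    while day < stop:
        active += events.get(day, 0)
        counts[day] = active
        day += timedelta(days=1)
    return counts


def peak_active(sightings: List[C2Sighting]) -> Tuple[date, int]:
    """First day on which the largest number of C2s were live at once."""
    counts = active_per_day(sightings)
    day = max(counts, key=counts.get)
    return day, counts[day]


# Constructed sample (RFC 5737 addresses), not real indicators.
SAMPLE = [
    C2Sighting("203.0.113[.]10", date(2023, 1, 2), date(2023, 1, 15)),
    C2Sighting("203.0.113[.]11", date(2023, 1, 5), date(2023, 1, 20)),
    C2Sighting("198.51.100[.]7", date(2023, 1, 14), date(2023, 1, 28)),
    C2Sighting("198.51.100[.]8", date(2023, 1, 25), date(2023, 2, 6)),
]
```

Feeding real first/last-seen dates into the same functions gives the "always in flux" curve the paragraph describes, and the refanged list is ready for egress blocking or retrospective log searches.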
Less Encryption, More Extortion
Perhaps one of the most interesting changes we’ve seen BianLian make to their operations is how they appear to have responded to Avast’s release of a decryption tool that would allow a victim of BianLian to decrypt and recover their files. While BianLian was quick to acknowledge the release of the decryption tool with a short and somewhat terse response posted on their leak site, the group has since chosen to remove the note (shown below for posterity).
“If you have questions about Avast’s decryptor, you need to know that for each company we create an unique key. Avast published their decrypt tool for build released at summer 2022. It will corrupt any files encrypted by another builds.
For most companies we don’t use crypt and give to managers the opportunity to decide their security issues without notifying lawyers and government departments.
They have the right to decide themselves because third parties force them to company’s suicide.
After these notifications and cooperation company lose reputation and get financial losses in most cases.
So we recommend to write us ASAP and don’t lose time”
The release of the tool appears to have brought about a shift in how BianLian attempts to monetize the successful compromise of a victim. Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims’ data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence. The group promises that after they are paid, they will not leak the stolen data or otherwise disclose the fact the victim organization has suffered a breach. BianLian offers these assurances based on the fact that their “business” depends on their reputation.
“Our business depends on the reputation even more than many others. If we will take money and spread your information- we will have issues with payments in future. So, we will stick to our promises and reputation. That works in both ways: if we said that we will email all your staff and publicly spread all your data- we will.”
While the tactics (email, phone calls, and general harassment) and threats (release of stolen data, reputation damage, and embarrassment) BianLian employs to try and extract a payment are similar to those of other ransomware groups, we have seen BianLian take the time to do their research to tailor the threat to their victims. In several instances, BianLian made reference to legal and regulatory issues a victim would face were it to become public that the organization had suffered a breach. The group has also gone so far as to include specific references to the subsections of several laws and statutes. While the applicability of the laws (to the victim and their data) referenced by BianLian would need to be assessed by the courts, at first glance, the laws referenced by the actors did in fact correspond to the jurisdiction where the victim was located. This attention to detail shows that the criminal gang is taking the extra time to tailor threats to their victims to maximize the pressure to pay the ransom.
As if harassing messages and references to seemingly accurate legal issues weren’t enough, BianLian has also increased the frequency in their use of a tactic popular among some ransomware groups: the posting of masked victim details to their leak site. In these scenarios, the ransomware group will post varying degrees of detail about a victim organization, typically masking all but a few letters from the company’s name while at the same time including high level details such as the victim’s industry vertical, geographical location, and revenue numbers.
While BianLian was known to use the masked victim pressure tactic prior to the release of the free decryption tool, the group’s use of the technique has exploded after the release of the tool. Between July 2022 and mid-January 2023, BianLian posted the masked details of victims 14 times. This accounted for 16% of the postings to their leak site during the nearly seven-month timeframe. In just the two months after the decryptor was released, BianLian has already posted details on 22 masked victims, accounting for over half of their postings at 53%.
The speed at which BianLian posts the masked details has also increased over time. If one is to accept the Date of Compromise listed by BianLian as accurate (is there honor amongst thieves?), the group averages just ten days from an initial compromise to ratcheting up the pressure on a victim by posting masked details. In some instances, BianLian appears to have posted masked details within 48 hours of a compromise.
With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, the previous underlying issues with BianLian’s ability to run the business side of a ransomware campaign appear to have been addressed. Unfortunately, these improvements in their business acumen are likely the result of gaining more experience through their successful compromise of victim organizations.
In the ransomware space, the exact number of victims can never truly be known. However, as of March 13, 2023, BianLian details 118 victim organizations on their leak site. The group continues to take the time to categorize the industry vertical of their victims and tag the corresponding data. When looking at the data, as labeled by BianLian themselves, it is unfortunate to note that organizations that fall under the broader category of Healthcare represent the single largest industry vertical victimized by the group.
And while ransomware is an issue faced by organizations across the globe, in the case of BianLian, the overwhelming majority of their victims are those located within the United States.
As we track BianLian’s activities, we continue to gather evidence for attribution. While we have a working theory based on some promising indicators, we believe it would be irresponsible to make any public statements at this time. We value our analytic integrity and will wait until we have enough high-confidence evidence before making any statements of attribution.
Indicators of Compromise
If you need help reducing your risk of ransomware attacks and minimizing the impact they can have on your organization if they do occur, [redacted] stands ready to help. We have a passion for helping our clients to become tangibly more secure. We enable them to prevent most cyber incidents and be well prepared for emergencies that can’t be avoided. We have the depth of experience and expertise required to ensure that the solutions we provide are effective for your organization’s specific needs.
Lauren is a Senior Threat Researcher at [redacted] where she enjoys hunting for bad guys by understanding their tradecraft and infrastructure. Lauren holds a BS in Mathematics from The Ohio State University, a MS in Cyber Operations from the Air Force Institute of Technology, and a Ph.D. in Computer Science from the University of Tulsa.
Senior Threat Intelligence Analyst at [redacted] who spends his days trying to find the badness lurking in the tubes.
Danny Quist is the Director of Special Projects at [redacted]. He works on the research team developing new methods of reverse engineering, machine learning, and malware detonation. Previously he has worked for MIT Lincoln Laboratory and Los Alamos National Laboratory. He has presented at Blackhat, RSA, Defcon, and DFRWS.