BianLian Ransomware Gang Continues to Evolve

Unit 42, Palo Alto Networks’ threat research group, has been tracking the BianLian ransomware group, which ranks in the top 10 most active groups based on the leak site data Unit 42 has gathered.

The BianLian group has been extremely active since it emerged in 2022, with newly compromised organizations posted to its leak site almost weekly.

The BianLian group mainly impacts the healthcare, manufacturing, and professional and legal services sectors. The group shares a small custom .NET tool with the Makop ransomware group, which indicates a possible connection between the two groups.

The group’s leak site indicates that BianLian might be expanding by hiring new developers and affiliates, as noted in the “Work with us” section from the group’s homepage.

BianLian recently shifted from a double extortion scheme (encrypting victims’ assets, stealing data, and threatening to publish it if the ransom is not paid) to a primary focus on extortion without encryption.

To infiltrate corporate networks, BianLian operators often perform the following activities:

  • Use stolen Remote Desktop Protocol (RDP) credentials
  • Exploit the ProxyShell vulnerability
  • Target virtual private network (VPN) providers
  • Use other previously reported techniques such as deploying web shells

The Unit 42 Incident Response team has responded to several BianLian ransomware incidents since September 2022.

Palo Alto Networks customers are better protected against the ransomware used by the BianLian group through Cortex XDR, as well as through Cloud-Delivered Security Services for the Next-Generation Firewall such as WildFire and Advanced URL Filtering. Notably, the Prisma Cloud Defender should be deployed on cloud-based Windows virtual machines to ensure they are protected. Cortex Xpanse provides visibility that can prove valuable for proactive protection.
