The BianLian ransomware group, known for encrypting victims’ files and demanding ransom for decryption, has shifted its focus to only exfiltrating data found on compromised networks and using it for extortion.
This operational change was reported by cybersecurity company Redacted, which noted that the group is attempting to refine its extortion skills and increase pressure on victims. BianLian, which first appeared in July 2022, had successfully breached multiple high-profile organizations before Avast released a free decryptor in January 2023 to help victims recover their encrypted files.
Redacted found that BianLian is keeping its initial access and lateral movement techniques the same and deploying a custom Go-based backdoor to gain remote access to the compromised device. The group now attempts to monetize its breaches by threatening to leak the stolen data instead of encrypting the victim’s files.
After posting their victims on their extortion site, the group gives them ten days to pay the ransom. As of March 13, 2023, BianLian has listed a total of 118 victim organizations on its extortion portal, with the majority being US-based companies.
BianLian promises not to leak the stolen data or disclose the fact that the victim organization has suffered a breach once it is paid.
The group has also made references to legal and regulatory issues that a victim would face if it were to become public that the organization had suffered a breach.
Redacted has found that in many cases, the law references made by BianLian operators were applicable in the victim’s region, indicating that the threat actors are honing their extortion skills by analyzing a victim’s legal risks to formulate strong arguments.
While the combination of encrypting files, stealing data, and threatening to leak the stolen files is known as a “double extortion” tactic, ransomware groups have realized that, in many cases, the threat of a sensitive data leak is an even stronger payment incentive for victims.
This has given birth to encryption-less ransomware operations such as Babuk and SnapMC, as well as extortion operations that claim not to perform file encryption themselves, or at all, such as RansomHouse, Donut, and Karakurt.
However, most ransomware groups continue using encryption payloads in their attacks, as the business disruption caused by encrypting devices puts even greater pressure on many victims.