A pictorial representation of the BianLian ransomware gang. A hand offers money to another hand holding keys. In the background is a computer screen with the biohazard symbol on it.

This post is also available in:
日本語 (Japanese)

Executive Summary

Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. From that leak site data, we’ve primarily observed activity affecting the healthcare and manufacturing sectors and industries, and impacting organizations mainly in the United States (US) and Europe (EU).

We also observed that the BianLian group shares a small, customized tool in common with the Makop ransomware group. This shared tool indicates a possible connection between the two groups, which we will explore further.

BianLian has also recently moved from a double extortion scheme to one of extortion without encryption. Rather than encrypting their victims’ assets before stealing data and threatening to publish it if they do not pay the ransom, they’re now moving straight to stealing data to motivate victims to pay.

The Unit 42 Incident Response team has responded to several BianLian ransomware incidents since September 2022.

Palo Alto Networks customers are better protected against ransomware used by the BianLian ransomware group through Cortex XDR, as well as by Cloud-Delivered Security Services for the Next-Generation Firewall such as WildFire and Advanced URL Filtering.

In particular, the Cortex XDR anti-ransomware module included out-of-the-box protections that prevented adverse behavior from the ransomware samples we tested without the need for specific detection logic or signatures.

The Prisma Cloud Defender should be deployed on cloud-based Windows virtual machines to ensure they are protected. Cortex Xpanse is able to provide visibility that can prove valuable for proactive protection.

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Table of Contents

BianLian Threat Overview
Possible Connection to Makop Ransomware
Technical Analysis
Attack Lifecycle
Initial Access
Credential Dumping
Persistence
Reconnaissance
Encryptor and Backdoor
Conclusion
Protections and Mitigations
Indicators of Compromise
Examples of the BianLian Encryptor
Examples of the BianLian Backdoor
Advanced Port Scanner
.NET Tool
BianLian Command and Control Servers
Additional Resources

BianLian Threat Overview

The BianLian group has been extremely active ever since it emerged in 2022, with new organizations compromised by the group being reported on their leak site almost on a weekly basis. Figure 1 below details their activity throughout 2023, as illustrated by their leak site data.

Image 1 is a graph of BianLian group activity from January to December 2023. The sharpest spike occurs in May and then falls with the lowest point in August. It then starts to climb upward again.
Figure 1. Activity of the BianLian group throughout 2023.

This group impacts mainly the healthcare, manufacturing, professional and legal services sectors. Their attacks have primarily taken place in North America, but they were also seen in the EU and India.

BianLian shares a small custom .NET tool with the Makop ransomware group, which indicates a possible connection between the two groups.

BianLian has moved from a double extortion scheme of encrypting their victims’ assets, stealing data, and threatening to publish it if they do not pay the ransom to a main focus of extortion without encryption.

The group’s leak site indicates that BianLian might be expanding by hiring new developers and affiliates, as noted in the “Work with us” section from the group’s homepage shown below in Figure 2.

Image 2 is a screenshot of the BianLian leak site homepage as of December 2023. BianLian. Categories are Home, Companies, Tags, Contacts. Work with us: targets’ providers, software engineers, pentesters, journalists. Tox: [redacted]. Email: [redacted onion email]. Most of the following text is also redacted.
Figure 2. The BianLian leak site homepage, late December 2023.

The BianLian group regularly updates the list of compromised targets on their leak site. Figure 3 details the most affected countries. While BianLian has impacted organizations all over the world, the US is clearly the most affected country as of 2023.

Image 3 is a heat map of countries impacted by BianLian over 2023. The highest affected country is North America followed by parts of the EU and India.
Figure 3. A map showing the countries impacted by BianLian in 2023.

As detailed in Figure 4 below, healthcare is the sector most affected by the BianLian group, with manufacturing a close second. In January 2023, the group claimed to have exfiltrated 1.7 TB of data, including personal data of patients and employees, from a California-based hospital. Attacks on healthcare organizations are especially concerning because they disrupt hospitals’ day-to-day operations and potentially endanger patients’ lives.

Image 4 is a column graph of all of the industries attacked by BianLian in 2023. The most-attacked sectors are healthcare, manufacturing and professional and legal services.
Figure 4. The distribution of the sectors that BianLian attacked in 2023.

Possible Connection to Makop Ransomware

During our analysis, we noticed a small .NET custom executable was shared between the BianLian and Makop ransomware groups. Both groups also used the same hash of the publicly available Advanced Port Scanner tool.

This .NET tool is responsible for retrieving file enumeration, registry and clipboard data. This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past.

A possible – yet not confirmed – explanation for this overlap is that BianLian could be sharing a codebase with the Makop group, or using the services of the same third-party developers. This phenomenon is well-known and documented among certain underground cybercrime groups.

Another noteworthy fact is that the Makop ransomware was documented excluding certain file extensions when encrypting an infected endpoint, including known extensions that are used by other ransomware strains. This is yet another indicator of possible existing relationships among these threat actors, or at least a “not stepping on someone’s toes” approach when it involves other ransomware groups.

Technical Analysis

Attack Lifecycle

We have mapped the attack stages that are common with the BianLian group to the MITRE ATT&CK framework, which is summarized below.

Initial Access

To infiltrate corporate networks, BianLian operators often perform the following activities:

  • Use stolen Remote Desktop Protocol (RDP) credentials
  • Exploit the ProxyShell vulnerability
  • Target virtual private network (VPN) providers
  • Use other previously reported techniques such as deploying web shells

During the last year, BianLian’s methods of infiltration and lateral movement did not change much. Nevertheless, we were able to retrieve interesting forensic data from our telemetry that provides additional behavioral indicators of compromise (IoCs).

After successfully infiltrating an organization’s network, our telemetry indicates the BianLian group uses various public tools to move laterally, dump credentials and remotely execute a backdoor payload.

Credential Dumping

In our telemetry, we have witnessed dumping of the Security Accounts Manager (SAM) registry hive into a file at %windir%Temp. This is a common technique used by attackers.

The SAM stores hashed passwords from accounts used on the attacked machine, and it can be recovered when processing SYSTEM privileges. The corresponding Cortex XDR alert is shown in Figure 5.

Image 5 is a screenshot of an alert in Cortex XDR. The categories are Severity, which is high, the alert source, action, category, alert name and description.
Figure 5. SAM dumping alert in Cortex XDR.

Persistence

During the analysis of our telemetry, we saw the attackers drop the BianLian backdoor DLL component under the following path:

  • c:programdatavmware[filename].dll.

To execute the backdoor, they used the impacket tool to create the following scheduled task:

The creation of the task was detected by Cortex XDR, and the corresponding alert is shown in Figure 6 below.

Image 6 is a screenshot of an alert in Cortex XDR. The categories are Severity, which is high, the alert source, action, category, alert name and description.
Figure 6. The impacket task creation alert in Cortex XDR.

This task’s role is to periodically execute the backdoor DLL with its export function named Entry, using rundll32. The execution of the backdoor DLL was detected and prevented by Cortex XDR. The alert and prevention pop-up are shown in Figures 7 and 8, respectively.

Image 7 is a screenshot of an alert in Cortex XDR. The categories are Severity, which is medium, the alert source, action, category, alert name and description.
Figure 7. The backdoor execution detection by Cortex XDR in detect mode.
Image 8 is a screenshot of the Cortex XDR Prevention Alert window. Cortex XDR has blocked a malicious activity! Application name: Windows host process. Application publisher: Microsoft Corporation. File origin: Hard drive on this computer.
Figure 8. The backdoor execution prevention by Cortex XDR in prevent mode.

The backdoors themselves have different names and paths in each incident, thus making it difficult to implement naming-based behavioral detection.

Reconnaissance

To get a better picture of an already infected network’s open ports that attackers can later use for lateral movement, the tool Advanced Port Scanner by Famatech was used from the following path:

  • C:Users%username%AppDataLocalTemp31Advanced_Port_Scanner_2.5.3869.exe

This is the same Advanced Port Scanner file that Makop ransomware was previously documented using. The alerts raised by its execution are shown in Figure 9.

Image 9 is a screenshot of an alert in Cortex XDR. The categories are Severity, which is Informational (two instances) and medium (one instance), the alert source, action, category, and alert name.
Figure 9. Alerts raised by the execution of Advanced Port Scanner.

Encryptor and Backdoor

Since the beginning of their activity, BianLian used two main components for their final payloads: an encryptor and a backdoor. Figure 10 below shows the encryptor’s ransom note.

Image 10 is a screenshot of a BianLian ransomware note. Title: Look at this instruction.txt. Your network systems were attacked and encrypted. Contact us in order to restore your date. Don’t make any changes in your file structure: touch no files, don’t try to recover by yourself, that may lead to its complete loss. To contact us you have to download “tox” messenger. Add user with the following ID to get your instructions [redacted]. Alternative way [redacted email]. Your ID: [redacted]. You should know that we have been downloading data rom your network for a significant time before the attack: financial, client, business, post, technical and personal files. In 10 days it will be posted at our site. [redacted] with links. Send to your clients, partners, competitors and news agencies, that will lead to a negative impact on your company: potential financial, business and reputational loses.
Figure 10. Example of a ransom note generated by a BianLian encryptor first seen in April 2023.

In early 2023, Avast released a decryptor for BianLian’s encryptor, which ultimately caused the group to cease most of its encryption activity. The threat actors then shifted their operation into a steal-and-extort scheme, mainly relying on their custom backdoor.

BianLian’s backdoor, similar to the encryptor, is written in Go. Its core functionality is more of a loader than a classic backdoor, with its main functionality being downloading and executing additional payloads. The backdoor contains a hard-coded C2 IP address and port to communicate with.

As shown in Figures 11 and 12, Cortex XDR successfully detected the execution of the encryptor, using its anti-ransomware module and other behavioral and static detection signatures.

Image 11 is a screenshot of an alert in Cortex XDR.
Figure 11. BianLian encryptor detection by Cortex XDR in detect mode.
Image 12 is a screenshot of alerts in Cortex XDR. They were initiated by bianlian_encryptor.exe.
Figure 12. Alerts raised by Cortex XDR detecting the BianLian encryptor in detect mode.

As shown in Figure 13, when operating in prevent mode, the BianLian encryptor is prevented by Cortex XDR.

Image 13 is a screenshot of the Cortex XDR Prevention Alert window. Cortex XDR has blocked a malicious activity! Application name: bianlian_encrypotr.exe. Application publisher: Unknown
Figure 13. The BianLian encryptor is prevented by Cortex XDR in prevent mode.

Figures 14 and 15 below demonstrate how Cortex XDR also detected the BianLian custom backdoor in detect mode and prevented it in prevent mode.

Image 14 is a screenshot of an alert in Cortex XDR.
Figure 14. Cortex XDR detecting the BianLian backdoor in detect mode.
Image 15 is a screenshot of the Cortex XDR Prevention Alert window. Cortex XDR has blocked a malicious activity! Application name: bianlian_encrypotr.exe. Application publisher: Unknown.
Figure 15. The BianLian backdoor is prevented by Cortex XDR in prevent mode.

Conclusion

Following its discovery in 2022, the BianLian group has been one of the most active and prevalent extortion groups in the cyberthreat landscape. Out of the leak site data tracked by Unit 42 between January and mid-December of 2023, BianLian was in the top 10 of the most active groups. There is a growing list of alleged victims that they update on their leak site.

Maintaining their tactics, techniques and procedures (TTPs) of infiltrating corporate networks, the BianLian group has shown adaptiveness to the ransomware market demands. They have shifted from double-extortion into being focused solely on extortion efforts, pressuring their victims into paying the ransom without encrypting their files. A possible connection to the Makop ransomware group was also found, due to their mutual use of a custom tool.

Protections and Mitigations

SmartScore, a unique ML-driven scoring engine that translates security investigation methods and their associated data into a hybrid scoring system, scored an incident involving BianLian backdoor at 91 out of 100, as shown in Figure 16. This type of scoring helps analysts determine which incidents are more urgent and provides context about the reason for the assessment, assisting with prioritization.

Image 16 is a screenshot of SmartScore information scored at 91. It includes why the score was set and also insights.
Figure 16. SmartScore information about a BianLian backdoor incident.

Palo Alto Networks customers are better protected from the BianLian encryptor and backdoor components.

The Cortex XDR and XSIAM platforms detect and prevent the execution flow described in the screenshots included in the previous section.

The Cortex XDR agent included out of the box protections that prevented adverse behavior from the samples we tested from this group, without the need for specific detection logic or signatures.

Cortex XDR and XSIAM detect user- and credential-based threats by analyzing user activity from multiple data sources including the following:

  • Endpoints
  • Network firewalls
  • Active Directory
  • Identity and access management solutions
  • Cloud workloads

Cortex XDR and XSIAM build behavioral profiles of user activity over time with machine learning. By comparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex XDR and XSIAM detect anomalous activity indicative of credential-based attacks.

They also offer the following protections related to the attacks discussed in this post:

  • Prevent the execution of known malicious malware
  • Prevent execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module
  • Protect against credential-gathering tools and techniques using the Credential Gathering Protection, available from Cortex XDR 3.4
  • Protect against exploitation of different vulnerabilities including ProxyShell using the Anti-Exploitation modules as well as Behavioral Threat Protection

Cortex XDR Pro detects post-exploitation activity, including credential-based attacks, with behavioral analytics.

The Prisma Cloud Defender as well as Cortex XDR for cloud agents should be deployed on cloud-based Windows virtual machines to ensure they are protected from these known malicious binaries. WildFire signatures can be used by both Palo Alto Networks cloud services to ensure cloud-based Windows virtual machine runtime operations are being analyzed and those resources are protected.

Cloud-Delivered Security Services for the Next-Generation Firewall such as WildFire and Advanced URL Filtering include protections based on the IoCs shared in this article.

Cortex Xpanse is also able to detect exposed RDP and many other remote access interfaces which are often brute forced or exploited with compromised credentials. This visibility can prove valuable through proactive prevention.

Image 17 is a screenshot of Cortex Xpanse Attack Surface rules. It includes the following categories: Status. Severity, Rule Name, Description, Remediation Guidance and more.
Figure 17. A subset of the exposed remote access interface types that Cortex Xpanse can detect.

If you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Examples of the BianLian Encryptor

  • af46356eb70f0fbb0799f8a8d5c0f7513d2f6ade4f16d4869f2690029b511d4f
  • 1fd42d07b4be99e0e503c0ed5af2274312be1b03e01b54a6d89c0eef04257d6e
  • 3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f
  • 46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b
  • 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
  • eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2

Examples of the BianLian Backdoor

  • c775e6d87a3bcc5e94cd055fee859bdb6350af033114fe8588d2d4d4f6d2a3ae
  • c57ca631b069745027d0b4f4d717821ca9bd095e28de2eafe4723eeaf4b062cf
  • c592194cea0acf3d3e181d2ba3108f0f86d74bcd8e49457981423f5f902d054b
  • df51b7b031ecc7c7fa899e17cce98b005576a20a199be670569d5e408d21048c
  • 2ed448721f4e92c7970972f029290ee6269689c840a922982ac2f39c9a6a838f
  • 264af7e7aa17422eb4299df640c1aa199b4778509697b6b296efa5ae7e957b40
  • 73d095abf2f31358c8b1fb0d5a0dc9807e88d44282c896b5033c1b270d44111f
  • 8b65c9437445e9bcb8164d8557ecb9e3585c8bebf37099a3ec1437884efbdd24
  • 4ca84be5b6ab91694a0f81350cefe8379efcad692872a383671ce4209295edc7
  • 93fb7f0c2cf10fb5885e03c737ee8508816c1102e9e3d358160b78e91fa1ebdb
  • afb7f11da27439a2e223e6b651f96eb16a7e35b34918e501886d25439015bf78
  • 53095e2ad802072e97dbb8a7ccea03a36d1536fce921c80a7a2f160c83366999
  • 16cbfd155fb44c6fd0f9375376f62a90ac09f8b7689c1afb5b9b4d3e76e28bdf
  • 60b1394f3afee27701e2008f46d766ef466caa7711c45ddfd443a71efc39a407
  • ba3c4bc99b67038b42b75a206d7ef04f6d8abaf87a76c373d4dec85e73859ce2
  • e7e097723d00f58eab785baf30365c1495e99aa6ead6fe1b86109558838d294e
  • 96e02ea8b1c508f1ee3c1535547f9b89396f557011e61478644ae5876cdaaca5
  • ac1d42360c45e0e908d07e784ceb15faf8987e4ba1744d56313de6524d2687f7
  • 1cba58f73221b5bb7930bfeab0106ae5415e70f49a595727022dcf6fda1126e9
  • 487f0d748a13570a46b20b6687eb7b7fc70a1a55e676fb5ff2599096a1ca888c
  • f84edc07b23423f2c2cad47c0600133cab3cf2bd6072ad45649d6faf3b70ec30
  • 93953eef3fe8405d563560dc332135bfe5874ddeb373d714862f72ee62bef518
  • f3f3c692f728b9c8fd2e1c090b60223ac6c6e88bf186c98ed9842408b78b9f3c
  • f6669de3baa1bca649afa55a14e30279026e59a033522877b70b74bfc000e276
  • 228ef7e0a080de70652e3e0d1eab44f92f6280494c6ba98455111053701d3759
  • 0e4246409cdad59e57c159c7cc4d75319edf7d197bc010174c76fe1257c3a68e
  • 90f50d723bf38a267f5196e22ba22584a1c84d719b501237f43d10117d972843
  • 4c008ac5c07d1573a98eb87bffe64e9c9e946de63b40df3f686881cf0698eef7
  • d3574cc69a5974a32a041d1dc460861fe1cef3c1f063171c5fc890ca0e8403c4
  • 99fc3e13f3b4d8debf1f2328f56f3810480ee2eed9271ebf413c0015c0a54c23
  • 4f4a2adc7ecc41f12defe864c78ad6bbf708355affac4115dcd5065b38198109
  • 188e95d6ed0810c216ab0043ecc2f54f514e624ca31ed1eec58cfc18cc9ac75e
  • 16b0f643670d1f94663179815bfac493f5f30a61d15c18c8b305b1016eece7ef
  • c5fa6a7a3b48a2a4bbcbbbb1ca50c730f3545e3fbb03fa17fb814ad7a400a21f
  • d3fc56b98af9748f7b6dd44e389d343781ff47db9ed3d92ae8fadc837f25f6ed
  • 23295c518f194dee7815728de15bafe07bf53b52d987c7ad2b2050f833f770f7
  • 06f10c935fae531e070c55bde15ee3b48b6bb289af237e96eec82124c19d1049
  • 7ba40902dc495d8da28d0c0788bcfb1449818342df89f005af8ce09f2ee01798
  • 3106e313f6df73b84acd8d848b467ac42c469ffabbad19e4fdcc963639cfff8c
  • 56e63edb832fdf08d19ecfe2de1c7c6c6581cedd431215ded0c8e44ac9aed925
  • 195c11ee41f5a80d8e1b1881245545d6529671b926eb67bd3186e3ffecefe362
  • ac14946fd31ca586368c774f3a3eed1620bf0f0b4f54544f5d25e87facf18d82
  • 29a14cb63a1900fe185fad1c1b2f2efb85a058ac3c185948b758f3ce4107e11e
  • 91ffe0ee445b82bd3360156feeecf8112d27c9333f9796caffcfda986fd7e9b4
  • 5162fd73cbe8f313d2b0e4180bab4cbe47185f73a3ffc3d1dcccc36bc2865142
  • 7dabe5d40c13c7c342b7182eaf7c63fbb5e326300316f6f6518b527d57e79ac8
  • 4e92b73a17e0646876fb9be09c4ee6f015f00273932d2422b69339e22b78b385
  • 9413ba4a33ea77326b837ba538f92348e1909d5263ca67a86aa327daa8fbba30
  • bd41ac2686beadc1cb008433960317b648caae37c93d8c0d61ad40fe27b5b67e
  • bd57af28c94c3b7f156511c48f4b62cd1b4c29a1a693f4dc831e0a928691cc56

Advanced Port Scanner

  • d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb

.NET Tool

  • 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce

BianLian Command and Control Servers

  • 208.123.119[.]123
  • 13.215.228[.]73
  • 54.193.91[.]232
  • 172.96.137[.]159
  • 204.152.203[.]90
  • 144.208.127[.]119
  • 192.161.48[.]43
  • 146.70.87[.]197
  • 45.86.230[.]64
  • 45.56.165[.]17
  • 23.163.0[.]168
  • 172.96.137[.]249
  • 173.254.204[.]78
  • 185.56.137[.]117
  • 52.87.206[.]242
  • 45.66.249[.]118
  • 96.44.157[.]203
  • 103.20.235[.]122
  • 44.212.9[.]14
  • 149.154.158[.]154
  • 146.59.102[.]74
  • 96.44.135[.]76
  • 85.239.52[.]96
  • 66.85.156[.]83
  • 198.252.98[.]186
  • 3.236.161[.]7
  • 13.59.168[.]154
  • 172.245.128[.]35
  • 216.146.25[.]60
  • 172.86.122[.]183
  • 185.99.133[.]112
  • 149.154.158[.]214
  • 104.200.72[.]6
  • 23.163.0[.]228

Additional Resources

Source: Original Post


“An interesting youtube video that may be related to the article above”