BianLian

Threat Actor updated 22 days ago (2024-11-29T13:58:41.655Z)
BianLian is a threat actor active in cybercrime, including ransomware and data extortion. Prior to January 2024, the group used an encryptor (encryptor.exe) that gave every encrypted file the .bianlian extension and dropped a ransom note in each affected directory.

The group expanded its initial access techniques over time and is known to use tools such as PsExec and RDP with valid accounts for lateral movement. In some cases, BianLian actors created multiple domain admin accounts for lateral movement to the domain controller and established multiple Azure AD accounts to maintain access to victim systems. They also used the reverse proxy tool Ngrok, or a modified version of the open-source Rsocks utility, for command and control.

The group notably exploited bugs in JetBrains TeamCity software to launch ransomware attacks. These attacks involved searching for sensitive files with PowerShell scripts and exfiltrating them for data extortion.

More recently, the group's ransom notes simply state that data has been exfiltrated and threaten to leak it if the ransom is not paid, indicating a shift in tactics. The notes also warn victims of potential financial, business, and legal ramifications if payment is not made.

In response to the escalating threat posed by BianLian, the FBI, CISA, and ASD's ACSC issued specific recommendations to help organizations defend against these tactics, including more general controls such as multi-factor authentication and privileged access management. As of November 2024, it was noted that BianLian had initially employed a double-extortion model, exfiltrating financial, client, business, technical, and personal files for leverage while simultaneously encrypting victims' systems.
Description last updated: 2024-11-25T13:41:59.814Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
Ransomware
Extortion
Backdoor
Malware
Ransom
Lateral Move...
Exploit
Encryption
Windows
Encrypt
Healthcare
Teamcity
PowerShell
Android
Azure
Australian
T1566
Exploits
Antivirus
Implant
CISA
Associated Malware
Alias: LockBit | Association type: Unspecified | Votes: 4
Description: The Lockbit Malware is associated with BianLian. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or

Alias: BlackBasta | Association type: Unspecified | Votes: 3
Description: The Blackbasta Malware is associated with BianLian. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnet

Alias: Black Basta | Association type: is related to | Votes: 2
Description: The Black Basta Malware is associated with BianLian. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses

Alias: Clop | Association type: Unspecified | Votes: 2
Description: The Clop Malware is associated with BianLian. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin

Alias: Cerberus | Association type: Unspecified | Votes: 2
Description: The Cerberus Malware is associated with BianLian. Cerberus is a potent Android banking trojan that first surfaced on underground marketplaces in 2019. This malicious software, which operates as a hidden application on the victim's device, infiltrates systems via suspicious downloads, emails, or websites without the user's awareness. Once inside, it

Alias: TeaBot | Association type: Unspecified | Votes: 2
Description: The Teabot Malware is associated with BianLian. TeaBot, also known as Anatsa, is a sophisticated malware that has been impacting Android devices. It first emerged as a significant threat in 2022 when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable banking

Alias: Karakurt | Association type: Unspecified | Votes: 2
Description: The Karakurt Malware is associated with BianLian. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a
Associated Threat Actors
Alias: Alphv | Association type: Unspecified | Votes: 3
Description: The Alphv Threat Actor is associated with BianLian. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p

Alias: Vice Society | Association type: Unspecified | Votes: 2
Description: The Vice Society Threat Actor is associated with BianLian. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe

Alias: Qilin | Association type: Unspecified | Votes: 2
Description: The Qilin Threat Actor is associated with BianLian. Qilin, a threat actor known for its malicious activities in cyberspace, has been on the rise, with its victim count increasing by 44% to reach 140 in Q3. This group is part of the Octo Tempest group, which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to

Alias: Rhysida | Association type: Unspecified | Votes: 2
Description: The Rhysida Threat Actor is associated with BianLian. Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc

Alias: White Rabbit | Association type: Unspecified | Votes: 2
Description: The White Rabbit Threat Actor is associated with BianLian. White Rabbit is a notable threat actor in the cybersecurity landscape, known for its malicious activities and association with other prominent hacking groups. The group's name, derived from the character in Alice's Adventures in Quantum Wonderland, signifies its unique approach to cyber attacks. In
Source Document References
Information about the BianLian Threat Actor was read from the documents corpus below (display limited to 20 results).

Source | Created
InfoSecurity-magazine | a month ago
BankInfoSecurity | 2 months ago
CISA | a month ago
InfoSecurity-magazine | a month ago
DARKReading | a month ago
Checkpoint | 2 months ago
BankInfoSecurity | 2 months ago
InfoSecurity-magazine | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 5 months ago
CERT-EU | a year ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
DARKReading | 5 months ago
Unit42 | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Checkpoint | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago