
'Strictly limit' remote desktop – unless you like catching BianLian ransomware

Do it or don't. We're not cops. But the FBI are, and they have this to say

The FBI and friends have warned organizations to "strictly limit the use of RDP and other remote desktop services" to avoid BianLian infections and the ransomware gang's extortion attempts that follow the data encryption.

In a 19-page joint alert [PDF] issued Tuesday, the FBI, along with the US government's Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC), warned admins about the extortion crew's indicators of compromise along with its tactics, techniques and procedures observed as recently as March.

BianLian typically gains access to victims' Windows systems via Remote Desktop Protocol (RDP) credentials — hence the advice to shore up RDP security — and then uses software tools and command-line scripting to find and steal more credentials and snoop through the network and its files. Presumably the miscreants guess or obtain those remote-desktop credentials initially, so adding extra security there and after, if not limiting or blocking access outright, is useful.

Once the intruders are in and find sensitive data they can use to extort their victims, they exfiltrate the information using FTP, Rclone, and Mega, according to law enforcement.

To lessen the threat of becoming BianLian's next victim, the government agencies urge organizations to, as well as lock down RDP, disable or limit command-line and scripting activities and permissions, restrict the execution of application software, and also to restrict use of PowerShell. Updating Windows PowerShell or PowerShell Core to the latest version is a good idea, too.

There's other advice you should check out, such as increasing PowerShell logging; adding time-based locks to accounts, so that someone can't hijack an admin user out of hours; and monitoring domain controllers and active directories for suspicious new accounts and activities.
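Three of the mitigations above (PowerShell logging, time-based account restrictions, and watching domain controllers for new accounts) as one script; this is an added example, not code from the advisory or from The Register, and the account name, logon window and transcript directory are assumed placeholders.

```powershell
# Added example: applies the hardening steps summarised above.
# Run elevated on a domain-joined host or domain controller.
#Requires -RunAsAdministrator

# 1. Turn on PowerShell script block, module and transcription logging via the
#    policy registry keys (the same settings Group Policy writes under
#    Administrative Templates > Windows Components > Windows PowerShell).
#    Script block events land in Microsoft-Windows-PowerShell/Operational as ID 4104.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
# Assumed path: point this at a write-only share your SIEM collects from.
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# 2. Time-based restriction: the admin account may only log on during business
#    hours, so a stolen RDP credential is useless out of hours.
#    'svc-admin' and the 08:00-18:00 window are assumptions; adjust to your estate.
net user svc-admin /times:M-F,08:00-18:00 /domain

# 3. Detection: accounts created in the last N hours, from Security event 4720
#    ("A user account was created"). Run against each domain controller.
function Get-RecentAccountCreations {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                When       = $_.TimeCreated
                NewAccount = $data['TargetUserName']
                CreatedBy  = $data['SubjectUserName']
            }
        }
}
Get-RecentAccountCreations | Format-Table -AutoSize
```

Any account creation outside change windows, or created by a service or helpdesk identity that should not be creating users, is worth a ticket.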

"FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents," the cyber cops advised.

BianLian emerged on the cybercrime scene in June 2022 and quickly made a name for itself by targeting healthcare and other critical infrastructure sectors. 

Encryption is so 2022

While the criminals started off as a ransomware crew that used double extortion — steal the data, encrypt systems, and threaten to leak the files and not provide a decryption key unless the victim pays a ransom — earlier this year, they shifted to full-on extortion, ditching the encryption part, according to government and private-sector threat hunters. And BianLian isn't the only criminal gang to make the shift to going after critical systems.

There's some speculation that cybersecurity firm Avast's release in January of a free decryptor for BianLian convinced the gang that extortion without the headache of file encryption is the future of cybercrime for them.

The operators behind BianLian are among a growing number of ransomware groups using newer programming languages — in this case Go, but others also are turning to Rust — to make the malware a little more difficult to analyze and to get around some endpoint protection tools. This is because some researchers and software aren't used to picking apart Rust and Go-built binaries, though that will improve.

In addition to writing better malware, BianLian is also jumping on another trend among cybercriminals: making the extortion attacks increasingly vicious and personal. This requires the gangsters to spend more time researching their victims and tailoring their messages to — and harassment of — organizations and their employees to turn up the heat on companies to pay.

"In several instances, BianLian made reference to legal and regulatory issues a victim would face were it to become public that the organization had suffered a breach," Redacted security researchers said in a March report on the criminal gang.

To pay or not to pay?

If the victims don't pay the demand, the BianLian crew threatens to publish the stolen information on its Tor-hidden leak website. This makes victims more likely to settle as they can avoid lengthy legal cases over the exposure of corporate and personal data.

This shift, away from encryption and toward extortion via data leak, "is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but to disrupt the infrastructure that sustains it," Tom Kellermann, SVP of cyber strategy at Contrast Security, told The Register.

But, Kellermann added, it also gives the crooks another potential way to make money from their victims: shoxing. "Cybercrime cartels will short the stock of the victim company prior to the data leak to earn a return, in a crime called shoxing," he explained.

The FBI and CISA advise companies not to pay ransoms to BianLian or any criminal group as this doesn't guarantee that victims' files will not be released or quietly sold. 

"Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities," the government agencies said in the BianLian alert. 

However, whatever an organization decides to do, pay or not pay the ransom, the governments urge companies to "promptly report" any cyber incidents to the FBI or CISA in the US, or the ACSC in Australia, or whatever's your nearest cybercrime body. ®
