
'Strictly limit' remote desktop – unless you like catching BianLian ransomware

Do it or don't. We're not cops. But the FBI are, and they have this to say


The FBI and friends have warned organizations to "strictly limit the use of RDP and other remote desktop services" to avoid BianLian infections and the ransomware gang's extortion attempts that follow the data encryption.

In a 19-page joint alert [PDF] issued Tuesday, the FBI, along with the US government's Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC), warned admins about the extortion crew's indicators of compromise along with its tactics, techniques and procedures observed as recently as March.

BianLian typically gains access to victims' Windows systems via Remote Desktop Protocol (RDP) credentials — hence the advice to shore up RDP security — and then uses software tools and command-line scripting to find and steal more credentials and snoop through the network and its files. The crew presumably guesses or otherwise obtains those remote-desktop credentials up front, so hardening RDP access itself, and limiting what a logged-in user can do afterwards, is worthwhile even if you don't restrict or block remote desktop outright.

Once the intruders are in and have found sensitive data they can use to extort their victims, they exfiltrate it using FTP, Rclone, and Mega, according to law enforcement.

To lessen the threat of becoming BianLian's next victim, the government agencies urge organizations not only to lock down RDP but also to disable or limit command-line and scripting activities and permissions, restrict the execution of application software, and restrict use of PowerShell. Updating Windows PowerShell or PowerShell Core to the latest version is a good idea, too.

There's other advice you should check out, such as increasing PowerShell logging; adding time-based restrictions to accounts, so that someone can't hijack an admin user out of hours; and monitoring domain controllers and Active Directory for suspicious new accounts and activities.
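Two of the monitoring recommendations above, out-of-hours admin use of RDP and unexpected new accounts, are easy to turn into a first-pass check over Windows Security log events. The following is an added example, not code from the advisory or from The Register: it parses a handful of constructed, simplified JSON renderings of Security events (event 4624 for a successful logon with LogonType 10 meaning RemoteInteractive, i.e. RDP, and event 4720 for a user account created) and flags records that violate a hypothetical policy. The account names, IP addresses, allowed hours and approved-provisioner list are all assumptions made up for the example.

```python
"""Flag the two BianLian-style signals the advisory tells admins to watch for:
out-of-hours RDP logons by admin accounts, and newly created domain accounts.
Sample events below are constructed, simplified Windows Security log records."""
import json
from datetime import datetime, time

# Constructed sample records (simplified JSON rendering of Windows Security events).
# Event 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# Event 4720 = user account created; SubjectUser is the account that created it.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Time": "2023-03-14T09:12:00", "TargetUser": "jsmith", "LogonType": 10, "IpAddress": "10.0.5.21"}
{"EventID": 4624, "Time": "2023-03-14T02:47:00", "TargetUser": "admin.ops", "LogonType": 10, "IpAddress": "10.0.9.77"}
{"EventID": 4624, "Time": "2023-03-14T02:50:00", "TargetUser": "admin.ops", "LogonType": 3, "IpAddress": "10.0.9.77"}
{"EventID": 4720, "Time": "2023-03-14T02:55:00", "TargetUser": "svc_backup2", "SubjectUser": "admin.ops"}
{"EventID": 4720, "Time": "2023-03-14T10:05:00", "TargetUser": "newhire01", "SubjectUser": "hr-provisioning"}
"""

# Policy assumptions (hypothetical values chosen for this example).
ADMIN_ACCOUNTS = {"admin.ops", "da-backup"}
ALLOWED_HOURS = (time(7, 0), time(19, 0))      # admins may use RDP only inside this window
APPROVED_CREATORS = {"hr-provisioning"}        # only these accounts may create users


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def out_of_hours_rdp(events):
    """Return (user, time, source IP) for RDP logons by admin accounts outside ALLOWED_HOURS."""
    start, end = ALLOWED_HOURS
    hits = []
    for ev in events:
        if ev["EventID"] != 4624 or ev.get("LogonType") != 10:
            continue                      # not an RDP logon
        if ev["TargetUser"] not in ADMIN_ACCOUNTS:
            continue                      # policy only covers admin accounts
        logon_time = datetime.fromisoformat(ev["Time"]).time()
        if not (start <= logon_time <= end):
            hits.append((ev["TargetUser"], ev["Time"], ev["IpAddress"]))
    return hits


def unapproved_account_creation(events):
    """Return (new account, creator, time) for accounts created by anyone outside APPROVED_CREATORS."""
    return [
        (ev["TargetUser"], ev["SubjectUser"], ev["Time"])
        for ev in events
        if ev["EventID"] == 4720 and ev.get("SubjectUser") not in APPROVED_CREATORS
    ]


def triage(text):
    """Run both checks over a block of event records and return the findings."""
    events = parse_events(text)
    return {
        "rdp_out_of_hours": out_of_hours_rdp(events),
        "unapproved_account_creation": unapproved_account_creation(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

On the sample data the script reports one out-of-hours RDP logon (admin.ops at 02:47 from 10.0.9.77) and one account, svc_backup2, created by that same admin account a few minutes later, which is exactly the sequence the advisory's "suspicious new accounts" guidance is meant to catch. In production the JSON lines would come from a SIEM export or `Get-WinEvent` rather than a string literal, and the logon-hours rule would be enforced in Active Directory as well as detected here.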

"FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents," the cyber cops advised.

BianLian emerged on the cybercrime scene in June 2022 and quickly made a name for itself by targeting healthcare and other critical infrastructure sectors. 

Encryption is so 2022

While the criminals started off as a ransomware crew that used double extortion — steal the data, encrypt systems, and threaten to leak the files and not provide a decryption key unless the victim pays a ransom — earlier this year, they shifted to full-on extortion, ditching the encryption part, according to government and private-sector threat hunters. And BianLian isn't the only criminal gang to make the shift to going after critical systems.

There's some speculation that cybersecurity firm Avast's release in January of a free decryptor for BianLian convinced the gang that extortion without the headache of file encryption is the future of cybercrime for them.

The operators behind BianLian are among a growing number of ransomware groups using newer programming languages — in this case Go, but others also are turning to Rust — to make the malware a little more difficult to analyze and to get around some endpoint protection tools. This is because some researchers and software aren't used to picking apart Rust and Go-built binaries, though that will improve.

In addition to writing better malware, BianLian is also jumping on another trend among cybercriminals: making the extortion attacks increasingly vicious and personal. This requires the gangsters to spend more time researching their victims and tailoring their messages to — and harassment of — organizations and their employees to turn up the heat on companies to pay.

"In several instances, BianLian made reference to legal and regulatory issues a victim would face were it to become public that the organization had suffered a breach," Redacted security researchers said in a March report on the criminal gang.

To pay or not to pay?

If the victims don't pay the demand, the BianLian crew threatens to publish the stolen information on its Tor-hidden leak website. This makes victims more likely to settle as they can avoid lengthy legal cases over the exposure of corporate and personal data.

This shift, away from encryption and toward extortion via data leak, "is due to the successful collaboration between law enforcement and the cyber community to not only decrypt the ransomware but to disrupt the infrastructure that sustains it," Tom Kellermann, SVP of cyber strategy at Contrast Security, told The Register.

But, Kellermann added, it also gives the crooks another potential way to make money from their victims: shoxing. "Cybercrime cartels will short the stock of the victim company prior to the data leak to earn a return, in a crime called shoxing," he explained.

The FBI and CISA advise companies not to pay ransoms to BianLian or any criminal group as this doesn't guarantee that victims' files will not be released or quietly sold. 

"Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities," the government agencies said in the BianLian alert. 

However, whatever an organization decides to do, pay or not pay the ransom, the governments urge companies to "promptly report" any cyber incidents to the FBI or CISA in the US, or the ACSC in Australia, or whatever's your nearest cybercrime body. ®
