- CISA has updated its BianLian advisory, originally published in May 2023
- The agencies warn that the group has moved away from deploying an encryptor
- Instead, BianLian exfiltrated sensitive data and threatened to release it
The BianLian ransomware group has stopped deploying an encryptor on victim devices and is now focusing solely on data exfiltration, an updated security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies has warned.
CISA, together with the FBI and the Australian Cyber Security Centre, first published an in-depth report on BianLian in May 2023 as part of the #StopRansomware effort, detailing the group's tactics, techniques, and procedures. That advisory has now been updated with new information, including changes in the group's modus operandi.
The key change is that BianLian no longer encrypts data on its victims' endpoints. Instead, it steals the data and demands payment in exchange for not leaking it to the public.
BianLian follows trends
This is a change that the cybersecurity community has been warning about for some time, and BianLian is not the only group that has stopped deploying the encryptor.
Developing, maintaining, and deploying encryption software is tedious, laborious, and expensive. In terms of extorting money, simple data exfiltration yields much the same result, and criminals have taken notice. For defenders, this also means that detections keyed to encryption behaviour (mass file renames, dropped ransom notes) will not fire against these intrusions; monitoring for unusual outbound data transfers and credential misuse matters more.
The agencies also said that BianLian is based in Russia and has ties to the country. If the name throws you off and makes you think the group is probably Chinese (or from somewhere else in the Far East), that is intentional.
“Reporting agencies are aware of several ransomware groups, such as BianLian, that seek to disguise location and nationality by choosing foreign language names, almost certainly to complicate identification efforts,” the report said.
The group has previously been observed targeting critical infrastructure organizations in the US and private businesses in Australia.