Announced by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and others. joint alarmadvises on the steps organizations should take to mitigate the threat posed by the BianLian ransomware attack.
Targeting various industry sectors since June 2022, BianLian is a ransomware developer, deployer and data extortion group primarily targeting enterprises.
In recent months, the group’s attack model has left victims’ systems unscathed from what is encrypted after being exfiltrated to exploit financial, business, customer and personal data. It has become a data-stealer.
After a typical attack, the BianLian Group threatens financial, business and legal repercussions for the victim company if the ransom is not paid.
Here are some of the ransom messages left by the attackers:
Please know that prior to the attack, we downloaded data from your network including financial, customer, business, postal, technical and personal files.
Posted on our site within 10 days [REDACTED] Sending links to clients, partners, competitors and news agencies may have negative consequences for the company, including possible financial, business and reputational losses.
In its recommendation, CISA said that BianLian’s attackers first exploited compromised Remote Desktop Protocol (RDP) credentials to gain access to the victim’s network, but that those credentials were stolen from other malicious hackers. It advises that it is likely obtained or harvested through a phishing attack.
Once the malicious hacker gains access, they plant specially written backdoor code for each victim and install remote administration and access software to maintain access to the system.
A 19-page joint alert urges organizations to lock down RDP, disable command line and scripting activity and privileges, limit the use of PowerShell, and ensure that only the latest version of PowerShell is installed. , is asking to make sure extended logging is enabled.
Additional advice includes adding time-based locks to prevent hijacking of admin user accounts outside of normal working hours, never storing plaintext credentials in scripts, and maintaining offline and secure backups of data. implementation of a recovery plan to
For more advice on steps an organization can take and indications of compromise, full recommendationworth a read.
In this recommendation, the FBI and CISA again issued extortion demands to companies affected by ransomware, as there is no guarantee that exfiltrated files will not be made public or sold to other criminals. I advise you not to give in to
โFurthermore, the payments may encourage adversaries to target additional organizations or encourage other criminals to distribute ransomware or fund illegal activities.โ
Editor’s note: The opinions expressed in this guest author article are those of the contributor only and do not necessarily reflect those of Tripwire.
