Update: #StopRansomware: BianLian Data Extortion Group

    This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.
These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.  
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI and ASD’S ACSC investigations.  
This advisory, originally published in May, has been updated with additional TTPs obtained as of June through FBI and ASD’S ACSC investigations and industry threat intelligence.  
The reporting agencies are aware of multiple ransomware groups, like BianLian, that seek to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group, likely based in Russia, with multiple Russia-based affiliates.  
BianLian group actors have affected organizations in multiple US critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.
The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian then extorts money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024.   FBI, CISA, and ASD’S ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware and data extortion incidents.