UPDATED 06:00 EDT / JANUARY 23 2024

SECURITY

BianLian ransomware group shifts focus to US, European healthcare and manufacturing industries

A new report today from Palo Alto Networks Inc.’s Unit 42 details how the prolific BianLian ransomware group has changed its operations, shifting to attacks that primarily target the healthcare and manufacturing sectors in the U.S. and Europe.

BianLian first emerged around 2021 and came to widespread attention in 2022 when it targeted companies in the U.S., the U.K. and Australia with traditional ransomware attacks, including encrypting files and demanding that a ransom be paid. BianLian, which previously used “double-extortion” attacks that involved encrypting and stealing data, now only steals data and threatens to publish it if its victims do not pay the ransom.

Through 2023, the Unit 42 researchers observed BianLian gaining notoriety for its shift in strategy to stealing data alone. By eliminating the encryption stage, BianLian reduces the complexity of its attacks while maintaining leverage over victims through the threat of data exposure, leverage that restoring from backups does nothing to remove.

For its attacks, BianLian uses a custom .NET tool for data extraction that is also used by the Makop ransomware group, which the researchers suggest points to possible collaboration or shared resources between the two. The tool retrieves sensitive information from compromised systems, including files, registry data and clipboard contents, and includes Russian-language elements in its codebase, hinting at the group’s origins.

BianLian employs various methods for initial access, such as exploiting vulnerabilities like ProxyShell, using stolen Remote Desktop Protocol credentials and targeting virtual private network providers. Upon gaining access, the group uses sophisticated techniques for lateral movement and persistence, making its activities challenging to detect and mitigate.
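One check a defender can run against the stolen-RDP-credential vector mentioned above, as an added example that is not from the Unit 42 report or from this article: it scans Windows Security event ID 4624 (successful logon) records for LogonType 10, the RemoteInteractive type that RDP sessions produce, coming from non-internal addresses, and for accounts seen logging in over RDP from several distinct sources. The event records, the shortened field names and the internal address ranges are constructed assumptions for the example.

```python
"""Flag suspicious RDP logons in Windows Security event ID 4624 records.

Added example, not code from the Unit 42 report or from SiliconANGLE.
BianLian's use of stolen RDP credentials suggests a cheap check: look at
successful-logon events (ID 4624) with LogonType 10 (RemoteInteractive,
i.e. RDP) whose source address is outside the internal ranges, and at
accounts that RDP in from several distinct sources. The records below are
constructed for this example; the field names are shortened forms of the
4624 event fields (TargetUserName, LogonType, IpAddress, Computer).
"""
import ipaddress
from collections import defaultdict

# Constructed sample of 4624 events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-01-20T02:13:05Z", "account": "CORP\\svc_backup",
     "logon_type": 10, "src_ip": "203.0.113.45", "host": "jump01"},
    {"ts": "2024-01-20T02:20:33Z", "account": "CORP\\svc_backup",
     "logon_type": 10, "src_ip": "198.51.100.7", "host": "fs01"},
    {"ts": "2024-01-20T09:00:12Z", "account": "CORP\\alice",
     "logon_type": 10, "src_ip": "10.0.4.22", "host": "ws-alice"},
    {"ts": "2024-01-20T09:05:40Z", "account": "CORP\\alice",
     "logon_type": 2, "src_ip": "-", "host": "ws-alice"},
    {"ts": "2024-01-20T11:30:00Z", "account": "CORP\\bob",
     "logon_type": 3, "src_ip": "10.0.4.31", "host": "fs01"},
    {"ts": "2024-01-20T14:02:10Z", "account": "CORP\\bob",
     "logon_type": 10, "src_ip": "10.0.9.8", "host": "jump01"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive

# Assumed internal address space; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external_source(src_ip):
    """True only if the address parses and lies outside loopback and INTERNAL_NETS.

    Local logons carry '-' as the address; anything unparseable is treated
    as not external so it is never reported as an internet-facing source.
    """
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    if ip.is_loopback:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Return RDP (LogonType 10) logons whose source is outside the internal ranges."""
    return [e for e in events
            if e["logon_type"] == RDP_LOGON_TYPE and is_external_source(e["src_ip"])]


def multi_source_rdp_accounts(events, min_sources=2):
    """Map account -> set of RDP source addresses, keeping only accounts seen
    over RDP from at least min_sources distinct addresses.

    A service account opening RDP sessions from several addresses in a short
    window is a common sign of a stolen credential being reused.
    """
    sources = defaultdict(set)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            sources[e["account"]].add(e["src_ip"])
    return {acct: ips for acct, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for e in external_rdp_logons(SAMPLE_EVENTS):
        print(f"external RDP: {e['ts']} {e['account']} from {e['src_ip']} -> {e['host']}")
    for acct, ips in multi_source_rdp_accounts(SAMPLE_EVENTS).items():
        print(f"multiple RDP sources for {acct}: {sorted(ips)}")
```

On the sample data both checks point at the same account: `svc_backup` logging in over RDP from two documentation-range addresses in the early hours. In practice the events would come from EVTX exports or a SIEM rather than a hard-coded list, and sessions that arrive through a VPN concentrator will show an internal source address, so the VPN's own authentication logs need the same treatment.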

The standout in the report is BianLian’s pivot to focus on the healthcare and manufacturing sectors. In January 2023, the group claimed to have stolen 1.7 terabytes of data, including personal information on patients and employees, from a California-based hospital. Attacks on healthcare organizations are noted in the report as being “especially concerning because they disrupt hospitals’ day-to-day operations and potentially endanger patients’ lives.”

Organizations are advised to enhance their cybersecurity posture to protect against the threat of ransomware groups such as BianLian. Unit 42 naturally recommends Palo Alto Networks platforms such as the company’s Cortex XDR and XSIAM, but the key is to take steps that address the risk itself. Regular security audits, employee training on cyber hygiene and robust data backup and recovery plans also help, with the caveat that backups only blunt the encryption side of an attack; against a group that now relies on data theft alone, the emphasis has to be on preventing initial access, catching lateral movement and detecting exfiltration before the data leaves.

Photo: Choo Yut Shing/Flickr
