Date: 07/18/2024
Severity: High
Summary
The BianLian ransomware group has evolved quickly, demonstrating sophisticated tactics and adapting to the changing cyber threat environment. It ranks among the top three most active ransomware groups by number of victim disclosures, behind LockBit3 and AlphV. The referenced blog post offers an in-depth examination of BianLian's victim profiles, infrastructure, and tools, giving a thorough understanding of the group's operations.
Indicators of Compromise (IOC) List

IOC Type | Indicator
--- | ---
URL/Domain | ec2-13-215-228-73.ap-southeast-1.compute.amazonaws.com
IP Address | 104.238.61.20, 45.56.165.131, 146.59.102.74
SHA-256 Hash | 3b309c076c26f27f42dbab8c89f05df51c414e87529251dc2d9946e7bc694f29, 72d91293ff1a91587af3997081f65eac819d2ff73655837dc68a447d371ca2f1, f9421165e4a62c7a1941b7b3fa73ac6f2149e7ffab3a6a622406baabf1933a2e, 834ab96263cca7b01b3ae6549a9811b56204e714402215ce37fb602732b981d1, B12be86af46b0267d86fcacef0a58bad0d157a7a044f89a453082b32503bd3c0
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

IOC Type | Query
--- | ---
URL/Domain | userdomainname IN ("ec2-13-215-228-73.ap-southeast-1.compute.amazonaws.com") or url IN ("ec2-13-215-228-73.ap-southeast-1.compute.amazonaws.com")
IP Address | dstipaddress IN ("104.238.61.20","146.59.102.74","45.56.165.131") or ipaddress IN ("104.238.61.20","146.59.102.74","45.56.165.131") or publicipaddress IN ("104.238.61.20","146.59.102.74","45.56.165.131") or srcipaddress IN ("104.238.61.20","146.59.102.74","45.56.165.131")
SHA-256 Hash | sha256hash IN ("B12be86af46b0267d86fcacef0a58bad0d157a7a044f89a453082b32503bd3c0","3b309c076c26f27f42dbab8c89f05df51c414e87529251dc2d9946e7bc694f29","f9421165e4a62c7a1941b7b3fa73ac6f2149e7ffab3a6a622406baabf1933a2e","834ab96263cca7b01b3ae6549a9811b56204e714402215ce37fb602732b981d1","72d91293ff1a91587af3997081f65eac819d2ff73655837dc68a447d371ca2f1")
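As an added example (not from the advisory and not Gurucul's own code), the following Python applies the indicators above to constructed sample events the way the TDIR queries do, checking every candidate field. It goes slightly beyond the queries' exact-match comparison: URL values are reduced to their hostname and SHA-256 values are compared case-insensitively, since one listed hash is mixed case. The event dictionaries, their field names and the sample events are assumptions.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory above.
IOC_DOMAINS = {"ec2-13-215-228-73.ap-southeast-1.compute.amazonaws.com"}
IOC_IPS = {"104.238.61.20", "146.59.102.74", "45.56.165.131"}
IOC_SHA256 = {h.lower() for h in (
    "3b309c076c26f27f42dbab8c89f05df51c414e87529251dc2d9946e7bc694f29",
    "72d91293ff1a91587af3997081f65eac819d2ff73655837dc68a447d371ca2f1",
    "f9421165e4a62c7a1941b7b3fa73ac6f2149e7ffab3a6a622406baabf1933a2e",
    "834ab96263cca7b01b3ae6549a9811b56204e714402215ce37fb602732b981d1",
    "B12be86af46b0267d86fcacef0a58bad0d157a7a044f89a453082b32503bd3c0",
)}


def hostname_of(value):
    """Reduce a full URL to its host so 'http://host/path' still hits a domain IOC."""
    host = urlsplit(value).hostname if "://" in value else value
    return (host or value).lower().rstrip(".")


# (ioc type, event fields checked, normalizer, indicator set); the field names
# mirror the TDIR queries above and are assumed for the sample events.
CHECKS = (
    ("domain", ("userdomainname", "url"), hostname_of, IOC_DOMAINS),
    ("ip", ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress"),
     str.strip, IOC_IPS),
    # SHA-256 hex is case-insensitive; one advisory hash is mixed case.
    ("sha256", ("sha256hash",), lambda v: v.strip().lower(), IOC_SHA256),
)


def match_event(event):
    """Return (ioc_type, field, value) for every indicator hit in one event."""
    hits = []
    for kind, fields, normalize, iocs in CHECKS:
        for field in fields:
            value = event.get(field)
            if value and normalize(value) in iocs:
                hits.append((kind, field, value))
    return hits


def scan(events):
    """Return (event_id, hits) for events with at least one indicator hit."""
    return [(e.get("id"), h) for e in events if (h := match_event(e))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "45.56.165.131"},
    {"id": 2, "url": "http://ec2-13-215-228-73.ap-southeast-1.compute.amazonaws.com/x"},
    {"id": 3, "sha256hash": "B12BE86AF46B0267D86FCACEF0A58BAD0D157A7A044F89A453082B32503BD3C0"},
    {"id": 4, "srcipaddress": "10.0.0.7", "url": "https://example.invalid/"},
]
```

Event 3 only matches because the hash is lowercased before comparison; a case-sensitive IN-list would miss it.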
Reference:
https://blogs.juniper.net/en-us/security/bianlian-ransomware-group-2024-activity-analysis