#StopRansomware: BianLian Data Extortion Group

    Date: 11/21/2024

    Severity: Critical

    Summary

    Since June 2022, BianLian group actors have targeted multiple U.S. and Australian critical infrastructure sectors, along with professional services and property development. They gain access via valid RDP credentials, use open-source tools for discovery and credential harvesting, and exfiltrate data through FTP, Rclone, or Mega. The group extorts victims by threatening to release stolen data unless paid. Initially using a double-extortion model, they transitioned to exfiltration-based extortion by January 2023 and fully adopted this approach by January 2024.

    Indicators of Compromise (IOC) List

    Hash:

    7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893
    1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
    0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500
    40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ( "7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893","1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43","0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500","40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce")
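    The same hash-match logic as Detection Query 1, written here as an added Python example (not Gurucul's or CISA's code) for teams that need to run the IOC check over exported endpoint telemetry outside the TDIR platform. The JSON field names host, path and sha256hash and the sample events are constructed; the four SHA-256 values are the ones listed above.

```python
import json
import re

# SHA-256 IOCs from the advisory's IOC list above (page values, not constructed).
BIANLIAN_SHA256 = {
    "7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893",
    "1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43",
    "0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500",
    "40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value):
    """Lower-case and validate a SHA-256 string; return None if it is not one.
    Tools often emit upper-case digests, so matching must be case-insensitive."""
    if not isinstance(value, str):
        return None
    v = value.strip().lower()
    return v if SHA256_RE.match(v) else None


def match_events(lines, ioc_set=BIANLIAN_SHA256):
    """Return (host, path, hash) for each JSON event whose sha256hash is an IOC.
    Malformed lines and values that are not SHA-256 digests are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        h = normalize_sha256(event.get("sha256hash"))
        if h and h in ioc_set:
            hits.append((event.get("host"), event.get("path"), h))
    return hits


# Constructed sample telemetry (hypothetical field names: host, path, sha256hash).
SAMPLE_LOG = [
    '{"host":"ws01","path":"C:/Users/a/svc.exe","sha256hash":"7B15F570A23A5C5CE8FF942DA60834A9D0549EA3EA9F34F900A09331325DF893"}',
    '{"host":"ws02","path":"C:/Windows/notepad.exe","sha256hash":"not-a-digest"}',
    '{"host":"srv01","path":"/tmp/x","sha256hash":"40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce"}',
    'this line is not json',
]

if __name__ == "__main__":
    for host, path, h in match_events(SAMPLE_LOG):
        print(f"IOC match on {host}: {path} ({h})")
```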

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a  


    Tags

    Malware, CISA, Ransomware, Critical Infrastructure, Australia, United States, BianLian
