The operators behind BianLian, a relatively new ransomware family first discovered in July of this year, have been seen sharply expanding their command-and-control infrastructure this month. This build-out most likely signals that the group intends to scale up its operations and infection rates.
The operators behind the BianLian ransomware generally gain initial access to a victim network by exploiting a vulnerability; the most commonly observed entry points are the Microsoft Exchange ProxyShell vulnerabilities and targeted attacks on SonicWall VPN devices. Once inside, the group typically relies on standard living-off-the-land techniques to move laterally and escalate privileges. To keep the number of observable events low, the group has been seen enumerating further targets with arp (which reads the host's local ARP cache and sends no packets) rather than with ping sweeps, which generate network traffic that is easier to spot. When the group is ready to deploy its encryptor it becomes more aggressive, forcibly disabling security tools so that the encryption completes. The encryptor itself is written in Go and implements common ransomware behaviour such as excluding certain file extensions from encryption; it is then pushed across the network using methods such as WinRM or PowerShell scripts.
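The behaviours above (ARP-cache discovery instead of ping, remote execution through WinRM, and tampering with security tooling before encryption) are all visible in endpoint process-creation telemetry. The following is an added triage example, not code from the original post or from BianLian's operators: it runs three simple rules over a handful of constructed Sysmon-style process events. The field names, the sample events, the protected service names and the command patterns are assumptions for illustration; a real deployment would tune them to the environment.

```python
"""
Added example: triage constructed Windows process-creation events for the
BianLian-style behaviours described above. Sample data and rule thresholds
are assumptions, not observed BianLian artifacts.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    record_id: int
    host: str
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the parent process


# Assumed (hypothetical) list of security service/process names to protect.
PROTECTED_NAMES = {"windefend", "sense", "msmpeng", "edragent"}

# Commands that stop, delete or reconfigure services, or kill processes.
STOP_PATTERN = re.compile(
    r"\b(?:net1?\s+stop|sc(?:\.exe)?\s+(?:stop|delete|config)|taskkill(?:\.exe)?)\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_arp_discovery(ev: ProcEvent) -> bool:
    # 'arp -a' dumps the local ARP cache: no packets leave the host,
    # unlike a ping sweep, so it only shows up in process telemetry.
    return (basename(ev.image) == "arp.exe"
            and re.search(r"(^|\s)-a(\s|$)", ev.command_line) is not None)


def is_winrm_child(ev: ProcEvent) -> bool:
    # wsmprovhost.exe is the WinRM host process; anything it spawns was
    # started by a remote WinRM session (lateral movement or deployment).
    return basename(ev.parent_image) == "wsmprovhost.exe"


def is_security_tool_tampering(ev: ProcEvent) -> bool:
    # A stop/kill command that names a protected security component.
    cl = ev.command_line.lower()
    if not STOP_PATTERN.search(cl):
        return False
    return any(name in cl for name in PROTECTED_NAMES)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("arp_cache_discovery", is_arp_discovery),
    ("winrm_remote_exec", is_winrm_child),
    ("security_tool_tampering", is_security_tool_tampering),
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule_name, record_id, host) for every rule each event trips."""
    findings = []
    for ev in events:
        for name, check in RULES:
            if check(ev):
                findings.append((name, ev.record_id, ev.host))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(1, "WS01", r"C:\Windows\System32\ARP.EXE", "arp -a",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2, "WS01", r"C:\Windows\System32\PING.EXE", "ping 10.0.0.5",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3, "SRV02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\deploy.ps1",
              r"C:\Windows\System32\wsmprovhost.exe"),
    ProcEvent(4, "SRV02", r"C:\Windows\System32\net.exe", "net stop WinDefend",
              r"C:\Windows\System32\wsmprovhost.exe"),
    ProcEvent(5, "WS01", r"C:\Windows\System32\net.exe", "net stop Spooler",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(6, "SRV02", r"C:\Windows\System32\taskkill.exe",
              "taskkill /F /IM MsMpEng.exe", r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for rule, rid, host in triage(SAMPLE_EVENTS):
        print(f"{host}\trecord {rid}\t{rule}")
```

Each rule on its own is noisy (administrators run arp -a and stop services too); the value is in correlation, for example a WinRM-spawned shell on a server that goes on to enumerate the ARP cache and then stop an endpoint agent within the same session.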
Unlike most ransomware threat actors, the BianLian group has been seen taking up to six weeks between initial access and final encryption. This is well above the average dwell time of roughly 15 days, and most likely reflects the group's effort to stay under the radar until it is ready to deploy the final ransomware payload; the long gap also means defenders have a comparatively wide window in which the discovery and lateral-movement activity described above can be caught before encryption starts.