Threat Watch

Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks

The operators behind BianLian, a relatively new ransomware family first discovered in July of this year, have been seen vastly expanding their command-and-control infrastructure this month. This development likely signals an intended increase in the group’s operations and infection rates.

The operators behind the BianLian ransomware generally achieve initial access to a victim network by exploiting a vulnerability. The most commonly seen vectors are the Microsoft Exchange ProxyShell vulnerability and specific targeting of SonicWall VPN devices. Once initial access has been achieved, the group often uses standard living-off-the-land techniques to move laterally and escalate privileges on a system. To minimize the number of observable events, the group has been seen using arp, instead of ping, to discover further systems to compromise. Once the group is ready to deploy its encryptor, it becomes more aggressive, forcibly disabling security tools to make sure the encryption succeeds. The BianLian encryptor, which is written in Go and uses common ransomware techniques such as excluding certain file extensions from encryption, is then deployed across the network using methods such as WinRM or PowerShell scripts.

Compared with other ransomware threat actors, the BianLian group has been seen taking an unusually long dwell time of up to six weeks between initial access and final encryption. This is well above the average of 15 days and likely reflects the group’s attempt to stay under the radar until it is ready to deploy the final ransomware payload.


Since this ransomware group generally gains initial access by exploiting externally facing vulnerabilities, it is highly recommended to make sure all externally accessible devices are up to date on patches and have a consistent patching cycle implemented for them. This also includes making sure that all externally accessible devices are hardened so that only expected services are accessible from the Internet. Brute-forcing RDP credentials is another popular method of obtaining initial access for threat actors, so making sure no externally accessible systems have RDP open to the Internet can go a long way toward tightening the organization's perimeter.

Implementing and maintaining endpoint security controls on all devices is also highly recommended to help prevent ransomware from infecting a network. The threat group behind BianLian uses a number of well-known living-off-the-land techniques that many EDRs are likely to flag as suspicious and potentially block. For the non-standard techniques that may bypass an EDR, detections can be built manually to alert analysts to suspicious behavior. Behavior such as svchost.exe executing from an unusual path, WinRM processes creating abnormal files, and reg.exe modifying safeboot keys would all be considered suspicious and can be detected and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
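The three manual detections named above can be prototyped as simple rules over endpoint telemetry. The following is an added example, not code from the original article or from Binary Defense; it assumes Sysmon-style events (EventID 1 for process creation, 11 for file creation) represented as dicts, treats "abnormal" WinRM file writes as executable or script file types, and runs over constructed sample events.

```python
import ntpath

# Assumption: events are dicts with Sysmon-style fields
# (EventID 1 = process creation, EventID 11 = file creation).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WINRM_HOSTS = {"wsmprovhost.exe", "winrshost.exe"}
# Assumption: "abnormal" WinRM file writes = executable or script types.
RISKY_EXT = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs"}
REG_WRITE_VERBS = {"add", "delete", "copy"}

def detect(event):
    """Return the names of the rules a single event matches."""
    hits = []
    image = event.get("Image", "").lower()
    name, folder = ntpath.basename(image), ntpath.dirname(image)
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "").lower()
        # svchost.exe belongs only in the Windows system directories.
        if name == "svchost.exe" and folder not in SVCHOST_DIRS:
            hits.append("svchost_unusual_path")
        # reg.exe writing under SafeBoot; read-only "query" is ignored.
        if (name == "reg.exe" and "\\safeboot" in cmd
                and REG_WRITE_VERBS & set(cmd.split())):
            hits.append("reg_safeboot_modification")
    elif event.get("EventID") == 11 and name in WINRM_HOSTS:
        target = event.get("TargetFilename", "").lower()
        if ntpath.splitext(target)[1] in RISKY_EXT:
            hits.append("winrm_file_drop")
    return hits

# Constructed sample events, not taken from a real intrusion.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": "svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine":
     r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ExampleSvc /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine":
     r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "TargetFilename": r"C:\ProgramData\update.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "TargetFilename": r"C:\Temp\session.log"},
]

def triage(events):
    """Return (index, hits) for every event that matched a rule."""
    return [(i, h) for i, e in enumerate(events) if (h := detect(e))]
```

In production these rules would be expressed in the SIEM or EDR query language and tuned against a baseline, since legitimate administration over WinRM can also write script files.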