BianLian continues to operate and expand its victim list while shifting its monetization from encrypting files to data-leak extortion, with tailored threats aimed at pressuring targets. The group maintains a Go-based backdoor for remote access and operates a rapidly evolving C2 infrastructure, increasingly leveraging leak-site disclosures to compel payments. #BianLian #AvastDecryptor
Key points
- The group shifted from encrypting data to data-leak extortion, promising not to leak after payment in some cases.
- BianLian continues to use the same tactics, techniques, and procedures for initial access and lateral movement, while maintaining a Go-based backdoor for remote access.
- Backdoor deployment is tightly coupled to the C2 infrastructure: the group brings about 30 new C2 servers online each month, and each server stays up for roughly two weeks on average.
- The Avast decryptor release prompted a strategic shift, with the group seeking payment in exchange for silence and reputational protection.
- The threat actors increasingly post masked victim details on their leak site to pressure targets, often within a short window after compromise (sometimes less than 48 hours).
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The group maintains a Go-based backdoor to provide remote access to compromised networks. Quote: ‘custom backdoor, written in Go, which provides another means of remote access to a compromised network.’
- [T1021] Remote Services – They perform initial access and lateral movement within a victim’s network. Quote: ‘to perform their initial access and lateral movement within a victim’s network.’
- [T1071] Web Protocols (C2) – Their backdoor is tightly coupled with a growing number of C2 servers, enabling command and control. Quote: ‘bring close to 30 new C2 servers online each month.’
- [T1566] Phishing or Extortion-related Tactics – The shift to data-leak extortion and tailored threats to compel payment aligns with extortion-focused techniques. Quote: ‘data-leak extortion as a means to extract payments from victims…’
- [T1041] Exfiltration Over C2 – Masked victim details are posted to their leak site as a data-exfiltration/pressure tactic. Quote: ‘posting of masked victim details to their leak site.’
- [T1486] Data Encrypted for Impact (historical context) – Historically tied to encrypting files for impact; current reporting notes a decrease in encryption in favor of extortion. Quote: ‘Rather than follow the typical double-extortion model of encrypting files and threatening to leak data…’
Indicators of Compromise
- [File Hashes] Backdoors – 076e59781d0759de35022291c3d63bbf4227bd79561d80f52c9073a6278c5077, 0772fb1102685def711ffe647080e1a9b6597fe60e8f1afe7b457ac97c6ac25e and 2 more hashes
- [File Hashes] Encryptors – 117a057829cd9abb5fba20d3ab479fc92ed64c647fdc1b7cd4e0f44609d770ea, 3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f
- [IP] Active IPs – 104.223.0[.]85, 104.234.118[.]129, and 2 more
- [IP] Historical C2s – 102.129.214[.]35, 103.199.17[.]27
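The indicators above are published defanged (`[.]` in place of `.`), so they cannot be matched against logs as written. The following script is an added example, not code from the Redacted post or from BianLian tooling: it refangs and validates the hashes and IPs listed on this page, then sweeps constructed firewall and EDR log lines for them, keeping the page's distinction between active and historical C2 addresses. The log lines, the `load_indicators`/`scan_log` names and the categories are assumptions made for the example.

```python
import ipaddress
import re

# Indicators copied from the summary above; IPs are defanged with "[.]" as on the page.
# Categories mirror the page's labels (backdoor / encryptor / active vs historical C2).
RAW_INDICATORS = {
    "076e59781d0759de35022291c3d63bbf4227bd79561d80f52c9073a6278c5077": "backdoor",
    "0772fb1102685def711ffe647080e1a9b6597fe60e8f1afe7b457ac97c6ac25e": "backdoor",
    "117a057829cd9abb5fba20d3ab479fc92ed64c647fdc1b7cd4e0f44609d770ea": "encryptor",
    "3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f": "encryptor",
    "104.223.0[.]85": "c2-active",
    "104.234.118[.]129": "c2-active",
    "102.129.214[.]35": "c2-historical",
    "103.199.17[.]27": "c2-historical",
}

# Word boundaries keep "104.223.0.85" from matching inside a longer run of digits.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def refang(ioc: str) -> str:
    """Reverse the usual defanging conventions so the value can be matched literally."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def load_indicators(raw: dict) -> dict:
    """Refang and validate every indicator; returns {matchable_value: category}."""
    table = {}
    for ioc, category in raw.items():
        value = refang(ioc)
        if category.startswith("c2"):
            ipaddress.ip_address(value)  # raises ValueError on a malformed address
        elif not SHA256_RE.fullmatch(value):
            raise ValueError(f"not a SHA-256 hash: {ioc}")
        table[value] = category
    return table


def scan_log(lines, table: dict) -> list:
    """Return (line_number, indicator, category) for each line carrying a known indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        # Hashes are compared case-insensitively; EDR feeds often emit them upper-case.
        candidates = IPV4_RE.findall(line) + [h.lower() for h in SHA256_RE.findall(line)]
        for value in candidates:
            if value in table:
                hits.append((number, value, table[value]))
    return hits


# Constructed sample log lines (not from the page): a firewall feed plus an EDR hash feed.
SAMPLE_LOG = [
    "2024-01-10T08:12:03Z fw allow src=10.0.4.21 dst=104.223.0.85 dport=443",
    "2024-01-10T08:12:09Z fw allow src=10.0.4.21 dst=142.250.80.46 dport=443",
    "2024-01-10T08:15:41Z edr process=svchost.exe sha256=0772FB1102685DEF711FFE647080E1A9B6597FE60E8F1AFE7B457AC97C6AC25E",
    "2024-01-10T08:16:02Z fw allow src=10.0.4.22 dst=104.223.0.850 dport=443",
    "2024-01-10T08:20:15Z fw allow src=10.0.4.23 dst=103.199.17.27 dport=443",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_indicators(RAW_INDICATORS)):
        print(hit)
```

Validating at load time matters because a single typo in a refanged address would otherwise silently never match; keeping the historical C2s as a separate category lets a hit on one of them be triaged as "stale infrastructure, check the date" rather than as an active beacon. Given the two-week C2 lifespan noted above, the address list should be refreshed from the source post rather than treated as static.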
Read more: https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/