BianLian Ransomware Evolves into Pure Data Exfiltration-Focused Group
BianLian ransomware, an open-source ransomware first observed in July 2022, has shifted to a new operational tactic in the past few months. It is moving away from encryption and instead pressuring victims with the legal and regulatory risks they may face if their stolen data is leaked.

More about encryption-less extortion

Cybersecurity company Redacted has revealed that while BianLian operators are using almost the same tactics for initial access and lateral movement, the group has now adopted encryption-less extortion.
  • Instead of encrypting the data, the group simply steals it and posts masked samples of it on its leak site.
  • It threatens the victim organization with the legal issues, penalties, and reputational damage it may face once its data is leaked.
  • In several cases, the legal references used were specifically applicable to the victim, suggesting that the group researches each target thoroughly to maximize its chance of a large payout.

One possible reason behind this shift could be the release of a decryption tool by Avast in January, which allowed victims to break BianLian’s encryption without paying the ransom.

Supporting statistics

  • Between July 2022 and January 2023, BianLian operators posted masked details of just 14 victims, accounting for 16% of victims.
  • However, between January and March, the group has already posted masked details of 22 victims, accounting for 53% of its postings.
  • On average, it posts the masked data on the extortion sites within 48 hours of the breach and gives the victims around 10 days to make the payment.

Victimology

As of March 13, the group has posted the details of 118 victim organizations on its leak site.
  • The majority of its victims are from the U.S. (71%), followed by the U.K. (11%), Australia (7%), India (6%), and Canada (5%).
  • Other targets are located in Sweden, France, Austria, Turkey, Spain, Germany, Switzerland, Indonesia, and Cyprus.
  • By industry vertical, the majority of victims are from the healthcare sector (14%), followed by education (11%), engineering (11%), and IT (9%).

Concluding notes

In the past, several threat groups such as RansomHouse and Karakurt have been observed running their ransom operations on pure data extortion threats. However, BianLian is taking this tactic to the next level by posting masked data on leak sites and taking the time to research regional laws and regulations. Although the impact of such attacks depends on the sensitivity of the data involved, organizations are advised to be especially careful with their sensitive data.
Cyware Publisher