BIANLIAN

RANSOMWARE

BIANLIAN is a sophisticated ransomware group that primarily targets large enterprises and critical infrastructure sectors such as healthcare and finance. The group's initial access method often involves exploiting vulnerabilities in network services, particularly through remote code execution (RCE) attacks on unpatched software or outdated systems. Once inside the network, BIANLIAN employs double extortion tactics by exfiltrating sensitive data before encrypting files to maximize leverage over their victims. This approach is distinctive due to its focus on extensive reconnaissance and lateral movement within a compromised environment, using techniques such as masquerading and virtualization evasion to avoid detection.

Technically, BIANLIAN demonstrates advanced capabilities through the exploitation of high-severity vulnerabilities, with a particular emphasis on critical CVEs that allow for remote code execution. The group's use of tools like Impacket and PsExec indicates a level of technical sophistication in lateral movement and maintaining persistence within networks. Defenders should prioritize patch management to address known vulnerabilities, especially those related to RCE attacks. Additionally, implementing robust network segmentation can hinder the group’s ability to move laterally once inside an organization, thereby reducing the impact of their extortion tactics.

CISA Intelligence #StopRansomware

#StopRansomware: BianLian Ransomware Group · 2024-11-20

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ASD’S ACSC investigations.

(New, November 20, 2024) The reporting agencies are aware of multiple ransomware groups, like BianLian, that seek to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group, likely based in Russia, with multiple Russia-based affiliates.

(Updated, November 20, 2024) BianLian group actors have affected organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian then extorts money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, they shifted primarily to exfiltration-based extortion around January 2023 and shifted to exclusively exfiltration-based extortion around January 2024.

Predicted CVEs (100) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2020-0796 CRITICAL Microsoft Windows 10 Version 1903 for 32-bit Systems predicted 10.0 CVE-2020-0796 CRITICAL Microsoft Windows 10 Version 1903 for 32-bit Systems predicted 10.0 CVE-2020-1350 CRITICAL Microsoft Windows Server predicted 10.0 CVE-2026-20963 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2020-0646 CRITICAL Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 predicted 9.8 CVE-2021-38647 CRITICAL Microsoft Open Management Infrastructure predicted 9.8 CVE-2021-31166 CRITICAL Microsoft Windows 10 Version 2004 predicted 9.8 CVE-2024-49035 CRITICAL Microsoft Partner Center predicted 9.8 CVE-2025-24989 CRITICAL Microsoft Power Pages predicted 9.8 CVE-2023-29357 CRITICAL Microsoft SharePoint Server 2019 predicted 9.8 CVE-2023-23397 CRITICAL Microsoft Office LTSC 2021 predicted 9.8 CVE-2026-41089 CRITICAL Microsoft Windows Server 2012 predicted 9.8 CVE-2021-38647 CRITICAL Microsoft Open Management Infrastructure predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2024-43468 CRITICAL Microsoft Configuration Manager predicted 9.8 CVE-2024-21413 CRITICAL Microsoft Office 2019 predicted 9.8 CVE-2024-21410 CRITICAL Microsoft Exchange Server 2016 Cumulative Update 23 predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2023-29357 CRITICAL Microsoft SharePoint Server 2019 predicted 9.8 CVE-2025-59287 CRITICAL Microsoft Windows Server 2012 predicted 9.8 CVE-2021-34473 CRITICAL Microsoft Exchange Server 2013 Cumulative Update 23 high 9.1 CVE-2021-26855 CRITICAL Microsoft Exchange Server 2016 Cumulative Update 19 predicted 9.1 CVE-2021-34473 CRITICAL Microsoft Exchange Server 2013 Cumulative Update 23 predicted 9.1 CVE-2020-1040 CRITICAL Microsoft Windows Server predicted 9.0 CVE-2022-41080 HIGH Microsoft Exchange Server 2016 Cumulative Update 23 predicted 8.8 CVE-2023-32049 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2023-21529 HIGH Microsoft Exchange Server 2019 Cumulative Update 12 predicted 8.8 CVE-2022-26923 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2022-41080 HIGH Microsoft Exchange Server 2016 Cumulative Update 23 predicted 8.8 CVE-2022-41128 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2024-30040 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2025-33053 HIGH Microsoft Windows 10 Version 1507 predicted 8.8 CVE-2024-38189 HIGH Microsoft Office 2019 predicted 8.8 CVE-2024-29988 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2023-21529 HIGH Microsoft Exchange Server 2019 Cumulative Update 12 predicted 8.8 CVE-2024-43461 HIGH Microsoft Windows 11 Version 24H2 predicted 8.8 CVE-2025-33073 HIGH Microsoft Windows 10 Version 1507 predicted 8.8 CVE-2021-42321 HIGH Microsoft Exchange Server 2016 Cumulative Update 21 predicted 8.8 CVE-2020-0618 HIGH Microsoft SQL Server predicted 8.8 CVE-2026-21510 HIGH Microsoft Windows 10 Version 1607 predicted 8.8 CVE-2026-45659 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2020-1020 HIGH Microsoft Windows predicted 8.8 CVE-2021-27085 HIGH Microsoft Internet Explorer 11 predicted 8.8 CVE-2021-34527 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2021-42321 HIGH Microsoft Exchange Server 2016 Cumulative Update 21 predicted 8.8 CVE-2020-0688 HIGH Microsoft Exchange Server 2013 predicted 8.8 CVE-2023-35311 HIGH Microsoft 365 Apps for Enterprise predicted 8.8 CVE-2022-41040 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.8 CVE-2026-21513 HIGH Microsoft Windows 10 Version 1607 predicted 8.8 CVE-2023-36025 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2020-17144 HIGH Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31 predicted 8.4 CVE-2024-21412 HIGH Microsoft Windows 11 version 21H2 predicted 8.1 CVE-2024-43573 HIGH Microsoft Windows 10 Version 22H2 predicted 8.1 CVE-2020-0601 HIGH Microsoft Windows predicted 8.1 CVE-2024-21412 HIGH Microsoft Windows 11 version 21H2 predicted 8.1 CVE-2022-41082 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.0 CVE-2022-41082 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.0 CVE-2024-26169 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2023-28252 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2021-1675 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2020-0787 HIGH Microsoft Windows predicted 7.8 CVE-2022-30190 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2024-21351 HIGH Microsoft Windows 11 Version 23H2 predicted 7.6 CVE-2021-27059 HIGH Microsoft Office 2016 predicted 7.6 CVE-2023-38180 HIGH Microsoft ASP.NET Core 2.1 predicted 7.5 CVE-2021-42287 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2021-33742 HIGH Microsoft Windows 10 Version 1809 predicted 7.5 CVE-2021-36942 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2023-36884 HIGH Microsoft Windows 10 Version 1809 predicted 7.5 CVE-2024-38112 HIGH Microsoft Windows 10 Version 22H2 predicted 7.5 CVE-2024-29059 HIGH Microsoft .NET Framework 4.8 predicted 7.5 CVE-2025-30397 HIGH Microsoft Windows 10 Version 1507 predicted 7.5 CVE-2020-0968 HIGH Microsoft Internet Explorer 9 predicted 7.5 CVE-2021-36942 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2023-36884 HIGH Microsoft Windows 10 Version 1809 predicted 7.5 CVE-2021-42278 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2021-42287 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2021-33766 HIGH Microsoft Exchange Server 2019 Cumulative Update 9 predicted 7.3 CVE-2023-24955 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2023-24955 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2021-31196 HIGH Microsoft Exchange Server 2019 Cumulative Update 9 predicted 7.2 CVE-2024-38094 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2024-38094 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2021-43890 HIGH Microsoft App Installer predicted 7.1 CVE-2021-43890 HIGH Microsoft App Installer predicted 7.1 CVE-2021-34448 MEDIUM Microsoft Windows 10 Version 1809 predicted 6.8 CVE-2021-31207 MEDIUM Microsoft Exchange Server 2013 Cumulative Update 23 high 6.6 CVE-2021-31207 MEDIUM Microsoft Exchange Server 2013 Cumulative Update 23 predicted 6.6 CVE-2024-38213 MEDIUM Microsoft Windows 10 Version 1809 predicted 6.5 CVE-2023-36761 MEDIUM Microsoft Office 2019 predicted 6.5 CVE-2025-49706 MEDIUM Microsoft SharePoint Enterprise Server 2016 predicted 6.5 CVE-2026-32201 MEDIUM Microsoft SharePoint Enterprise Server 2016 predicted 6.5 CVE-2025-49706 MEDIUM Microsoft SharePoint Enterprise Server 2016 predicted 6.5 CVE-2024-43451 MEDIUM Microsoft Windows Server 2025 predicted 6.5 CVE-2026-42897 MEDIUM Microsoft Exchange Server 2016 Cumulative Update 23 predicted 6.1 CVE-2022-26925 MEDIUM Microsoft Windows 10 Version 1809 predicted 5.9 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 predicted 5.5 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 high 5.5

ATT&CK Techniques (11)

T1059 Command and Scripting Interpreter Execution T1204 User Execution Execution T1027.002 Software Packing Defense Evasion T1036 Masquerading Defense Evasion T1497 Virtualization/Sandbox Evasion Defense Evasion T1082 System Information Discovery Discovery T1083 File and Directory Discovery Discovery T1120 Peripheral Device Discovery Discovery T1518.001 Security Software Discovery Discovery T1091 Replication Through Removable Media Lateral Movement T1486 Data Encrypted for Impact Impact