
Updated Response to CISA Advisory (AA23-136A): #StopRansomware: BianLian Ransomware Group
On May 16, 2023, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory (CSA) disseminating known BianLian ransomware and data extortion group techniques. This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors. This advisory was updated on November 20, 2024, with additional tactics, techniques, and procedures (TTPs).
BianLian is a sophisticated ransomware group that has affected multiple organizations in U.S. critical infrastructure sectors since June 2022. BianLian originally employed double extortion tactics, where the attackers not only encrypted data but also exfiltrated it, threatening to release sensitive information if the ransom was not paid. Around January 2023, they shifted to primarily data theft extortion.
The ransomware employs strong encryption methods such as RSA combined with AES-256 in CBC mode, making file recovery challenging without decryption keys.
AttackIQ has released an updated attack graph to include these new behaviors exhibited by BianLian to help customers validate their security controls and their ability to defend against this determined adversary.
Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against baseline behaviors associated with BianLian ransomware.
- Assess their security posture against an adversary that continues to evolve.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.
[CISA AA23-136A] #StopRansomware: BianLian Ransomware Group
This attack graph emulates the various Tactics, Techniques and Procedures (TTPs) exhibited by BianLian ransomware during recent activities.
This emulation is based on the Cybersecurity Advisory (CSA) released by CISA and supported by one additional report published by Palo Alto. The advisory was updated on November 20, 2024, with additional Tactics, Techniques, and Procedures (TTPs). To reflect changes from the previous version of the attack graph, newly added scenarios are marked with “Updated!” in front of them for easy identification.
This attack graph emulates the full kill chain of a BianLian adversary, focusing on data exfiltration and the encryption of sensitive files. The attack begins with a custom backdoor, tailored to each victim, to establish foothold and persistence. This is followed by an extensive discovery routine to gather critical information about users, systems, networks, and domain accounts. Lateral movement and data exfiltration are facilitated by exploiting credentials and accessing network resources. The attack concludes with a bespoke encryptor, designed to encrypt targeted files on compromised systems.
Initial Access & Execution – Malware Delivery
This stage consists of the initial access and delivery of BianLian’s custom backdoor and its associated Dynamic Link Library (DLL) to the system. The execution of this DLL is emulated via the native Rundll32 Windows utility.
Ingress Tool Transfer (T1105): Two separate scenarios download the sample to memory and save it to disk, testing network and endpoint controls and their ability to prevent the delivery of known malicious content.
System Binary Proxy Execution: Rundll32 (T1218.011): This scenario executes an exported function from a specific DLL using the rundll32.exe Windows utility.
Persistence & Defense Evasion – Enable Remote Desktop
In this stage, persistence is established by creating a Scheduled Task using a task name that attempts to blend in with other legitimate tasks. Then, a local account is created and added to the local group “Remote Desktop Users”, which is a built-in group in Windows that grants its members the permissions needed to establish remote desktop sessions. Additionally, defense evasion techniques take place to bypass the system firewall and enable the Remote Desktop and the Remote Assistance feature.
Updated! Masquerading: Rename System Utilities (T1036.003): This scenario copies powershell.exe, renames it to notepad.exe to bypass detection, and then executes the whoami command.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario attempts to create a new scheduled task for persistence using the schtasks utility.
Create Account: Local Account (T1136.001): This scenario attempts to create a new user on the system with the net user Windows command.
Account Manipulation (T1098): This scenario adds a local user to the local Administrators group using the net localgroup command.
Impair Defenses: Disable or Modify System Firewall (T1562.004): Remote Desktop may not be enabled by default through the local system firewall. Threat actors can create new firewall rules to open ports for local and remote access using the netsh advfirewall utility. This scenario opens local port 3389 for inbound access.
Modify Registry (T1112): This scenario modifies the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication to disable Network Layer Authentication (NLA) for Remote Desktop connections. This technique allows the threat actor to establish an RDP session to the remote system and reach the login screen prior to supplying any credentials.
Modify Registry (T1112): This scenario modifies the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance\fAllowToGetHelp to enable Remote Assistance, allowing external users to request control of the system.
Discovery – Account and Domain Discovery
This stage focuses on account discovery, gathering a wide range of information. It begins by identifying users logged onto the system using query user and whoami commands. The net user command is then executed to list available accounts on the system. Additionally, the net group command is used to list domain administrator accounts and uncover additional hosts. Finally, nltest is leveraged to gather a full list of domain trust relationships as well as to enumerate domain controllers.
System Owner/User Discovery (T1033): This scenario executes a batch script with the query user and whoami commands to retrieve information about users logged on to the system.
Updated! Account Discovery: Local Account (T1087.001): This scenario executes the native net user Windows command to enumerate available accounts on the system.
Account Discovery: Domain Account (T1087.002): This scenario executes the net group command to list domain administrator accounts.
Remote System Discovery (T1018): This scenario executes the net group "Domain Computers" /domain command to gather additional hosts available to the infected asset.
Domain Trust Discovery (T1482): This scenario executes the command nltest /trusted_domains to obtain domain trust relationships, which allow a domain to access resources based on another domain’s authentication procedures.
Domain Trust Discovery (T1482): This scenario executes the command nltest /dclist to enumerate domain controllers in a specified domain.
Discovery – Network and File Discovery
This stage focuses on identifying additional remote systems and files of interest. The local network is scanned for remotely accessible systems and Server Message Block (SMB) shares. A BianLian support file is then downloaded and saved to the system to enumerate the files present in the compromised environment.
Remote System Discovery (T1018): This scenario performs a scan of the local network searching for any remotely accessible systems with ports 139, 389, 445, 636, or 3389 open.
Network Share Discovery (T1135): This scenario executes the Get-SmbShare cmdlet to retrieve Server Message Block (SMB) shares on a compromised host.
File and Directory Discovery (T1083): This scenario executes the native dir command to discover files and directories and writes the output to a temporary file.
Credential Access & Lateral Movement – Accessing Additional Targets
This stage focuses on broadening access within the environment by dumping credentials and moving laterally. The process begins with searching for plaintext passwords on specific folders, followed by dumping the SAM hive and targeting the LSASS process for credentials. Exfiltrated data is then used to extract or crack credentials that could be used to access additional hosts. Lateral movement is then performed via Remote Desktop Protocol (RDP), and files of interest are exfiltrated through File Transfer Protocol (FTP).
Unsecured Credentials: Credentials In Files (T1552.001): This scenario uses the findstr command inside the ‘Documents’ and ‘Desktop’ folders to find plain text passwords.
Updated! OS Credential Dumping: Security Account Manager (T1003.002): This scenario attempts to save a copy of the HKLM\SAM registry hive to a temporary file by executing the native Windows reg save command.
OS Credential Dumping: LSASS Memory (T1003.001): This scenario dumps the Windows Local Security Authority Subsystem Service (LSASS) process memory to a Minidump file using the native Windows comsvcs.dll library. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario compresses an LSASS minidump file and exfiltrates it in unencrypted HTTP traffic to an AttackIQ-controlled server.
Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP).
Automated Collection (T1119): This scenario simulates the behavior of collecting files with specific extensions or from specified folders.
Exfiltration Over Alternative Protocol (T1048): This scenario will start an FTP connection against an AttackIQ server to emulate the exfiltration of sensitive information from the compromised system.
Command and Control & Persistence – BianLian Ransomware Deployment
This stage involves downloading and saving the BianLian encryptor to the system. Initial sandbox detection is performed using the IsDebuggerPresent Windows native API. The stage concludes with achieving persistence through Registry Run keys.
Updated! Virtualization/Sandbox Evasion (T1497): This scenario calls the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
Updated! Boot or Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario acquires persistence by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key, which Windows uses to identify what applications should be run at system startup.
Discovery & Impact – BianLian Ransomware File Encryption
This stage focuses on the collection of system information in preparation for file encryption. To do so, information regarding the system’s architecture, location, available storage devices and file system structure will be gathered. Finally, files matching specific extensions are encrypted using a combination of RSA and AES-256 in CBC mode.
Updated! System Location Discovery (T1614): This scenario executes the GetUserDefaultLCID Windows API call to retrieve the user default locale ID from the local system.
Updated! System Location Discovery (T1614): This scenario executes the GetLocaleInfoA Windows API to retrieve the user default country locale code from the local computer.
Updated! System Information Discovery (T1082): This scenario calls the GetSystemInfo native API function to retrieve system hardware information. This can be used to detect sandboxes, create unique identifiers, and adjust execution behaviors.
Updated! Peripheral Device Discovery (T1120): This scenario retrieves information about the system’s physical disks using the GetDriveTypeW API call.
Updated! File and Directory Discovery (T1083): This scenario calls the FindFirstFileW and FindNextFileW Windows APIs to enumerate the file system.
Updated! Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by BianLian ransomware.
Opportunities to Expand Emulation Capabilities
In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.
Clipboard Data Script: This scenario executes a PowerShell script with the Get-Clipboard cmdlet to copy the data stored in the clipboard.
Lateral Movement Through PAExec: This scenario executes PAExec, an open-source version of PsExec, to simulate lateral movement through the network.
Dump Active Directory Database using ntdsutil.exe: This scenario leverages the ntdsutil.exe Windows built-in tool to access or create a copy of the Active Directory domain database, which can be used to steal credential information and obtain details about domain members such as devices, users, and access rights.
Create Azure User: This scenario creates a new user in the target Azure Active Directory (AD) using the Microsoft Graph API.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.
2. Data Encrypted for Impact (T1486)
Preventing systems and files from being encrypted should be a top priority. Ensuring that you have layered endpoint defenses including Antivirus and EDR solutions is critical.
2a. Detection
Ransomware attacks are best prevented and alerted on by your EDR/AV policies. Typically, a ransomware protection configuration is offered, and we strongly encourage enabling it in your security controls.
There are three telling signs of ransomware activity in an environment that you can query for and, if your security controls allow, turn into preventative detections: deletion of shadow volumes, suspicious amounts of exfiltrated data, and, of course, widespread file encryption.
Detecting deletion of shadow volumes is usually the first step that occurs and can be detected by looking at command line activity:
Via vssadmin.exe:
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)
Via PowerShell:
Process Name == powershell.exe
Command Line == “Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }”
Detecting suspicious Data Exfiltration:
Detecting exfiltration is well suited to IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files, or a large amount of web traffic, are sent to a rare external IP, this should be detected or prevented depending on the security policies of the control. Historical NetFlow data logging can also surface hosts that are experiencing uncommon peaks in outgoing traffic.
Detecting Ransomware-like File Encryption:
Utilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Looking for excessive file modifications (more than 1000 on a single system) within less than a minute is a good starting indicator.
To increase fidelity, you can additionally match the extensions of the modified files against popular ransomware extensions such as .conti, .Locky, .Ryuk, etc. If possible, with a SOAR or preventative EDR platform, we recommend configuring these detections to kill all processes involved in creating the alert, as that will most likely stop the spread of the ransomware.
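As an added example (not part of the original post or of the AttackIQ platform), the following Python sketch applies the rate-based rule above to constructed file-modification telemetry: it alerts when a host exceeds 1000 modifications inside any sliding 60-second window and counts writes to the ransomware extensions listed, so a slow backup job touching more files overall does not trip it. The event fields, hostnames and paths are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # "within less than a minute"
THRESHOLD = 1000                 # "greater than 1000 on a system"
RANSOM_EXTENSIONS = {".conti", ".locky", ".ryuk"}   # extensions named in the text


def detect_encryption_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """events: iterable of (timestamp, host, path) sorted by timestamp.

    Returns {host: (first_alert_time, ransomware_extension_count)} for every host
    on which more than `threshold` modifications fall inside one sliding `window`.
    """
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    ext_hits = defaultdict(int)   # host -> files written with a known ransomware extension
    alerts = {}
    for ts, host, path in events:
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:     # evict modifications older than the window
            q.popleft()
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in RANSOM_EXTENSIONS:
            ext_hits[host] += 1
        if len(q) > threshold and host not in alerts:
            alerts[host] = ts
    return {h: (t, ext_hits[h]) for h, t in alerts.items()}


def synthetic_events():
    """Constructed telemetry: fs01 is being encrypted, bk01 runs a slow backup job."""
    t0 = datetime(2025, 1, 16, 9, 0, 0)
    ev = []
    # fs01: 1200 documents rewritten in 30 seconds and renamed with a known extension
    for i in range(1200):
        ev.append((t0 + timedelta(milliseconds=25 * i), "fs01", f"D:\\share\\doc{i}.docx.ryuk"))
    # bk01: 1500 files touched over 10 minutes (2.5 per second), never 1000 in one minute
    for i in range(1500):
        ev.append((t0 + timedelta(milliseconds=400 * i), "bk01", f"E:\\backup\\file{i}.bak"))
    ev.sort(key=lambda e: e[0])
    return ev


if __name__ == "__main__":
    for host, (first_seen, ext_count) in detect_encryption_bursts(synthetic_events()).items():
        print(f"ALERT {host}: burst at {first_seen:%H:%M:%S}, {ext_count} ransomware-extension writes")
```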
2b. Mitigation
MITRE ATT&CK recommends the following mitigations:
3. Scheduled Task/Job: Scheduled Task (T1053.005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.
3a. Detection
With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task:
Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))
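The scheduled-task rule above and the shadow-copy rules in section 2a, expressed as runnable detection logic over constructed process-creation events (an added example, not code from the original post); the event schema, hostnames and sample command lines are assumptions. The schtasks rule goes slightly beyond the text by inspecting the /tr task action, so that a parent cmd.exe does not satisfy the “cmd” clause by itself.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed shape, not a vendor schema)."""
    host: str
    process_name: str
    command_line: str


SHELLS = ("cmd.exe", "powershell.exe")
# Whitespace-tolerant form of the WMI shadow-copy deletion one-liner.
WMI_SHADOW_DELETE = re.compile(
    r"get-wmiobject\s+win32_shadowcopy\s*\|\s*foreach-object\s*\{\s*\$_\.delete\(\)\s*;?\s*\}")


def shadow_copy_deletion(ev: ProcessEvent) -> bool:
    """Shadow volume deletion via vssadmin.exe, or via WMI from PowerShell."""
    proc, cl = ev.process_name.lower(), ev.command_line.lower()
    if proc in SHELLS and "vssadmin" in cl and "delete shadows" in cl:
        return True
    return proc == "powershell.exe" and WMI_SHADOW_DELETE.search(cl) is not None


def scheduled_task_creation(ev: ProcessEvent) -> bool:
    """schtasks /create whose task action (/tr) launches cmd or powershell."""
    proc, cl = ev.process_name.lower(), ev.command_line.lower()
    if proc not in SHELLS or "schtasks" not in cl or "/create" not in cl:
        return False
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cl)   # quoted or bare /tr value
    action = "" if m is None else (m.group(1) if m.group(1) is not None else m.group(2))
    return "cmd" in action or "powershell" in action


RULES = {"shadow_copy_deletion": shadow_copy_deletion,
         "scheduled_task_creation": scheduled_task_creation}


def evaluate(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    return [(ev.host, name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events: two shadow deletions, one persistence task, two benign.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent("ws02", "powershell.exe",
                 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }"'),
    ProcessEvent("ws03", "cmd.exe",
                 'cmd.exe /c schtasks /create /tn "Windows Update Check" /tr "powershell.exe -File C:\\Users\\Public\\update.ps1" /sc onlogon'),
    ProcessEvent("ws04", "cmd.exe", "cmd.exe /c vssadmin list shadows"),
    ProcessEvent("ws05", "cmd.exe", "cmd.exe /c schtasks /query /fo list"),
]

if __name__ == "__main__":
    for host, rule in evaluate(SAMPLE_EVENTS):
        print(f"ALERT host={host} rule={rule}")
```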
3b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
4. Command and Scripting Interpreter: PowerShell (T1059.001)
This actor heavily utilizes PowerShell scripts and built-in PowerShell cmdlets to complete their discovery objectives and interact with Active Directory.
4a. Detection
Enabling PowerShell script logging is critical to being able to track how PowerShell is being used in your environment. Many actors will obfuscate their code to make it more difficult to detect.
Resources for Enabling PowerShell Logging:
4b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
Wrap Up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by BianLian Ransomware. With data generated from continuous testing and the use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.
This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2025/01/16/updated-response-to-cisa-advisory-aa23-136a/