The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) have jointly released a Cybersecurity Advisory (CSA) on the BianLian ransomware group. The advisory shares the group's indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) as identified through FBI and ACSC investigations as of March 2023. It is part of CISA's "Shields Up" and the ongoing #StopRansomware campaigns, which publish CSAs on persistent ransomware actors, detailing the ransomware variants and threat vectors involved.
The average cost of a ransomware attack is $4.54 million, according to IBM
The advisory's review of the group's recent tactics and techniques found that BianLian has changed how it extorts victims. Rather than encrypting systems for ransom, it now uses backdoor channels to control systems remotely and steal data, an approach that gives antivirus software far less to detect than a mass-encryption event.
What is BianLian Ransomware Group?
As per the CSA, BianLian is a ransomware developer, deployer and data extortion cybercriminal group. It has been actively extorting data since June 2022 from organizations across the US and Australia, targeting US critical infrastructure sectors as well as professional services and property development.
Since January 2023 the group has changed its tactics and tempo, shifting to exfiltration-based data extortion. It is a difficult adversary to monitor and stop: it keeps ahead of the organizations watching it by targeting weaknesses in existing IT environments, and the spread of remote device management and shadow IT gives it plenty of exposed entry points to choose from.
Last year, President Biden issued a statement emphasizing the role of the private sector in preventing attacks by ransomware groups on critical infrastructure. He asked private-sector companies "to lock their digital doors", as the Federal Government cannot defend against these threats alone.
Everyone needs to do their part in securing the critical infrastructures from threat agents such as the BianLian ransomware group. We are doing our part today.
We spoke to leading cybersecurity professionals about possible ways to stop the BianLian ransomware group. The speakers who participated in the discussion were:
- Laurie Mercer, Director of Security Engineering at HackerOne
- Randeep Gill, Principal Cybersecurity Strategy, Exabeam
- Arti Raman, CEO and founder, Titaniam
- Justin McCarthy, CTO and co-founder, StrongDM
- Aaron Sandeen, CEO and co-founder, Securin
Here is what each speaker had to say about the ransomware menace.
Adopt the Outsider Mindset to Beat Ransomware Groups at Their Own Game
Laurie Mercer, Director of Security Engineering at HackerOne
“Ransomware continues to be the most common ‘end game’ scenario, equating to almost three-quarters of all cyber attacks. In addition, unpatched vulnerabilities were the single most common access method. This is unsurprising when you consider that cybercriminals have CVE databases at their fingertips. Beyond known CVEs, organizations’ unknown assets have the potential to pose an even greater risk. One-third of organizations say they observe less than 75% of their attack surface. Where the unknown is so vast, it is no shock that ransomware is on the rise. A simple solution? Using cybercriminals’ own strengths against them to protect and patch vulnerabilities by adopting the outsider mindset.”
“In the case of both Vulnerability Disclosure Programs (VDPs) and Vulnerability Research Programs (VRPs), the outsider mindset is harnessed to complement organizations’ offensive security strategy. Ethical hackers are the best solution to match the ingenuity and inventiveness of cybercriminals, who have a multitude of resources and manpower to find vulnerabilities in your unknown assets.”
“Organizations should continuously evaluate and improve their security practices, keeping up with the latest threat intelligence, and investing in regular security assessments by skilled security professionals, testers and hackers. Where cybercriminals look for ways onto your system without your permission, businesses that allow ethical hackers to access their systems will ensure unknown entryways are blocked for good. Organizations need to understand that it is not a matter of ‘if’ but ‘when’ they will get attacked. The cost of ransomware is not limited to just the ransom alone but also downtime, reputational damage and profit loss. Therefore, prior investment in VDPs and VRPs will save organizations time, money and reputation in the long run.”
Track Every Device, Every IT System to Avoid Security Incidents
Randeep Gill, Principal Cybersecurity Strategy, Exabeam
“There was a time when endpoint technology stood relatively strong in two key areas. On the one hand, the traditional anti-virus/malware agent served as a stand-alone protector against recognized threats by drawing attention to unusual activity and lowering noise. On the server side, endpoint technologies’ application control helped determine what should be running, how it should be running, and by whom.
Unfortunately, endpoint detection and response (EDR) solutions, which were initially designed to identify behavior and were utilized for forensic examination by analysts, also have a high susceptibility to exploitation themselves. If an adversary were to take advantage of an EDR tool, they would have access to a variety of an organization’s telemetry, including user and identity authentication, access to files, system variables and key business applications. All of which increases the scope through which ransomware can be deployed.
I want to remind enterprises to go beyond just EDR solutions to improve security posture and mitigate the risk of a ransomware attack. Security teams need complete and holistic visibility across any environment — which includes, but is not limited to, endpoint logs. In order to paint a full picture, CISOs and their security teams must be able to monitor user and device behavior across the whole network to distinguish between normal and anomalous behavior.”
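To make the monitoring point concrete, here is an added example (not code from Exabeam, the advisory or any speaker quoted on this page) of the baseline-and-deviation logic such cross-source visibility rests on: it learns each user's usual login sources, login hours and outbound data volume from earlier telemetry, then flags later events that break that user's own pattern. The pipe-delimited log format and the sample events are constructed for the example; real input would come from EDR, VPN/RDP and proxy logs.

```python
"""Per-user behavioural baseline with deviation alerts.

Added example, not code from the advisory or from any speaker quoted on the
page. The log format (pipe-delimited: timestamp|user|host|event|value) and
the sample events are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events. For "login" the value is the source IP;
# for "egress" it is bytes sent out of the network by that host.
SAMPLE_LOG = """\
2023-05-01T09:02:11|alice|ws-14|login|10.1.4.22
2023-05-01T09:05:00|alice|ws-14|egress|1200000
2023-05-01T09:30:00|bob|ws-21|login|10.1.4.40
2023-05-01T09:40:00|bob|ws-21|egress|500000
2023-05-02T08:58:40|alice|ws-14|login|10.1.4.22
2023-05-02T10:12:00|alice|ws-14|egress|900000
2023-05-02T09:31:00|bob|ws-21|login|10.1.4.40
2023-05-02T09:45:00|bob|ws-21|egress|600000
2023-05-03T09:10:05|alice|ws-14|login|10.1.4.22
2023-05-03T11:00:00|alice|ws-14|egress|1500000
2023-05-04T02:13:09|alice|ws-14|login|203.0.113.77
2023-05-04T02:20:00|alice|ws-14|egress|48000000000
2023-05-04T09:29:00|bob|ws-21|login|10.1.4.40
2023-05-04T09:50:00|bob|ws-21|egress|550000
"""


def parse(log_text):
    """Turn the pipe-delimited text into event dicts with parsed timestamps."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, host, kind, value = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "kind": kind, "value": value})
    return events


def build_baseline(events, cutoff):
    """Learn, per user, the source IPs, login hours and egress volumes seen
    before `cutoff`. Events at or after the cutoff are scored, not learned."""
    base = defaultdict(lambda: {"ips": set(), "hours": set(), "egress": []})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base[e["user"]]
        if e["kind"] == "login":
            b["ips"].add(e["value"])
            b["hours"].add(e["ts"].hour)
        elif e["kind"] == "egress":
            b["egress"].append(int(e["value"]))
    return dict(base)


def detect(events, baseline, cutoff, egress_factor=10):
    """Return (timestamp, user, reason) tuples for events that deviate from
    the user's own baseline. Three checks cover the exfiltration pattern:
    a login from a never-seen source, a login at an unusual hour, and an
    egress volume far above the user's typical volume."""
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        when, user = e["ts"].isoformat(), e["user"]
        b = baseline.get(user)
        if b is None:
            alerts.append((when, user, "no baseline for this user"))
            continue
        if e["kind"] == "login":
            if e["value"] not in b["ips"]:
                alerts.append((when, user, f"login from never-seen source {e['value']}"))
            if e["ts"].hour not in b["hours"]:
                alerts.append((when, user, f"login at unusual hour {e['ts'].hour:02d}:00"))
        elif e["kind"] == "egress" and b["egress"]:
            sent, typical = int(e["value"]), median(b["egress"])
            if sent > egress_factor * typical:
                alerts.append((when, user,
                               f"egress of {sent} bytes is {sent / typical:.0f}x the baseline median"))
    return alerts


def run(log_text=SAMPLE_LOG, cutoff=datetime(2023, 5, 4)):
    """Learn from everything before `cutoff`, score everything from it on."""
    events = parse(log_text)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run():
        print(*alert, sep="  ")
```

The thresholds (a 10x egress factor, an exact hour match) are deliberately blunt; in practice the baseline window spans weeks and the hour check tolerates neighbouring hours. The structure is the point: learn per identity, then score each identity against its own history, so that an off-hours login from a new source followed by bulk egress stands out even when each event alone looks like ordinary traffic.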
Make Data Protection A Priority
Arti Raman, CEO and founder, Titaniam
“We are starting to see ransomware groups make a switch from data encryption tactics to data extortion, and BianLian ransomware gang is only one example. With the FBI’s announcement, CISOs and cybersecurity professionals need to make data protection a priority and understand the changing security landscape. Ransomware groups like BianLian are no longer set on just stealing data. These groups have begun to target specific information, such as personally identifiable information (PII) and personal health information (PHI), and will leverage this information under threat of exposure. Organizations can no longer assume their defense will be enough to keep criminals outside of their networks. Instead, proactive data security solutions like encryption-in-use and tokenization can help to limit the blast radius of threat actor efforts by ensuring valuable data is unusable even in cases where it is stolen for purposes like extortion.”
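As an added illustration of the blast-radius argument (example code written for this page, not Titaniam's product or anything from the advisory), the following Python tokenization vault replaces PII/PHI fields with opaque tokens before they reach the application database, then simulates an attacker reading an exfiltrated copy of that database. The record layout, the sample patient rows and the vault design are constructed for the example.

```python
"""Tokenizing PII/PHI so a stolen application database carries nothing usable.

Added example, not code from Titaniam or from the advisory. The vault, the
record layout and the patient rows are constructed for the example; a
production vault would run as a separately secured service with its HMAC key
in an HSM or KMS rather than in process memory.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample rows of the kind extortion groups target.
PATIENTS = [
    {"id": 1, "name": "Ada Example", "ssn": "123-45-6789",
     "email": "ada@example.com", "diagnosis": "J45.20", "visit": "2023-05-02"},
    {"id": 2, "name": "Ben Example", "ssn": "987-65-4321",
     "email": "ben@example.com", "diagnosis": "E11.9", "visit": "2023-05-03"},
    {"id": 3, "name": "Ada Example", "ssn": "123-45-6789",
     "email": "ada@example.com", "diagnosis": "J45.20", "visit": "2023-05-04"},
]
SENSITIVE_FIELDS = ("name", "ssn", "email", "diagnosis")


class TokenVault:
    """Maps sensitive values to opaque tokens and back.

    Deterministic mode derives the token from HMAC(key, value), so equal values
    map to equal tokens and the application can still join or search on them.
    Random mode draws a fresh token every time, which hides even equality.
    Without the vault (key and store) a token reveals nothing: a keyed HMAC
    cannot be brute-forced over the small SSN space the way a plain hash could.
    """

    def __init__(self, key: bytes, deterministic: bool = True):
        self._key = key
        self._deterministic = deterministic
        self._store = {}  # token -> plaintext; the only place plaintext lives

    def tokenize(self, value: str) -> str:
        if self._deterministic:
            digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
            token = "tok_" + digest[:24]
        else:
            token = "tok_" + secrets.token_hex(12)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def protect_records(vault, rows, fields=SENSITIVE_FIELDS):
    """Return copies of `rows` with every sensitive field replaced by a token.
    This is what the application database (and its backups) would hold."""
    out = []
    for row in rows:
        safe = dict(row)
        for f in fields:
            safe[f] = vault.tokenize(str(row[f]))
        out.append(safe)
    return out


def exposure_check(stolen_blob: str, rows, fields=SENSITIVE_FIELDS):
    """Simulate the attacker reading an exfiltrated dump: which sensitive
    values appear verbatim in it? An empty list means nothing usable leaked."""
    leaked = []
    for row in rows:
        for f in fields:
            if str(row[f]) in stolen_blob:
                leaked.append((row["id"], f))
    return leaked


def demo(deterministic=True, rows=PATIENTS):
    """Protect the rows, 'steal' the protected table, and compare the leak
    against the control case of stealing the plaintext table."""
    vault = TokenVault(secrets.token_bytes(32), deterministic)
    protected = protect_records(vault, rows)
    leaked = exposure_check(json.dumps(protected), rows)   # tokenized dump
    control = exposure_check(json.dumps(rows), rows)       # plaintext dump
    return vault, protected, leaked, control


if __name__ == "__main__":
    vault, protected, leaked, control = demo()
    print(json.dumps(protected[0], indent=2))
    print("leaked from tokenized dump:", leaked)
    print("leaked from plaintext dump:", len(control), "values")
    print("authorised detokenize:", vault.detokenize(protected[0]["ssn"]))
```

Deterministic tokens preserve equality, which keeps joins and lookups working but lets an attacker count how often a token recurs; use random mode for fields that never need to be searched. The vault, not the application database, becomes the crown jewel and needs its own isolation, key management and access audit.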
Consider Deploying The Principle of Least Privilege (PoLP)
Justin McCarthy, CTO and co-founder, StrongDM
“We are constantly reminded of the importance of regularly examining identity and access management practices. After all, before ransomware can get disseminated, an adversary has to gain initial access into a network. With Verizon reporting that 61% of all security breaches involve the exploitation of credentials, and StrongDM reporting that 55% of organizations maintain backdoor access to infrastructure, it’s very likely a majority of ransomware incidents are spurred by poor access management practices.
As distributed as our world has become, it’s imperative that executives and IT teams consider applying the principle of least privilege (PoLP) and take a zero-standing privilege approach. Doing so ensures that credentials only exist in the moments they’re needed, that every action is secure and auditable, and that credentials are essentially removed from the equation entirely. By limiting access as much as possible, organizations will reduce their attack surface and help mitigate the risk of ransomware.”
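The zero-standing-privilege model described above, as an added example (written for this page, not StrongDM's code): an access broker that issues a fresh credential only for an approved, time-boxed grant, logs every decision with its justification, and lets an auditor list any grant that would amount to standing or backdoor access. The policy table, the resource names and the fixed clock are constructed assumptions.

```python
"""Zero-standing-privilege access broker: a credential exists only while an
approved, time-boxed grant is active, and every decision is logged.

Added example, not code from StrongDM or the advisory. The policy table, the
resource names and the fixed clock are constructed for the example; a real
broker would provision the short-lived credential on the target system (a
temporary database user, an SSH certificate) instead of holding it in memory.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hmac
import secrets

MAX_TTL = timedelta(hours=1)   # anything longer is treated as standing access


@dataclass
class Grant:
    user: str
    resource: str
    reason: str
    issued_at: datetime
    expires_at: datetime
    credential: str


class AccessBroker:
    def __init__(self, policy):
        # policy: user -> set of resources the user may *request* (never hold)
        self.policy = policy
        self.grants = {}    # (user, resource) -> Grant
        self.audit = []     # (time, user, resource, action, detail)

    def _log(self, now, user, resource, action, detail=""):
        self.audit.append((now.isoformat(), user, resource, action, detail))

    def request(self, user, resource, reason, now, ttl=timedelta(minutes=15)):
        """Issue a fresh short-lived credential, or refuse with a logged reason."""
        if resource not in self.policy.get(user, set()):
            self._log(now, user, resource, "deny", "not eligible under policy")
            raise PermissionError(f"{user} may not request {resource}")
        if ttl > MAX_TTL:
            self._log(now, user, resource, "deny", f"ttl {ttl} exceeds max {MAX_TTL}")
            raise ValueError("requested TTL would create standing access")
        if not reason.strip():
            self._log(now, user, resource, "deny", "no justification given")
            raise ValueError("a reason is required")
        grant = Grant(user, resource, reason, now, now + ttl, secrets.token_urlsafe(24))
        self.grants[(user, resource)] = grant
        self._log(now, user, resource, "grant", f"until {grant.expires_at.isoformat()}: {reason}")
        return grant

    def authorize(self, user, resource, credential, now):
        """Check a presented credential against the live grant, if any."""
        grant = self.grants.get((user, resource))
        if grant is None:
            self._log(now, user, resource, "deny", "no active grant")
            return False
        if now >= grant.expires_at:
            del self.grants[(user, resource)]     # expiry is the revocation
            self._log(now, user, resource, "deny", "grant expired")
            return False
        if not hmac.compare_digest(grant.credential, credential):
            self._log(now, user, resource, "deny", "credential mismatch")
            return False
        self._log(now, user, resource, "allow")
        return True

    def standing_access(self, now):
        """Audit helper: grants still valid further out than MAX_TTL, i.e. the
        backdoor-style access the passage above warns about."""
        return [g for g in self.grants.values() if g.expires_at - now > MAX_TTL]


def scenario():
    """Walk one engineer through grant, use, bad credential, expiry and replay,
    and show an ineligible user being refused. Fixed clock keeps it repeatable."""
    broker = AccessBroker({"alice": {"prod-db"}, "bob": set()})
    t0 = datetime(2023, 5, 16, 9, 0)
    grant = broker.request("alice", "prod-db", "change ticket 42: restore table", t0)
    results = {"standing_at_start": len(broker.standing_access(t0))}
    results["during"] = broker.authorize("alice", "prod-db", grant.credential, t0 + timedelta(minutes=5))
    results["wrong_cred"] = broker.authorize("alice", "prod-db", "guess", t0 + timedelta(minutes=6))
    results["after"] = broker.authorize("alice", "prod-db", grant.credential, t0 + timedelta(minutes=16))
    results["replay"] = broker.authorize("alice", "prod-db", grant.credential, t0 + timedelta(minutes=17))
    try:
        broker.request("bob", "prod-db", "curious", t0)
        results["bob"] = True
    except PermissionError:
        results["bob"] = False
    return broker, results


if __name__ == "__main__":
    broker, results = scenario()
    print(results)
    for entry in broker.audit:
        print(*entry, sep="  ")
```

Expiry doubles as revocation: nothing has to be cleaned up, because the credential is never valid outside the grant window, and the audit trail carries the justification with every issue, so a reviewer can reconstruct who held what, why, and for how long.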
Prevention Is the Ultimate Goal for a Proactive Cybersecurity Strategy
Aaron Sandeen, CEO and co-founder, Securin
“This is just another reminder of the looming threat of ransomware and how enterprise leaders need to be aware of cyber threats to keep their business safe. Ransomware attacks have continued to terrorize enterprises since the 2017 WannaCry attacks by the Lazarus group. In 2022 alone, IBM reported an average ransom payment of $812,360, with the total cost of a ransomware attack on an enterprise being $4.5 million on average.
To combat this ever-present threat, organizations need to prioritize the detection and prevention of threats over recovery. Implementing strong security measures across the board, from patching software to employee training, all play a pivotal role in ensuring a strong security posture. Enterprises can eventually recover from a ransomware attack, however, prevention is the ultimate goal for a proactive cybersecurity strategy.”
Adopting a zero-trust strategy addresses many of the problems IT organizations face in their operations. A sound cybersecurity strategy depends on who you trust in the organization and what access you have granted them. In an enterprise whose technology is spread across many departments and regions, tracking every device and tool can overwhelm a CIO or CISO; that is why endpoint security built on zero trust should be the foundation of your cybersecurity strategy now.