Joint Cybersecurity Advisory – #StopRansomware: BianLian Ransomware Group

Author: Alec Davison

Created: Thursday, May 18, 2023 - 19:22

Categories: Cybersecurity

WaterISAC regularly provides awareness of recent CISA reporting. While the direct relevance of each report's details to your utility or organization may vary, activity alerts like this are practical for general awareness of active threats and adversary capabilities.

CISA, the FBI, and the Australian Cyber Security Centre (ACSC) recently published a joint Cybersecurity Advisory (CSA) to provide network defenders with technical information, recommended actions, and mitigations to protect against BianLian Ransomware.

The FBI has observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. In Australia, ACSC has observed BianLian group predominately targeting private enterprises, including one critical infrastructure organization. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega.

Actions to take today to mitigate cyber threats from BianLian ransomware and data extortion include: 

  • Strictly limit the use of RDP and other remote desktop services.  
  • Disable command-line and scripting activities and permissions. 
  • Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version. 

The CSA also includes indicators of compromise to help network defenders detect if there is malicious activity on their networks. The reporting agencies encourage network defenders to review the CSA and apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. 
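The access and exfiltration behaviors summarized above lend themselves to a simple log triage. The following is an added example, not code from the CSA or from WaterISAC: it flags RDP logons from sources outside an approved list and raises the severity when one of the file-transfer tools named above runs on the same host within 24 hours. The normalized event layout, host names, IP ranges, 24-hour window and tool-name prefixes are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

# Assumptions for this example: approved RDP sources and a tool-name watchlist.
APPROVED_RDP_SOURCES = [ip_network("10.20.0.0/28")]   # hypothetical jump-host subnet
TRANSFER_TOOL_PREFIXES = ("rclone", "ftp", "mega")     # tools named in the summary
WINDOW = timedelta(hours=24)                           # assumed correlation window

# Constructed sample events, normalized from Windows Security log records:
# 4624 = logon (LogonType 10 = RemoteInteractive, i.e. RDP), 4688 = process creation.
EVENTS = [
    {"time": "2023-05-18T02:11:00", "host": "HIST-01", "id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"},
    {"time": "2023-05-18T02:40:00", "host": "HIST-01", "id": 4688, "user": "svc_backup", "image": r"C:\Users\Public\rclone.exe"},
    {"time": "2023-05-18T08:00:00", "host": "ENG-02", "id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.20.0.5"},
    {"time": "2023-05-18T08:30:00", "host": "ENG-02", "id": 4688, "user": "jsmith", "image": r"C:\Windows\System32\ftp.exe"},
    {"time": "2023-05-18T09:00:00", "host": "ENG-02", "id": 4624, "logon_type": 3, "user": "jsmith", "src_ip": "198.51.100.7"},
]

def is_unapproved_rdp(ev):
    """True for an RDP logon whose source is outside every approved network."""
    if ev["id"] != 4624 or ev.get("logon_type") != 10:
        return False
    return not any(ip_address(ev["src_ip"]) in net for net in APPROVED_RDP_SOURCES)

def is_transfer_tool(ev):
    """True for a process creation whose image name starts with a watched prefix."""
    if ev["id"] != 4688:
        return False
    return PureWindowsPath(ev["image"]).name.lower().startswith(TRANSFER_TOOL_PREFIXES)

def triage(events):
    """Return (severity, host, detail) findings in time order."""
    findings, last_bad_rdp = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if is_unapproved_rdp(ev):
            last_bad_rdp[ev["host"]] = ts
            findings.append(("medium", ev["host"], f"RDP logon by {ev['user']} from {ev['src_ip']}"))
        elif is_transfer_tool(ev):
            seen = last_bad_rdp.get(ev["host"])
            sev = "high" if seen and ts - seen <= WINDOW else "low"
            findings.append((sev, ev["host"], f"{PureWindowsPath(ev['image']).name} run by {ev['user']}"))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding, sep=" | ")
```

Matching on image names misses renamed binaries, so treat this as a first-pass filter alongside the indicators of compromise published in the CSA.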

To report suspicious or criminal activity related to information found in the advisory, contact your local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.
