SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Ransomware-as-a-Service group BianLian opts for unique model

Sat, 23rd Nov 2024

The BianLian data extortion group operates with a structure that makes it more challenging for law enforcement to track down individual members compared to other Ransomware-as-a-Service (RaaS) groups.

Jason Baker, Principal Threat Intelligence Consultant for the GuidePoint Research and Intelligence Team (GRIT) at GuidePoint Security, highlights the nature of BianLian's operations, contrasting it with the RaaS model adopted by other prominent ransomware groups. "Among the most prolific ransomware groups today, most follow a RaaS structure, in which loosely aligned affiliates split a portion of paid ransoms with a core group responsible for maintaining supporting infrastructure and the underlying ransomware encryptor. This has reduced the barrier to entry for prospective cybercriminals as technical expertise is distributed amongst specialists rather than highly skilled generalists," Baker explained.

BianLian diverges from the RaaS model, likely operating as a tightly-knit group taking charge of all their operations internally rather than advertising for new affiliates. This operational model is thought to enhance the group's flexibility and resilience. According to Baker, "Bianlian breaks the norm in this regard, likely operating as an insular group responsible for the full spectrum of their operations rather than operating on a RaaS model or advertising for new affiliates. We assess that this has supported the group's flexibility and resilience because fewer loose affiliates present fewer opportunities for LE penetration and because the group does not face the same disruptive risks as RaaS groups."

Baker further noted that even when counteractions are taken, such as Avast's release of a decryptor for BianLian ransomware in early 2023, the group managed to pivot quickly to focus on exfiltration-only data extortion without significant disruption to their operations. He compared this adaptability to the eventual challenges faced by RaaS groups, stating, "RaaS groups, such as Akira, have performed similar pivots in the face of decryptor publication in the short term, but have ultimately had to devise new encryptor versions to maintain their viability and affiliates over the long term."

The effectiveness of BianLian's approach underscores the evolving tactics in ransomware operations, with an increased emphasis on data extortion. "BianLian's continued efficacy also highlights the effectiveness of data extortion concurrent with or even in lieu of data encryption. While data encryption remains a valuable weapon in double-extortion ransomware attacks, groups such as BianLian have adapted to the increased preparedness of Defenders and the increased availability of backups in the enterprise environment to focus on the more attainable goal of exfiltrating sensitive data and holding it hostage..." Baker remarked.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X