BianLian Targets Healthcare and Manufacturing in US, EU
The BianLian ransomware group, notorious for its evolving strategies, has now intensified its focus on the healthcare and manufacturing sectors in the United States and Europe. This move signals a significant threat to data security and operational stability in these critical industries.
According to a detailed report by Unit 42 researchers at Palo Alto Networks, BianLian, initially known for traditional ransomware attacks in which files are encrypted and a ransom is demanded, has now begun forgoing the encryption stage and moving straight to data theft. This appears intended to pressure victims into paying through the more immediate threat of data exposure.
The group's use of a custom .NET tool for data extraction, which is also used by the Makop ransomware group, suggests a possible collaboration or shared resources between the two. The tool is designed to retrieve sensitive information from compromised systems, including files, registry data, and clipboard contents. Notably, Russian-language elements in the tool hint at the group's origins.
BianLian's operations are marked by sophistication and stealth, and the group uses a variety of methods to gain initial access to target networks: exploiting known vulnerabilities such as ProxyShell, using stolen Remote Desktop Protocol (RDP) credentials, and targeting virtual private network (VPN) providers. Once inside a network, BianLian relies on publicly available tools for lateral movement and persistence.
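Of the initial-access vectors listed above, stolen RDP credentials are the one a defender can most readily hunt for in Windows Security logs. The following is an added example, not code from the Unit 42 report or from BianLian's tooling: it scans a constructed set of Windows Security events (hypothetical records, not real data) for interactive RDP logons (event 4624, LogonType 10) that either originate from outside the private address ranges or follow a run of failed logons (event 4625) for the same account and source. The `SAMPLE_EVENTS` data, the internal-network list, and the threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample Windows Security events (hypothetical, assumed for this example).
# Each record: (timestamp, event_id, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2023-01-10T02:01:05", 4625, "svc_backup", "203.0.113.45", 10),
    ("2023-01-10T02:01:09", 4625, "svc_backup", "203.0.113.45", 10),
    ("2023-01-10T02:01:14", 4625, "svc_backup", "203.0.113.45", 10),
    ("2023-01-10T02:01:20", 4624, "svc_backup", "203.0.113.45", 10),
    ("2023-01-10T09:15:00", 4624, "jdoe", "10.20.30.40", 10),
    ("2023-01-10T09:16:00", 4624, "jdoe", "10.20.30.41", 3),
    ("2023-01-10T11:00:00", 4624, "admin", "198.51.100.7", 10),
]

# Assumption: these RFC 1918 ranges are the organisation's internal address space.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def is_internal(ip_text):
    """True if the source address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_rdp(events, min_failures=3):
    """Return findings for RDP logons that are external or follow repeated failures.

    Events are processed in timestamp order. A counter per (account, source_ip)
    tracks consecutive 4625 failures; a 4624 success resets it and is flagged if
    the source is external or the preceding failure count reached min_failures.
    """
    failures = defaultdict(int)
    findings = []
    for ts, event_id, account, ip, logon_type in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        key = (account, ip)
        if event_id == 4625:
            failures[key] += 1
            continue
        if event_id != 4624:
            continue
        reasons = []
        if not is_internal(ip):
            reasons.append("rdp_logon_from_external_ip")
        if failures[key] >= min_failures:
            reasons.append("success_after_%d_failures" % failures[key])
        failures[key] = 0
        if reasons:
            findings.append(
                {"time": ts, "account": account, "source_ip": ip, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp(SAMPLE_EVENTS):
        print(f)
```

One caveat for production use: with Network Level Authentication enabled, failed RDP attempts are frequently recorded with LogonType 3 rather than 10, so a real hunt should widen the failure filter accordingly and correlate on source address rather than logon type alone.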
The recent focus of BianLian on the healthcare and manufacturing sectors is particularly alarming. In a notable incident in January 2023, as reported by SiliconANGLE, the group claimed to have infiltrated a California-based hospital, exfiltrating 1.7 terabytes of data. The breach included sensitive personal information of patients and employees. The potential disruption to hospitals' day-to-day operations and the endangerment of patients' lives make these attacks on healthcare organizations especially concerning.
Back in September, BianLian reportedly targeted Save The Children International, a prominent nonprofit organization. In the breach, an alarming 6.8TB of data was stolen, including sensitive personal and financial data, along with health records. This ruthless attack on an organization dedicated to child welfare underscores the group's merciless nature.