{
	"id": "ca79da50-f236-47c5-9eb8-69b0079bcd42",
	"created_at": "2026-04-06T00:10:44.836663Z",
	"updated_at": "2026-04-10T13:12:50.971664Z",
	"deleted_at": null,
	"sha1_hash": "1dacb6de89b62960895f180e39fd62da5e048621",
	"title": "BianLian Ransomware Gang Gives It a Go!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 561276,
	"plain_text": "BianLian Ransomware Gang Gives It a Go!\r\nBy Ben Armstrong, Lauren Pearce, Brad Pittack, Danny Quist\r\nPublished: 2022-09-01 · Archived: 2026-04-05 12:37:37 UTC\r\nEarlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We\r\nobserved the actor deploying custom malware that was written in the Go programming language, which posed some initial,\r\nbut not insurmountable, reverse-engineering challenges. \r\nBianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and\r\naggressively worked to counter Endpoint Detection \u0026 Response (EDR) protections during the encryption phase of their\r\noperations. The group has displayed signs of being new to the practical business aspects of ransomware and associated\r\nlogistics. Generally they seemed to be experiencing the growing pains of a group of talented hackers new to this aspect of\r\ncriminal extortion.\r\nInfrastructure associated with the BianLian group first appeared online in December 2021 and their toolset appears to have\r\nbeen under active development since then. Finally, we have observed the BianLian threat actor tripling their known\r\ncommand and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational\r\ntempo.\r\nInitial Access\r\nThe BianLian group has successfully targeted the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523,\r\nCVE-2021-31207) to gain initial access into victim networks. After exploitation, they deployed either a webshell or a\r\nlightweight remote access solution such as ngrok as the follow-on payload. BianLian has also targeted SonicWall VPN\r\ndevices for exploitation, another common target for ransomware groups. 
Finally, while we do not have direct evidence of a\r\nsuccessful attack, we have indications that the actor targets servers that provide remote network access via solutions such as\r\nRemote Desktop, attempting to exploit weak or exposed credentials. We have also observed dwell times of up to six weeks\r\nfrom the actor gaining initial access and the actual encryption event. \r\nTactics On Target\r\nWith a beachhead established within a network, BianLian have shown themselves to be adept with the Living off the Land\r\n(LOL) methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in\r\nthe network. For example, they leveraged a combination of the Non-Sucking Service Manager nssm.exe and the reverse\r\nproxy ngrok.exe to create backdoors on the servers. Next, they leveraged RDP, WinRM, WMI, and PowerShell to achieve\r\nnetwork profiling and lateral movement. Finally, they deployed their custom backdoor to a subset of compromised hosts to\r\nprovide additional network access should their primary means be disrupted.\r\nAs BianLian would initially spread throughout a network, hunting for the most valuable data to steal and identify the most\r\ncritical machines to encrypt, they appeared to take steps to minimize observable events. As an example, we have observed\r\nthe threat actor choosing to avoid pinging a target and instead utilizing the arp command in network segments where the\r\ntargeted host would be reachable. In instances where ping was necessary, the actor was judicious in the use, often sending\r\njust a single ping. 
While it is possible that a network defense solution could be configured in such a way to identify an\r\nabnormal ping, it is unlikely most common EDR and network security solutions would identify an actor performing targeted\r\nnetwork reconnaissance via arp.\r\nOnce the BianLian actor identified a host they wished to access, they most often utilized standard LOL techniques such as\r\nnet.exe to add and/or modify user permissions, netsh.exe to configure host firewall policies, and reg.exe to adjust various\r\nregistry settings related to remote desktop and security policy enforcement.\r\nSample LOL commands observed:\r\n\"C:\\Windows\\system32\\net.exe\" localgroup \"Remote Desktop Users\" \u003csimilar name to existing admin\u003e /add\r\n\"C:\\Windows\\system32\\netsh.exe\" advfirewall firewall add rule \"name=allow RemoteDesktop\" dir=in\r\nprotocol=TCP localport=3389 action=allow\r\nhttps://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\r\nPage 1 of 12\n\n\"C:\\Windows\\system32\\reg.exe\" add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\"\r\n/v fAllowToGetHelp /t REG_DWORD /d 1 /f\r\nEven in the final hours prior to encryption, we observed the actor taking care to avoid detection. In one instance, the actor\r\naccessed the victim network to seemingly perform last minute network reconnaissance and/or target verification, again\r\nsending single pings and arp requests to hosts. 
The actor then disconnected from the network for approximately an hour before returning to begin their ransom attack in earnest.\r\nOnce BianLian made the decision that it was time to encrypt a victim’s network, they set aside their desire to remain undetected and took a much more aggressive approach, attacking any network and/or host-based defense that impeded their custom encryptor tool.\r\nSample commands observed targeting defenses:\r\nTargeting Windows Defender\r\n\"C:\\Windows\\system32\\Dism.exe\" /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart\r\nTargeting Windows Antimalware Scan Interface (AMSI)\r\n[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue(\r\nTargeting Sophos\r\n\"C:\\Windows\\system32\\reg.exe\" ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Sophos Endpoint Defense\\TamperProtection\\Config\" /t REG_DWORD /v SAVEnabled /d 0 /f\r\n\"C:\\Windows\\system32\\reg.exe\" ADD HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Sophos\\SAVService\\TamperProtection /t REG_DWORD /v Enabled /d 0 /f\r\nIn one instance, BianLian encountered a server that was configured and defended in such a manner that the actor was unable to successfully execute their encryptor. To overcome this, the actor installed TightVNC, modified a registry key to enable network access for TightVNC while in safe mode, then booted the server into safe mode. Since most security applications do not execute in safe mode, this enabled partial encryption of the server.
\r\n\"C:\\Windows\\system32\\reg.exe\" copy hklm\\system\\CurrentControlSet\\services\\tvnserver\r\nhklm\\system\\CurrentControlSet\\control\\safeboot\\network\\tvnserver /s /f\r\nIn situations where the actor was able to overcome a victim’s defenses, BianLian utilized many of the common techniques\r\nobserved in a modern ransomware attack such as deleting shadow copy files, deleting backups, as well as distributing and\r\nexecuting their custom encryptor via methods such as RDP, WMI, WinRM, and PowerShell scripts.\r\nExample Encryption Timeline\r\nIn the hour before attempting the encryption phase of an attack, BianLian leveraged LOL tools to prime the network and\r\ntargeted machines for attack in a less-alerting manner. They created administrator accounts on multiple servers using net.exe\r\nand dropped known-good binaries such as 7zip and winscp to enable last-minute data file exfiltration. When the actor started\r\nencryption operations, they moved aggressively and with speed. In 30 minutes, [redacted] witnessed dozens of attempts to\r\nencrypt a handful of servers, with each attempt blocked by EDR/AV. The actor then spent the next few hours both trying to\r\ncircumvent security controls and gain access to additional servers that were not initially targeted in an attempt to\r\nsuccessfully encrypt the victims files. \r\nTime (Duration) Event\r\nStart to End (4.5\r\nHours)\r\nTraffic flowed externally to several different internal user endpoints throughout the entire\r\nencryption phase. The majority of malicious traffic to victim servers for the duration of the\r\nincident flowed through these same endpoints.\r\nhttps://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\r\nPage 2 of 12\n\nTime (Duration) Event\r\nStart+1 Hour (15\r\nMinutes)\r\nAccount manipulation via net.exe on multiple servers. Admin accounts enabled and existing admin\r\naccount passwords changed to hinder any defensive response. 
Significant account manipulation\r\ncontinued through the event, but was heaviest in these 15 minutes.\r\nStart+1.25 Hours\r\n(45 Minutes)\r\nLOL tools for file exfiltration and remote access dropped to multiple servers and executed.\r\nStart+2 Hours (30\r\nMinutes)\r\nDozens of attempts to encrypt a handful of different servers.\r\nStart+2.5 Hours\r\n(2 Hours)\r\nAttempts to circumvent security controls including EDR.\r\nStart+2.5 Hours\r\n(2 Hours)\r\nOver a dozen attempts to encrypt several additional servers that were not included in the initial\r\ntargeting.\r\nTools Used and Their Evolution\r\nThe BianLian group has developed a custom tool set consisting of a backdoor and an encryptor, developing both using the\r\nGo programming language. \r\nEncryptor\r\nAs first highlighted by MalwareHunterTeam, BianLian’s custom encryptor was developed in Go. This encryptor also\r\nappears to have been under active development since the BianLian group first came online earlier this year. As the\r\nMalwareHunterTeam noted, the samples highlighted in VirusTotal contain apparent versioning information:\r\njack/Projects/project1/crypt27\r\njack/Projects/project1/crypt28\r\nThe earliest version of the encryption binary we have been able to recover appears to be version 8 and was compiled using\r\nGo version 1.18.2:\r\nSHA256: b60be0b5c6e553e483a9ef9040a9314dd54335de7050fed691a07f299ccb8bc6\r\nAs the actor has evolved this encryptor, so has the text used in the ransom note left behind on a victim’s computers. While\r\nthe file name has remained constant, the level of detail and professionalism of the text has improved over time. \r\nVersion 8 ransom note:\r\nhttps://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\r\nPage 3 of 12\n\nVersion 27/28 ransom note:\r\nAs was reported by Cyble, BianLian’s custom encryptor operates on a file extension exclusion model. 
Once again, we can\r\nsee that the actor has made adjustments to their binary in that the file types they target as they attempt to ransom victim\r\nnetworks has changed over time.\r\nCompared to Version 27/28, Version 8 of the encryptor would not exclude .lnk files, but would additionally exclude files\r\nwith the following extensions:\r\n.drv\r\n.bianlian\r\n.mui\r\nCustom Backdoor\r\nIn addition to the encryptor, BianLian has developed a simple yet effective backdoor that they have deployed on machines\r\nwithin victim networks, enabling additional means of access. While some actors choose to deploy a full feature remote\r\naccess tool with a multitude of built-in commands, BianLian’s backdoor is, at the core of it, an efficient mechanism for them\r\nto retrieve an arbitrary payload from their C2 servers, load it into memory and then execute it.\r\nhttps://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\r\nPage 4 of 12\n\nEach backdoor binary would be configured with a hardcoded IP and Port combination that it will attempt to communicate\r\nwith. As an example, the binary below will attempt to establish a secure connection to 209.141.54[.]205 on port 5307.\r\nSHA256: da7a959ae7ea237bb6cd913119a35baa43a68e375f892857f6d77eaa62aabbaf\r\nWe have observed BianLian deploy multiple backdoors into a victim network with each backdoor configured to either talk\r\nto a unique IP or a common IP but on different ports. Not only did this IP and port diversity provide the actor with multiple\r\nnetwork paths into the victims network, but every binary would have a unique hash, defeating attempts to detect the\r\nbackdoors via a simple checksum-based rule.\r\nInfrastructure\r\nIn investigating BianLian’s infrastructure, it appeared the group prefers Linux-based hosts for their C2 servers, but we have\r\nalso found evidence of Windows servers being utilized in their operations. 
While we do not have enough evidence to\r\nconfidently identify the C2 software the group is using, we have seen indications that the C2 component is also written in\r\nthe actors preferred language, Go, which would presumably allow them to easily deploy their C2 solution on either OS.\r\nThe number of active C2 nodes has also increased in relative relation to the development of the actor’s toolkit. Based on our\r\nresearch, the earliest known C2 server we have identified, 23.94.56[.]154, first appeared online at the end of December 2021\r\nand remained active until early August of this year. From that initial IP, BianLian appeared to have gradually acquired new\r\nC2 servers, occasionally removing an IP, before reaching approximately ten active servers by the end of July. \r\nStarting in August, we observed what appeared to be a somewhat troubling explosion in the rate by which BianLian was\r\nbringing new C2 servers online. Throughout the month, BianLian continued to add new C2 nodes to their operational\r\ninfrastructure, ending the month with approximately 30 active IPs, a three-fold increase in just a matter of weeks. While we\r\nlack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase\r\ntheir operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having\r\nmore resources available to them.\r\nVictimology\r\nAs is the norm for a group conducting double extortion style ransomware attacks, the BianLian group maintained a leak site\r\nwhere they post the data they have exfiltrated from victim networks. While an unfortunate truth in the ransomware space is\r\nthat the true number of organizations and victims of ransomware attacks will never be known, as of September 1, 2022, the\r\nBianLian site has posted details on twenty victim organizations. 
The threat actor also took the time to categorize the industry\r\nvertical of the victims and tagged the corresponding data.\r\nhttps://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\r\nPage 5 of 12\n\nThe victim organizations range from small/medium size businesses to a large multinational company, with the majority of\r\nthe companies based in North America, the UK and Australia.\r\nIn the past, BianLian has occasionally posted teaser information on victim organizations, leaving the victims identities\r\nmasked, which may have served as an additional pressure mechanism on the victims in an attempt to have them pay the\r\nactors ransom demand.\r\nWe also note that this is a small sample size and continued observation will be required before drawing significant\r\nconclusions on victimology or any possible preference in targeting by BianLian.\r\nAttribution \r\nWhile there is a long history of seemingly new ransomware groups rising from the ashes of defunct and/or rebranded\r\ngroups, we do not have any indications at this time to suggest that is the case with BianLian. For all intents and purposes, the\r\nBianLian group appears to represent a new entity in the ransomware ecosystem. Furthermore, we assess that the BianLian\r\nactors represent a group of individuals who are very skilled in network penetration but are relatively new to the\r\nextortion/ransomware business. This hypothesis is based in part on our observations of how the BianLian group has\r\nmanaged the business side of a ransomware operation compared to their relative skill level in compromising and navigating\r\nvictim networks. 
\r\nWhile the actor has proven themselves proficient at compromising a victim network, we have seen the actor:\r\nMistakenly send data from one victim to another.\r\nPossess a relatively stable backdoor toolkit but an actively developing encryption tool with an evolving ransom note.\r\nExperience long delays in communications with victims.\r\nAdmit, on their own onion site, that the business side of their infrastructure is unreliable.\r\nNote: There is an Android banking trojan that has been referred to by some researchers as BianLian (a.k.a. Hydra). To date, we have seen no indications that this is related to the BianLian ransomware group.\r\nRecommendations\r\nWhen mitigating the threat posed by ransomware actors, it is essential to use a layered approach. Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also on preparing to act quickly and effectively when a compromise inevitably happens.\r\nThis includes ensuring you have:\r\nAn aggressive, prioritized patching regime;\r\nMulti-factor authentication on every system that allows it as an option;\r\nVisibility into your network and endpoint devices to quickly identify breaches;\r\nSecure backups to allow a return to business operations as soon as possible;\r\nA well-practiced incident response plan so everyone involved knows their role; and\r\nAn assessment of your ‘Crown Jewels’ that can be used both to inform your security posture and to decide ahead of an incident what data you could afford to have leaked so you can avoid paying the ransom.\r\nIn addition to these strategic recommendations, there are multiple opportunities for behavioral detections in the attack chain leveraged by BianLian:\r\n1. Defense Evasion: Svchost not a child of services.exe\r\nBianLian called one of their LOL tools svchost, then launched it via a process other than services.exe.\r\n2. Defense Evasion: Svchost executing from an unusual path\r\nBianLian called one of their LOL tools svchost.exe, then executed it from a non-standard path.\r\n3. Defense Evasion: Netsh to modify firewall rules\r\nBianLian leveraged netsh to add a firewall rule to open 3389 to Remote Desktop.\r\n4. Reconnaissance: Ping -4 -n 1\r\nBianLian used single pings to perform network reconnaissance. This is a false-positive-prone alert.\r\n5. Lateral Movement: WinRM dropping a file via PowerShell\r\nThe binary wsmprovhost.exe is used to mediate the relationship between WinRM and PowerShell. Alerting on file modification by wsmprovhost.exe proved a reliable method to detect BianLian dropping malicious files.\r\n6. Lateral Movement: Unknown Binary Established Connection on 3389\r\nIf leveraging an EDR that classifies binaries as known and unknown and ties network connections to binaries, looking for 3389 in use by unknown binaries can be extremely fruitful. This rule detects BianLian’s custom Go backdoor.\r\n7. Credential Access: Account manipulation via net.exe\r\n“Net user” is too loud to alert on in most environments, but we recommend alerting on a threshold of “net user” executions. Even a threshold as high as 10 events in 15 minutes would have detected BianLian in the attacks witnessed.\r\n8. Execution: Unknown binary launching PowerShell\r\nIf leveraging an EDR that classifies binaries as known and unknown, searching for unknown binaries launching PowerShell will frequently detect use of the BianLian backdoor.\r\n9. Defense Evasion: Reg.exe modifying safeboot keys\r\nBianLian added their remote access tool to the safeboot registry keys so that it retained network access when the server was booted into safe mode.\r\nIndicators of Compromise\r\nIP Context\r\nActive C2s\r\nIP Address | First Seen\r\n104.225.129[.]86 | Late July\r\n104.238.223[.]10 | Late July\r\n104.238.223[.]3 | Late August\r\n109.248.6[.]207 | Late August\r\n13.49.57[.]110 | Mid May\r\n144.208.127[.]119 | Mid August\r\n146.0.79[.]9 | Early February\r\n157.245.80[.]66 | Early June\r\n16.162.137[.]220 | Mid July\r\n165.22.87[.]199 | Late August\r\n172.93.96[.]61 | Mid August\r\n172.93.96[.]62 | Late August\r\n18.130.242[.]71 | Mid July\r\n185.108.129[.]242 | Early August\r\n185.225.69[.]173 | Mid August\r\n185.56.80[.]28 | Early August\r\n185.62.58[.]151 | Mid August\r\n185.69.53[.]38 | Late May\r\n192.145.38[.]242 | Late August\r\n192.161.48[.]43 | Mid August\r\n192.169.6[.]232 | Mid August\r\n37.235.54[.]81 | Late August\r\n45.9.150[.]132 | Early August\r\n5.2.79[.]138 | Late August\r\n51.68.190[.]20 | Late August\r\n54.173.59[.]51 | Mid August\r\n62.84.112[.]68 | Mid August\r\n64.52.80[.]120 | Early August\r\n66.135.0[.]42 | Early April\r\n83.136.180[.]12 | Early June\r\n85.13.117[.]213 | Late August\r\n85.13.117[.]218 | Late August\r\n91.199.209[.]20 | Mid July\r\n95.179.137[.]20 | Late July\r\nHistorical C2s\r\nIP Address | First Seen | Last Seen\r\n104.207.155[.]133 | Early July | Early August\r\n104.238.61[.]153 | *\r\n146.70.44[.]248 | *\r\n155.94.160[.]241 | Late July | Early August\r\n167.88.15[.]98 | Early August | Late August\r\n172.96.137[.]107 | Early August | Mid August\r\n188.166.81[.]141 | Early May | Late August\r\n194.26.29[.]131 | Early August | Late August\r\n194.5.212[.]205 | Early August | Mid August\r\n194.58.119[.]159 | Late May | Early June\r\n198.252.108[.]34 | *\r\n202.66.72[.]7 | Mid August | Late August\r\n208.123.119[.]145 | Late April | Late April\r\n209.141.54[.]205 | Early August | Mid August\r\n23.227.198[.]243 | *\r\n23.94.56[.]154 | Late December | Early August\r\n43.155.116[.]250 | Mid August | Mid August\r\n45.144.30[.]139 | Mid April | Early June\r\n45.92.156[.]105 | *\r\n5.188.6[.]118 | Early August | Late August\r\n5.230.67[.]2 | Early August | Late August\r\n85.13.116[.]194 | Mid August | Late August\r\n85.13.117[.]219 | Early August | Late August\r\n89.22.224[.]3 | Early August | Late August\r\n* These IPs were found in instances of BianLian’s backdoor, but we lack visibility on the timeframe(s) when the IPs may have been active.\r\nObserved Command Lines\r\n\"C:\\Windows\\system32\\Dism.exe\" /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart\r\n\"C:\\Windows\\system32\\net.exe\" localgroup \"Remote Desktop Users\" \u003csimilar name to existing admin\u003e /add\r\n\"C:\\Windows\\system32\\net.exe\" user \u003clegitimate admin account\u003e 3gDZNxtsQ9G029k7D6Ljxe /domain\r\n\"C:\\Windows\\system32\\netsh.exe\" advfirewall firewall set rule \"group=remote desktop\" new enable=Yes\r\n\"C:\\Windows\\system32\\netsh.exe\" advfirewall firewall add rule \"name=allow RemoteDesktop\" dir=in protocol=TCP localport=3389 action=allow\r\n\"C:\\Windows\\system32\\reg.exe\" add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fAllowToGetHelp /t REG_DWORD /d 1 /f\r\n\"C:\\Windows\\system32\\reg.exe\" add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\r\n\"C:\\Windows\\system32\\reg.exe\" ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Sophos Endpoint Defense\\TamperProtection\\Config\" /t REG_DWORD /v SAVEnabled /d 0 /f\r\n\"C:\\Windows\\system32\\reg.exe\" ADD \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Sophos Endpoint Defense\\TamperProtection\\Config\" /t REG_DWORD /v SEDEnabled /d 0 /f\r\n\"C:\\Windows\\system32\\reg.exe\" ADD HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Sophos\\SAVService\\TamperProtection /t REG_DWORD /v Enabled /d 0 /f\r\n\"C:\\Windows\\system32\\reg.exe\" copy hklm\\system\\CurrentControlSet\\services\\tvnserver hklm\\system\\CurrentControlSet\\control\\safeboot\\network\\tvnserver /s /f\r\ncmd.exe /Q /c net user \"Administrator\" /active:yes 1\u003e \\\\127.0.0.1\\C$\\Windows\\Temp\\abjAlC 2\u003e\u00261\r\ncmd.exe /Q /c net user \"Administrator\" ChangeMe2morrow! 1\u003e \\\\127.0.0.1\\C$\\Windows\\Temp\\OxNEcz 2\u003e\u00261\r\ncmd.exe /Q /c quser 1\u003e \\\\127.0.0.1\\C$\\Windows\\Temp\\VXPrvY 2\u003e\u00261\r\n\"C:\\Windows\\system32\\PING.EXE\" -4 -n 1 *\r\n[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\r\nMITRE ATT\u0026CK Techniques\r\nID Technique\r\nT1190 Initial Access: Exploit Public-Facing Application\r\nT1047 Execution: Windows Management Instrumentation\r\nT1059.001 Execution: Command and Scripting Interpreter: PowerShell\r\nT1098 Persistence: Account Manipulation\r\nT1078 Persistence: Valid Accounts\r\nT1562.001 Defense Evasion: Impair Defenses: Disable or Modify Tools\r\nT1562.004 Defense Evasion: Impair Defenses: Disable or Modify System Firewall\r\nT1036 Defense Evasion: Masquerading\r\nT1112 Defense Evasion: Modify Registry\r\nT1069 Discovery: Permission Groups Discovery\r\nT1018 Discovery: Remote System Discovery\r\nT1021.001 Lateral Movement: Remote Services: Remote Desktop Protocol\r\nT1021.005 Lateral Movement: Remote Services: VNC\r\nT1021.006 Lateral Movement: Remote Services: Windows Remote Management\r\nT1090 Command and Control: Proxy\r\nT1071.001 Command and Control: Application Layer Protocol: Web Protocol\r\nT1486 Impact: Data Encrypted for Impact\r\nTools For Researchers\r\nDuring our research, we created some tool modifications for the AlphaGolang project to assist other security community researchers in working on the BianLian malware. The specific update is located here.\r\nSource: https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/"
	],
	"report_names": [
		"bianlian-ransomware-gang-gives-it-a-go"
	],
	"threat_actors": [],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dacb6de89b62960895f180e39fd62da5e048621.pdf",
		"text": "https://archive.orkl.eu/1dacb6de89b62960895f180e39fd62da5e048621.txt",
		"img": "https://archive.orkl.eu/1dacb6de89b62960895f180e39fd62da5e048621.jpg"
	}
}