The ransomware group BianLian seems to be making the most of the festive season by listing victim after victim on its leak site. On December 29, it posted Indian engineering services and consultancy Mitcon.
BianLian ransomware group said in its post that they possess company project details and financial information. They also have business and technical data along with fileserver archives from Mitcon, according to a ThreatMon Threat Intelligence Team tweet.
Actor : BianLian
Victim : MITCON Consultancy & Engineering Services
Date : 2022-12-29 14:18
— ThreatMon Ransomware Monitoring (@TMRansomMonitor) December 29, 2022
The post mentioned that Mitcon has a revenue of $46 million and placed the link to the website https://www.mitconindia.com/. At the time of publishing this news report, the website is accessible, with other pages on the site opening seamlessly.
BianLian’s latest target
Mitcon was founded in 1982 in Maharashtra, India and it now serves major financial institutions besides participating in several sustainable solutions endeavors over the years.
The Indian technical consultancy organization (TCO) offers marketing and financial solutions besides technical consulting and had an assignment with Saudi Arabia with 6 energy audits between 2019 and 2020.
The Cyber Express reached out to Mitcon on the development, but the executives declined to comment on it.
BianLian often target small, medium, and multinational companies and have unknowingly sent the exfiltrated data to other victims reported cybersecurity firm Redacted. They maintain a long pause in responding to its victims after launching a ransomware news attack.
On their leak site, the group has posted industry-wise segmentation of its victims as shown below:
BianLian and tactics to evade detection
“BianLian is GoLang-based ransomware that continues to breach several industries and demand large ransom amounts,” said a Cyble report on the ransomware gang.
The threat actor also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time.
BianLian attacks its victims by gaining access through vulnerabilities and moving laterally across networks. They leave a ransom note without stating the ransom amount on it and instead make posts on their TOR site.
This group is known to be financially motivated and uses its own Golang encryptors, encryption backdoors, and C2 software. This is to evade detection and escape being found in the endpoint detection and response (EDR) protection while the encryption process is carried out.
BianLian has constantly managed to evolve and evade detection when the network is mapped by employing living-off-the-land (LotL) tactics. Their attack vector comprises gaining initial access, execution, maintaining persistence, evading defense, moving laterally, and encrypting the data.
Researchers advise following an aggressive patching approach in mitigating the impact of BianLian ransomware attacks.
Besides securing backups to not impact business, putting in place a well-practiced incident response plan is also recommended by researchers.