FBI says BianLian based in Russia, moving from ransomware attacks to extortion
2024-11-21 09:30:46 Author: therecord.media

BianLian ransomware actors are likely based in Russia and have multiple Russia-based affiliates, according to new information shared by the FBI and Australian law enforcement. 

BianLian has drawn scrutiny for attacks on charities like Save The Children as well as healthcare firms like Boston Children’s Health Physicians. On Tuesday, the gang took credit for an attack on Amherstburg Family Health Team — a Canadian healthcare company that said it is currently experiencing delays due to technical issues with its phone system. 

The FBI and Australian Cyber Security Centre on Wednesday published an updated advisory on the group, warning that the gang has shifted its tactics and is now extorting companies with stolen data rather than encrypting systems. The group has focused exclusively on exfiltration-based extortion since January 2024.

The advisory notes that like many ransomware gangs, the likely Russia-based group has used its name “to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts.” 

The group has been seen targeting public-facing applications on both Windows and ESXi infrastructure, possibly leveraging the widely exploited ProxyShell vulnerability chain in Microsoft Exchange Server — CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 — to gain initial access.

The agencies also saw BianLian actors exploiting vulnerabilities such as CVE-2022-37969, a privilege-escalation flaw in the Windows Common Log File System (CLFS) driver that affects Windows 10 and 11.

The group uses a range of other tools to move through breached networks, steal data and create confusion for incident responders trying to stop them.

In one instance, the agencies saw BianLian create multiple administrator accounts within a victim’s system to more easily move across a network and maintain access. 
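As an added example (not code from the advisory or from The Record), the following Python sketch shows how a defender might hunt for the behaviour described above: one actor creating several new accounts and adding each to the local Administrators group within a short window. It runs over a handful of constructed Windows Security log records (Event ID 4720, user account created; Event ID 4732, member added to a security-enabled local group) embedded as JSON lines. The hosts, account names, timestamps and simplified field names are assumptions, and the thresholds are starting points rather than tuned values.

```python
"""
Hunt for burst creation of local administrator accounts.

Added example, not code from the FBI/ACSC advisory or from The Record.
The sample events below are constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are simplified stand-ins for the
# Windows Security audit fields (SubjectUserName, TargetUserName, group name).
SAMPLE_EVENTS = r"""
{"ts": "2024-11-18T02:14:05", "host": "FS01", "event_id": 4720, "subject": "CORP\\svc_backup", "target": "sysadm1"}
{"ts": "2024-11-18T02:14:09", "host": "FS01", "event_id": 4732, "subject": "CORP\\svc_backup", "target": "sysadm1", "group": "Administrators"}
{"ts": "2024-11-18T02:15:41", "host": "FS01", "event_id": 4720, "subject": "CORP\\svc_backup", "target": "helpdesk2"}
{"ts": "2024-11-18T02:15:44", "host": "FS01", "event_id": 4732, "subject": "CORP\\svc_backup", "target": "helpdesk2", "group": "Administrators"}
{"ts": "2024-11-18T02:31:12", "host": "FS01", "event_id": 4720, "subject": "CORP\\svc_backup", "target": "update_svc"}
{"ts": "2024-11-18T02:31:15", "host": "FS01", "event_id": 4732, "subject": "CORP\\svc_backup", "target": "update_svc", "group": "Administrators"}
{"ts": "2024-11-18T09:02:00", "host": "WS17", "event_id": 4720, "subject": "CORP\\jdoe", "target": "intern_temp"}
{"ts": "2024-11-18T09:02:30", "host": "WS17", "event_id": 4732, "subject": "CORP\\jdoe", "target": "intern_temp", "group": "Remote Desktop Users"}
"""


def parse_events(text):
    """Parse JSON-lines audit records and convert timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_admin_creations(events, pair_window=timedelta(minutes=10)):
    """Pair each 4720 (account created) with a later 4732 that adds the same
    account to Administrators on the same host within pair_window.
    Returns one record per newly created admin account."""
    created = {}  # (host, target account) -> (creating subject, creation time)
    hits = []
    for event in sorted(events, key=lambda e: e["ts"]):
        key = (event["host"], event["target"])
        if event["event_id"] == 4720:
            created[key] = (event["subject"], event["ts"])
        elif event["event_id"] == 4732 and event.get("group") == "Administrators":
            if key in created and event["ts"] - created[key][1] <= pair_window:
                hits.append({"host": event["host"], "subject": event["subject"],
                             "target": event["target"], "ts": event["ts"]})
    return hits


def cluster_alerts(hits, min_accounts=2, burst_window=timedelta(hours=1)):
    """Alert when one subject on one host creates at least min_accounts
    administrator accounts inside any burst_window-long interval.
    The reported account list is the largest such cluster found."""
    by_actor = defaultdict(list)
    for hit in hits:
        by_actor[(hit["host"], hit["subject"])].append(hit)

    alerts = []
    for (host, subject), items in by_actor.items():
        items.sort(key=lambda h: h["ts"])
        best, start = None, 0
        for end in range(len(items)):  # sliding window over sorted times
            while items[end]["ts"] - items[start]["ts"] > burst_window:
                start += 1
            if best is None or end - start > best[1] - best[0]:
                best = (start, end)
        if best is not None and best[1] - best[0] + 1 >= min_accounts:
            alerts.append({"host": host, "subject": subject,
                           "accounts": [h["target"] for h in items[best[0]:best[1] + 1]]})
    return alerts


def run_detection(text=SAMPLE_EVENTS):
    """Convenience entry point: parse, pair, cluster."""
    return cluster_alerts(find_admin_creations(parse_events(text)))


if __name__ == "__main__":
    for alert in run_detection():
        print(f"ALERT {alert['host']}: {alert['subject']} created admin accounts {alert['accounts']}")
```

On the constructed data this flags svc_backup on FS01 (three new administrators in about 17 minutes) and ignores jdoe on WS17, whose new account went into Remote Desktop Users rather than Administrators. In production, domain-group additions surface as Event ID 4728 rather than 4732, the real field names differ from the simplified ones used here, and legitimate provisioning tools will trip the rule unless their service accounts are allow-listed.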

Before 2024, the group typically deployed an encryptor that appended the .bianlian extension to every affected file and dropped a ransom note.

“Newer ransomware notes state BianLian group has exfiltrated data and threaten to leak the exfiltrated data if the ransom is not paid,” the FBI said.  

“The ransom notes provide the Tox ID…which directs the victim organization to a Tox chat and includes alternative contact email addresses n0torious@onionmail[.]org and xwikipedia@onionmail[.]org.”

The group has also sought to put further pressure on victims by printing ransom notes on company printers and even by calling employees to threaten them.

Two weeks ago, the UN Security Council held a hearing on ransomware at which the head of the World Health Organization, the UN health agency, spoke at length about the danger ransomware attacks pose to international security.

“Let’s be clear… ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality; they can be issues of life and death,” he stressed.

White House official Anne Neuberger, who represented the U.S. at the meeting, said about $1.3 billion in ransoms were paid in the U.S. alone in 2023.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/fbi-says-bianlian-based-in-russia-switching-tactics