Fresh warning issued over encryption-less ransomware as notorious threat group shifts tactics

Internet security, virus, big data hacking and malware concept with blurred blue binary code in form of skull symbol on dark background.
(Image credit: Getty Images)

Security agencies have updated their information on notorious ransomware gang BianLian, warning the group has shifted its tactics and is moving away from encryption based attacks.

A cybersecurity advisory issued by the FBI, CISA, and Australia Cyber Security Centre was recently updated on 20 November 2024 to reflect a change in tactics from the group, signaling a potentially wider shift in the digital extortion industry.

The revision warned that although originally known for deploying a double-extortion model, the group appears to have switched to a primarily exfiltration-based extortion technique from around January 2023.

Instead of attempting to encrypt the victim’s systems after initially exfiltrating the data, the new tactic leaves the target environment intact, opting to just use the stolen information to extract a ransom from the breached organization.

As of January 2024, CISA and international counterparts warned that the group was now exclusively leveraging encryption-less ransomware.

Commenting on the update, Darren Williams, CEO and founder at anti-ransomware specialists BlackFog said this switch is part of a growing trend in 2024, with a particular focus on stealing data rather than encrypting it becoming the norm for the vast majority of threat actors

“This continues to be a major trend we have seen through 2024, where 94% of all ransomware now focuses on data exfiltration. This is not a surprise given the value of intellectual property, customer and personal data,” he explained.

“Data exfiltration allows criminals to leverage multiple pathways to secure payment from direct extortion of the victim or the subject of the data themselves. Even if the victims pay there is considerable evidence this is never deleted, but rather traded on the Dark Web for years to come.”

Moving away from encryption saves hackers time and helps avoid detection

Speaking to ITPro, Muhammad Yahya Patel, lead security engineer at Check Point Software, said that exfiltration-only extortion gives attackers added agility as they no longer have to use extra time and resources on developing and deploying encryption malware.

“A significant advantage for attackers in adopting this approach is the reduced reliance on encryption malware,” he explained. “Traditional ransomware operations often require significant resources to infiltrate networks, deploy encryption tools, and maintain persistent control. Exfiltration-based methods, on the other hand, streamline the attack process.”

“Once attackers gain access to sensitive data, they can offload it without needing to control the entire network. This efficiency not only reduces the operational complexity for threat actors but also lowers the chances of detection, as many organisations lack sufficient monitoring tools to detect data exfiltration.

“This gap in visibility enables cybercriminals to operate under the radar, further compounding the challenge for defenders.”

Conversely, Pedro Umbelino, principal research scientist at Bitsight, told ITPro it was too early to call the adoption of exfiltration-only extortion a ‘trend’ but identified why he thinks groups like BianLian have started to use the technique more frequently.

“The few exfiltration-only attacks we’ve seen – for example, Cl0p and BianLian – are not yet frequent enough to be labelled a trend, but such cases are becoming more and more common for several reasons,” he argued.

“Firstly, encryption rarely implies data loss nowadays because many organisations now have robust backups in place from which they can recover more quickly. Plus, we already see data exfiltration as a component in the majority of today’s attacks.”

Umbelino added that the prevalence of fully operational backup and recovery solutions means that encryption attacks are far less effective.

“We also must consider the incentive of a ransomware payout. We know that most companies will pay for ransom despite having fully operational backup and recovery solutions – instead, ransomware payments are driven by the fear of an information leak.

“If most victims are paying for the exfiltrated information regardless, then the threat actor wants to avoid overcomplicating the operation. At the end of the day, ransomware operators are running a business, aiming to unlock profit in the most efficient way possible.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.