On Wednesday it was announced that about 1.2 terabytes of data from the Basel Department of Education is accessible on the darknet. It is the “prey” of cybercriminals who failed in their blackmail attempt and published the data as a kind of punishment for the victim who was not willing to pay.
Behind the massive data theft is a group that the public knows relatively little about. Swiss IT security expert Marc Ruef, who knows the ransomware gangs inside out, has dealt with “BianLian” and classifies the extraordinary case.
What is special about this group?
The attack on Basel’s education department was made public in late January. It has only been known since this week that the blackmailer gang “BianLian” is behind it.
Security expert Marc Ruef:
“As a result, the group has reduced the complexity of its attacks, but has also reduced its own influence in the blackmail approach. They speculate that releasing the data will be painful enough to force victims to pay.
Basically, BianLian’s approach is very professional and efficient. The data captured often spans several terabytes and amounts to a complete compromise.”
Since mid-January there has been a so-called decryptor, a utility that decrypts files encrypted by BianLian. This free tool from the IT security company Avast may also be the reason why the unknown criminals fundamentally changed their approach.
Ruef explains:
It should be noted that the criminal plan did not succeed in the Basel-Stadt case. The officials responsible assure that nothing has been paid. Reportedly, no negotiations took place at all.
What do you know about the origin of the criminals?
When we investigated BianLian, we noticed that unlike other ransomware actors, Russia was never mentioned in previous reports.
The IT security expert explains:
“Its origin is still a mystery. Certain security firms believe they have identified ties to North Korea. Our own research shows that there is common ground with actors from Russia, China, Germany and Spain. A reliable assignment is currently not possible.
So far, the victims have mainly fallen in North America, Western Europe, Australia and India. South America, Africa and Eurasia are not the focus for now. Whether this is due to geopolitical orientation, language or cultural barriers cannot be said at this time.”
The malware is written in “Go”. What does this gain the criminals?
Marc Ruef says:
“The long-term advantage of Go is that programs can be easily compiled on different operating systems. So it wouldn’t be surprising if the group also focused on other platforms such as Linux and macOS. However, like most other ransomware gangs, it seems to be focused on Windows at the moment.”
What do we know about the leaked Basel-Stadt data?
Marc Ruef scrutinized the data available on the leak site and highlighted:
The inspection revealed that the leak consists of “858 ZIP files”, i.e. compressed data, with “a compromised Windows system per file”.
The security expert explains:
However, the unknown cybercriminals apparently have a hard time keeping the victim’s data available on a functioning server on the dark web.
Ruef confirms:
How bad is the data breach?
BianLian claims on its own leak page that “HR, finance, accounting, student and employee data” was stolen in the hacker attack on the education department. “The path structures indicate employees, teachers and students,” explains Ruef. There is also certain contract information and so-called NDAs with external partners, i.e. non-disclosure agreements.
“The locally stored documents can be found there. The amount of data is highly dependent on which user has saved how many documents, images, OneNote notes, etc. The contents of the Windows Recycle Bin are also present. Passwords and form data stored in the browser can also be found.”
Can one conclude from the nearly 860 ZIP files mentioned above that a corresponding number of PC users are affected by the breach?
The IT security expert:
The hackers gained access to the “eduBS” network and spread through security vulnerabilities. The network is available to Basel’s teachers and students and is isolated from the canton’s data network. Accordingly, apparently only the education department is affected by the hacker attack.
For example, grades, learning reports and absences could end up on the dark web, says director of education Cramer. Now the IT team will determine who is affected. These people would be contacted directly.
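The leak is described above as one ZIP archive per compromised Windows system, containing user documents, Recycle Bin contents and browser-stored passwords and form data, and the canton’s IT team now has to work out who is affected. The following is an added example, not code from the article or from anyone quoted in it, of how an incident responder can inventory such a set of archives to derive the affected user accounts and flag the most sensitive artefacts per host. The archives, host names, user names and paths are constructed for this example; the regexes for sensitive artefacts are assumptions chosen to match the article’s description (browser credential stores, Recycle Bin, OneNote, NDAs).

```python
import io
import re
import zipfile
from collections import defaultdict

# Constructed sample: three archives, each standing in for one exfiltrated
# Windows system ("one compromised Windows system per file"). All names and
# paths are invented for this example.
SAMPLE_ARCHIVES = {
    "host-0001.zip": [
        "C:/Users/t.muster/Documents/Zeugnisse_2022.xlsx",
        "C:/Users/t.muster/AppData/Local/Google/Chrome/User Data/Default/Login Data",
        "C:/$Recycle.Bin/S-1-5-21-1/$RABCDEF.docx",
    ],
    "host-0002.zip": [
        "C:/Users/a.beispiel/Documents/OneNote Notebooks/Klasse 3b.one",
        "C:/Users/a.beispiel/Desktop/NDA_Partner.pdf",
        "C:/Users/s.schueler/Pictures/IMG_0001.jpg",
    ],
    "host-0003.zip": [
        "C:/Users/Public/readme.txt",
    ],
}

# Indicators of particularly sensitive material. These patterns are an
# assumption for this example, not rules taken from the report. "Login Data"
# and "Web Data" are Chrome's password and autofill stores, logins.json is
# Firefox's password store.
SENSITIVE_PATTERNS = {
    "browser_credentials": re.compile(r"/(Login Data|logins\.json|Web Data)$", re.I),
    "recycle_bin": re.compile(r"/\$Recycle\.Bin/", re.I),
    "onenote": re.compile(r"\.one$", re.I),
    "nda_or_contract": re.compile(r"NDA|Vertrag|Contract"),
}
# Profile directory under Users\<account>\ identifies the account (optional drive letter).
USER_RE = re.compile(r"^(?:[A-Za-z]:/)?Users/([^/]+)/", re.I)
BUILTIN_PROFILES = {"public", "default"}


def build_archive(paths):
    """Create an in-memory ZIP with empty members at the given paths (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in paths:
            zf.writestr(p, b"")
    return buf.getvalue()


def leak_archives():
    """Return the constructed sample as {archive name: zip bytes}."""
    return {name: build_archive(paths) for name, paths in SAMPLE_ARCHIVES.items()}


def inventory_archive(data):
    """Return (set of user accounts, {category: [paths]}) for one archive's listing.

    Only the member names are inspected; no member content is extracted.
    """
    users = set()
    hits = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")
            m = USER_RE.match(norm)
            if m and m.group(1).lower() not in BUILTIN_PROFILES:
                users.add(m.group(1).lower())
            for category, rx in SENSITIVE_PATTERNS.items():
                if rx.search(norm):
                    hits[category].append(norm)
    return users, dict(hits)


def inventory_leak(archives):
    """Aggregate per-archive results into what notification needs:
    the set of affected accounts and per-host counts of sensitive artefacts."""
    affected_users = set()
    per_host = {}
    for fname, data in archives.items():
        users, hits = inventory_archive(data)
        affected_users |= users
        per_host[fname] = {
            "users": sorted(users),
            "sensitive": {k: len(v) for k, v in hits.items()},
        }
    return affected_users, per_host


if __name__ == "__main__":
    affected, hosts = inventory_leak(leak_archives())
    print(f"{len(hosts)} archives, {len(affected)} distinct user accounts affected")
    for host, info in hosts.items():
        print(host, info)
```

The point of the per-host breakdown is that the archive count is not the user count: one host here carries two accounts, another carries none beyond the built-in Public profile. Hosts with browser credential stores in the listing are the ones whose users need a password reset first, independent of which documents were taken.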
Those responsible currently assume that the perpetrators were able to penetrate the IT system via a PC that was used for both private and business purposes. Such devices are used, for example, by teachers.
It can be assumed that the data was stolen due to both human and technical errors, says Thomas Wenk, head of digitization and IT at ED. The cyber-attack could have been launched with an innocent-looking phishing email.
The actual hacker attack probably started around the Christmas holidays. It was only noticed when the perpetrators contacted the canton with the extortion letter at the end of January. It must be assumed that by that point they had exhausted their options, i.e. stolen large amounts of valuable data.
What is the risk of further attacks?
Marc Ruef has a strong warning:
“This clearly shows that the issue of cyber security must be taken seriously and that new vulnerabilities must be addressed as quickly as possible. This is the only way to minimize the time window for successful attacks. If you don’t, you could be a valuable victim of BianLian or another ransomware gang tomorrow.”
Sources
- ed.bs.ch: Cybercriminals publish Ministry of Education data on the dark web (press release)
- avast.io: BianLian ransomware
Source: Watson

I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instatnt News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.