BianLian ransomware gang holds Save the Children hostage

NGO Save the Children, one of the world’s oldest and largest charities, has confirmed it has fallen victim to a ransomware attack by the BianLian operation.

First tracked by VX Underground – which stated that the gang needed “to be punched in the face”, a statement with which it is hard to argue – and Brett Callow of Emsisoft, the attack first came to light on Monday 11 September when information on the hit was posted to the gang’s leak site.

BianLian did not initially name Save the Children, but rather claimed to have hit “the world’s leading non-profit organisation, employing around 25,000 staff and operating in 116 countries” with revenue of $2.8bn.

Parts of this description tally with the charity’s own boilerplate, however BianLian’s statement of Save the Children’s financial position appears to be highly inaccurate – the charity’s total income in 2022 was £294m.

It claimed to have stolen 6.8TB of data, including 800GB of the charity’s financial data, human resources information, personal data, including health and medical data, and email correspondence.

Save the Children’s press office was yet to respond to a request for comment at the time of publication, but in a statement circulated to media outlets, it confirmed it had experienced an “IT incident” involving unauthorised access to a part of its network.

“There has been no operational disruption and the organisation continues to function as normal to build a better future for children across the world,” a spokesperson for the charity said.

“We are working hard with external specialists to understand what happened and what data was impacted so we can take all the appropriate next steps. This process is complex and takes time, but remains our absolute priority. Our systems are also secured, and we are confident in the ongoing integrity of our IT infrastructure.

“These types of incidents are a reality that all organisations face, but it is disappointing that Save the Children, whose core purpose is to help those most in need, is also subject to such unwarranted activity. Our investigation is ongoing, and we will continue to work with the relevant authorities. We will get to the bottom of this, and we thank all our staff and supporters for their patience and understanding in the meantime.”

Little is known about the BianLian ransomware gang, and although it takes its name from a style of Chinese opera from Sichuan Province, it is far more likely to be a Russian-speaking operation. It was one of a number of crews to emerge during the course of 2022, coming into the ascendency at about the same time as the likes of Black Basta, Hive and Alphv/BlackCat and establishing itself as a prolific criminal enterprise.

In 2023, it has become one of a number of ransomware gangs to have pivoted away from encrypting its victims’ data, preferring instead to simply steal it and threaten to leak it if not paid off.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), BianLian in general accesses its victims’ systems using valid remote desktop protocol (RDP) credentials, and uses a number of open source tools and command-line scripting for discovery and credential harvesting.

It exfiltrates their data via a number of means, usually via File Transfer Protocol (FTP), and legitimate cloud storage and file transfer services such as Rclone and Mega.

To exert pressure on its victims, it makes a show of printing its ransom note to printers on their networks, and employees of victimised organisations have reported receiving threatening telephone calls from people claiming to be group members.