BianLian ransomware gang holds Save the Children hostage

Table of Contents

The dangerous and prolific BianLian ransomware gang claims to have stolen almost 7TB of data from NGO Save the Children, but thankfully the charity’s vital work on the ground appears to be unaffected

Alex Scroxton,
Security Editor

Published: 13 Sep 2023 14:45

NGO Save the Children, one of the world’s oldest and largest charities, has confirmed it has fallen victim to a ransomware attack by the BianLian operation.

First tracked by VX Underground – which stated that the gang needed “to be punched in the face”, a statement with which it is hard to argue – and Brett Callow of Emsisoft, the attack first came to light on Monday 11 September when information on the hit was posted to the gang’s leak site.

BianLian did not initially name Save the Children, but rather claimed to have hit “the world’s leading non-profit organisation, employing around 25,000 staff and operating in 116 countries” with revenue of $2.8bn.

Parts of this description tally with the charity’s own boilerplate, however BianLian’s statement of Save the Children’s financial position appears to be highly inaccurate – the charity’s total income in 2022 was £294m.

It claimed to have stolen 6.8TB of data, including 800GB of the charity’s financial data, human resources information, personal data, including health and medical data, and email correspondence.

Save the Children’s press office was yet to respond to a request for comment at the time of publication, but in a statement circulated to media outlets, it confirmed it had experienced an “IT incident” involving unauthorised access to a part of its network.

“There has been no operational disruption and the organisation continues to function as normal to build a better future for children across the world,” a spokesperson for the charity said.

“We are working hard with external specialists to understand what happened and what data was impacted so we can take all the appropriate next steps. This process is complex and takes time, but remains our absolute priority. Our systems are also secured, and we are confident in the ongoing integrity of our IT infrastructure.

“These types of incidents are a reality that all organisations face, but it is disappointing that Save the Children, whose core purpose is to help those most in need, is also subject to such unwarranted activity. Our investigation is ongoing, and we will continue to work with the relevant authorities. We will get to the bottom of this, and we thank all our staff and supporters for their patience and understanding in the meantime.”

Little is known about the BianLian ransomware gang, and although it takes its name from a style of Chinese opera from Sichuan Province, it is far more likely to be a Russian-speaking operation. It was one of a number of crews to emerge during the course of 2022, coming into the ascendency at about the same time as the likes of Black Basta, Hive and Alphv/BlackCat and establishing itself as a prolific criminal enterprise.

In 2023, it has become one of a number of ransomware gangs to have pivoted away from encrypting its victims’ data, preferring instead to simply steal it and threaten to leak it if not paid off.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), BianLian in general accesses its victims’ systems using valid remote desktop protocol (RDP) credentials, and uses a number of open source tools and command-line scripting for discovery and credential harvesting.

It exfiltrates their data via a number of means, usually via File Transfer Protocol (FTP), and legitimate cloud storage and file transfer services such as Rclone and Mega.

To exert pressure on its victims, it makes a show of printing its ransom note to printers on their networks, and employees of victimised organisations have reported receiving threatening telephone calls from people claiming to be group members.

Storied charity

Founded in the UK in 1919 to aid the famine-stricken Central Powers of Austria-Hungary and Germany in the wake of the First World War, over its 104-year lifetime Save the Children has grown into one of the largest children’s charities in the world.

Early in its history, it conducted relief operations on the ground in the Soviet Union during a famine in 1923, where it is thought to have saved over half a million lives – a fact apparently lost on the Russia-linked BianLian gang – and it was among the first aid organisations on the ground to assist refugees and survivors of the Nazi concentration camps in 1945.

The charity went on to render assistance in some of the 20th Century’s worst crises, including the Korean War, the Hungarian Revolution of 1956, and the Biafran and Vietnam Wars. It also contributed extensively to the initial draft of what was to become the United Nations (UN) Convention on the Rights of the Child, adopted in 1989.

Currently, it is active in multiple ongoing crises in countries such as Afghanistan, Lebanon, Morocco, Sudan and Ukraine.

Read more on Hackers and cybercrime prevention

Cyber criminals pivot away from ransomware encryption