Ransomware Breach: BianLian Hits Anniversary Holding Company

Incident Date: Aug 09, 2024

Attack Overview
Victim: Anniversary Holding Company
Industry: Holding Companies & Conglomerates
Location: USA
Attacker: BianLian
First Reported: August 9, 2024

Ransomware Attack on Anniversary Holding Company by BianLian

On August 12, 2024, Anniversary Holding Company, LLC, an investment holding company based in Lafayette, Louisiana, was reported as a victim of the BianLian ransomware group. The intrusion resulted in a data breach in which approximately 2.9 terabytes of sensitive information were taken.

About Anniversary Holding Company

Established in 2009 and incorporated in Texas, Anniversary Holding Company operates primarily as an investment holding company. It is classified under "Offices of Holding Companies, NEC," meaning its role is managing investments rather than producing goods or delivering services directly. The company maintains a selective portfolio and provides strategic guidance, operational support, and financial resources to its subsidiaries. Little detail about its operations or financial metrics is publicly disclosed.

Attack Overview

The attack led to the exfiltration of a wide range of critical information, including financial records, human resources data, and data from four companies related to Anniversary Holding Company (AHCLA). The breach also affected data on partners, vendors, and customers, including personally identifiable information (PII) and protected health information (PHI) such as injury reports and medical records. The attackers additionally accessed mailboxes, internal and external email correspondence, and various databases.

About BianLian

BianLian is a ransomware group whose name derives from an earlier Android banking trojan; it is now known for data-theft extortion, and since early 2023 it has relied primarily on exfiltration-based extortion rather than encrypting victim systems. The group typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials, then deploys a custom backdoor and uses PowerShell and the Windows Command Shell for defense evasion (for example, disabling antivirus tooling), alongside various tools for discovery, lateral movement, collection, exfiltration, and impact. Its victims are worldwide, with a concentration in North America and Europe, and it favors organizations that hold sensitive data and have the financial capacity to pay.
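The access pattern described above (an RDP logon from an unexpected source followed shortly by PowerShell or cmd.exe commands that tamper with antivirus) is something a SOC can correlate from Windows Security events. The following is an added example of that correlation logic, not code from the original page or from any vendor or from BianLian tooling; the allow-listed source ranges, the evasion command markers, and the sample events are all constructed assumptions for illustration.

```python
"""Correlate external RDP logons with follow-on defense-evasion commands.

Illustrative detection logic (added example, not from the original page).
Events are simplified Windows Security records: 4624 logon type 10 is an
RDP logon, 4688 is process creation with the command line captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: source ranges from which interactive RDP is expected (e.g. a VPN pool).
ALLOWED_RDP_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed: command-line fragments indicating AV/EDR tampering (lower-cased).
EVASION_MARKERS = (
    "set-mppreference -disablerealtimemonitoring",
    "add-mppreference -exclusionpath",
    "sc stop windefend",
    "sc config windefend start= disabled",
)

# Assumed: how long after the RDP logon a matching command still counts.
CORRELATION_WINDOW = timedelta(hours=2)


def is_external(ip: str) -> bool:
    """True when the RDP source is outside the allow-listed ranges.
    Unparsable sources (e.g. '-') are treated as suspicious."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in ALLOWED_RDP_SOURCES)


def rdp_logons(events):
    """Yield (host, user, time, source_ip) for RDP logons (4624, logon type 10)."""
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == 10:
            yield e["Host"], e["User"], e["Time"], e["SourceIP"]


def find_suspicious_chains(events):
    """Return one alert per external RDP logon that is followed, within
    CORRELATION_WINDOW on the same host, by a process whose command line
    matches an evasion marker."""
    procs_by_host = defaultdict(list)
    for e in events:
        if e["EventID"] == 4688:
            procs_by_host[e["Host"]].append(e)

    alerts = []
    for host, user, t, src in rdp_logons(events):
        if not is_external(src):
            continue
        for p in procs_by_host.get(host, []):
            cmd = p["CommandLine"].lower()
            in_window = t <= p["Time"] <= t + CORRELATION_WINDOW
            if in_window and any(m in cmd for m in EVASION_MARKERS):
                alerts.append({"host": host, "user": user, "source_ip": src,
                               "logon_time": t, "command": p["CommandLine"]})
                break  # one alert per logon is enough for triage
    return alerts


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events: only the FS01 chain should fire.
SAMPLE_EVENTS = [
    # External RDP logon, then Defender disabled 18 minutes later -> alert
    {"EventID": 4624, "LogonType": 10, "Host": "FS01", "User": "svc_backup",
     "SourceIP": "203.0.113.45", "Time": ts("2024-08-09T01:12:00")},
    {"EventID": 4688, "Host": "FS01", "Time": ts("2024-08-09T01:30:00"),
     "CommandLine": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    # Same tampering, but from an allow-listed VPN range -> not flagged by this rule
    {"EventID": 4624, "LogonType": 10, "Host": "WS07", "User": "jdoe",
     "SourceIP": "10.20.30.40", "Time": ts("2024-08-09T09:00:00")},
    {"EventID": 4688, "Host": "WS07", "Time": ts("2024-08-09T09:05:00"),
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    # External RDP logon with only benign discovery afterwards -> no alert
    {"EventID": 4624, "LogonType": 10, "Host": "DC01", "User": "admin",
     "SourceIP": "198.51.100.7", "Time": ts("2024-08-09T03:00:00")},
    {"EventID": 4688, "Host": "DC01", "Time": ts("2024-08-09T03:05:00"),
     "CommandLine": "cmd.exe /c whoami /all"},
    # Tampering on FS01 hours later, outside the window -> not tied to the logon
    {"EventID": 4688, "Host": "FS01", "Time": ts("2024-08-09T05:00:00"),
     "CommandLine": "sc stop WinDefend"},
]

if __name__ == "__main__":
    for a in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: RDP from {a['source_ip']} as {a['user']} "
              f"at {a['logon_time']} followed by: {a['command']}")
```

The rule deliberately keys on the source address rather than on the account, because BianLian's documented entry point is valid credentials: the logon itself looks legitimate, and it is the combination of an unexpected origin and immediate AV tampering that separates it from an administrator's session. Tune ALLOWED_RDP_SOURCES to your own jump hosts and VPN pools, and treat the WS07 case (tampering from an allowed range) as a separate, lower-priority rule rather than ignoring it.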

Penetration and Vulnerabilities

The attack on Anniversary Holding Company illustrates the exposure of investment holding companies that hold extensive digital records for themselves and their subsidiaries: a single compromised parent network yielded financial, HR, PII, and PHI data from several related entities. The public reporting does not state how BianLian gained access in this case. The group's documented playbook, compromised RDP credentials followed by a custom backdoor and scripted disabling of security tools, points to the controls that matter most: no RDP exposed directly to the internet, multi-factor authentication on all remote access, monitoring for AV and EDR tampering, and egress monitoring able to catch multi-terabyte exfiltration before it completes.
