Threat Actor: BianLian

Threat Level: 6.5
Emergence Date: Jun 2022
Category: Data Extortion Operation
Affiliations: Confirmed Russia-based operation with multiple Russian affiliates

Description

BianLian emerged in June 2022 and, at one time, was one of the most active ransomware groups targeting US and European organizations. After its code leaked in 2023, the group abandoned file encryption to focus exclusively on data theft and extortion. Recognized for aggressive tactics, including printing ransom notes on compromised network printers and issuing direct threats to employees and stakeholders, the group demonstrated adaptability through custom Go-coded backdoors and advanced evasion techniques.

Criticality: Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of an attack.
Lethality: Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
Aggressiveness: Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Closed Group | Data Extortion Only

BianLian maintained centralized control without affiliate infrastructure or revenue sharing. Following the release of a public decryptor in late 2023, the group transitioned from traditional ransomware to data exfiltration only. This private group model enabled direct victim engagement through aggressive tactics including printer hijacking and threatening phone calls. Confirmed Russian origins with infrastructure dependencies on sanctioned hosting provider Aeza Group distinguished the operation, while proprietary Go-coded tools and custom backdoors demonstrated internal development capabilities absent from traditional RaaS operations.

Current Status: Last claimed an attack in March 2025


Origins and Methodology

Drawing its name from the traditional Chinese art of "face-changing", BianLian's transition from traditional encryption-based attacks to pure data extortion demonstrated strategic adaptation to defensive improvements and decryptor availability. This flexibility positioned them as a threat actor focused on maximizing operational impact through reputational damage rather than system disruption.

The group's operational maturity manifested through custom-developed tools, calculated victim selection, and refined extortion tactics that exploited organizational fears of regulatory violations and brand damage. This strategic pivot showcased an understanding of modern business vulnerabilities beyond technical systems.

What is the Evolution of BianLian Ransomware?
1. Formation

BianLian first appeared in June 2022, emerging at the same time as many other groups that sought to capitalize on opportunities created by the dissolution of major ransomware operations. Initial operations demonstrated advanced techniques while focusing on critical infrastructure sectors, establishing the group as a notable threat actor within months of emergence.

2. Evolution

Initially, the threat actor employed a double extortion model that combined AES-256 encryption with data exfiltration, appending .bianlian extensions to encrypted files. After a free decryptor was released in 2023, the group pivoted completely to pure exfiltration-based extortion. This shift demonstrated their operational flexibility through custom tools and victim-specific malware deployment. They abandoned encryption tactics in favor of leveraging reputational threats and regulatory compliance fears.

3. Lineage/Connections

Functioning autonomously, the group exhibited tactical parallels with data extortion operations that branched from larger ransomware enterprises. Intelligence indicated tool sharing with RansomHub, Medusa, and Play operations, specifically EDR-killing utilities. Infrastructure dependencies included sanctioned hosting provider Aeza Group, confirming reliance on resilient services favored by Russian-speaking threat actors.

Which Unique Techniques Does BianLian Use?

The group's technical approach combines traditional attack vectors with custom-developed tools, demonstrating operational maturity through refined tactics and strategic tool selection.

Technique | Details

Infection Vectors | Primary access occurred through phishing campaigns delivering malicious attachments (T1566), active exploitation of ProxyShell vulnerabilities, and compromised RDP credentials (T1078) sourced from Initial Access Brokers. Recent campaigns actively exploited SAP NetWeaver zero-day flaws (T1190), targeting enterprise resource planning systems. The group leveraged VPN gateway misconfigurations and targeted organizations with inadequate multi-factor authentication (MFA) implementations.

Target Selection | Healthcare organizations faced heightened targeting due to patient safety implications and operational criticality. Government entities attracted focus for classified and sensitive citizen data repositories. Professional services firms, encompassing legal and accounting practices, experienced risks from proprietary client information exposure. Manufacturing sectors increasingly encountered threats through SAP system exploitation campaigns, with geographic focus spanning North America, Europe, and Asia-Pacific regions.

Operational Complexity | Advanced capabilities manifested through obfuscated binaries, UPX-packing for detection evasion, and strategic deployment of legitimate tools including AnyDesk and TeamViewer for operational camouflage. Comprehensive network reconnaissance preceded data exfiltration, while custom Go-coded backdoors ensured persistent access. Development centered on Go for custom malware creation, complemented by PowerShell for reconnaissance, lateral movement (T1570), and operational automation.

Key Features & Technical Details

The group's technical architecture reflects strategic adaptation to modern defensive capabilities and emphasis on data-centric extortion methodologies.

Feature | Details

Encryption Method | None - transitioned to exfiltration-only model by January 2024
File Extension | .bianlian (legacy, no longer used)
Ransom Note | Delivered via compromised network printers and direct employee contact
Double Extortion | Pure data exfiltration without encryption, leveraging exposure threats
Communication Channels | .onion negotiation platforms, direct phone calls to victims
Deployment Speed | Variable based on reconnaissance depth, typically 48-72 hours
Payment Method | Bitcoin exclusively, demands range from $250,000 to several million
Operational Model | Closed group structure, non-RaaS with internal tool development

Activities

BianLian maintained global operations targeting public and private sector organizations across continents. Ranked among the most prolific data extortion operations worldwide, the group sustained consistent attack volume with calculated victim selection based on data sensitivity and organizational vulnerability to reputational damage.

Which Industries Are Most Vulnerable to BianLian?

When the threat actor was active, healthcare organizations were highly susceptible due to patient safety implications, regulatory compliance requirements, and operational criticality that amplified extortion leverage. Government entities faced similar targeting for sensitive information repositories and citizen data that created political pressure.

Beyond public sector targets, professional services firms, particularly legal and accounting practices, experienced heightened risk from client confidentiality breaches and fiduciary responsibilities. This pattern extended to manufacturing sectors, which increasingly encountered threats through SAP system exploitation, with the group recognizing enterprise resource planning systems as critical business infrastructure that creates operational dependencies.

Modus Operandi

BianLian executes calculated attack chains emphasizing stealth, persistence, and comprehensive data acquisition before initiating extortion communications.

Exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in unpatched Exchange servers. Leveraged phishing campaigns with malicious attachments targeting specific employees. Purchased RDP credentials from Initial Access Brokers for direct network entry. Actively exploited the SAP NetWeaver zero-day (CVE-2025-31324) for enterprise system compromise.

Conducted comprehensive network reconnaissance using PowerShell scripts and built-in Windows utilities. Mapped Active Directory structures to identify high-value targets and administrative accounts. Located sensitive data repositories through automated scanning tools and manual exploration.

Deployed legitimate tools including AnyDesk and TeamViewer for operational camouflage. Installed custom Go-coded backdoors for persistent access. Utilized modified Rsocks for SOCKS5 tunneling and Ngrok for traffic obfuscation.

Implemented UPX packing on malware binaries for signature evasion. Disabled antivirus systems through PowerShell commands and Group Policy modifications. Leveraged living-off-the-land techniques using legitimate Windows utilities. Cleared event logs and modified timestamps to obscure activity timelines.

Harvested credentials using custom modules and Mimikatz variants. Targeted Local Security Authority (LSA) secrets and cached domain credentials. Exploited the ZeroLogon vulnerability (CVE-2020-1472) for domain controller compromise.

Established C2 infrastructure through compromised web servers and cloud services. Implemented HTTPS encryption for communication channels. Utilized .onion domains for negotiation platforms, ensuring anonymity.

Executed lateral movement through PsExec and SMB using harvested credentials. Created domain admin accounts for unrestricted network access. Leveraged WMI and PowerShell remoting for stealthy propagation.

Deployed Rclone, MegaSync, and FTP for large-scale data transfer. Staged data in temporary locations before exfiltration to avoid detection. Implemented bandwidth throttling to prevent network anomalies. Prioritized high-value data including PII, financial records, and intellectual property.

Installed webshells on Exchange servers for long-term access. Created Azure AD accounts in cloud environments. Modified scheduled tasks and registry keys for backdoor execution. Established multiple persistence mechanisms across different system levels.

Focused exclusively on data exposure threats causing reputational, financial, and legal consequences. Created operational disruption through extortion pressure without system encryption. Exploited GDPR, HIPAA, and other regulatory frameworks to amplify victim concerns.

No encryption deployment since the transition to a pure data extortion model.

Initiated contact through printed ransom notes on network printers. Conducted threatening phone calls to executives and employees. Established deadlines with escalating data release threats. Leveraged regulatory compliance fears and reputational damage concerns.

Removed forensic artifacts including prefetch files and event logs. Deleted custom tools and scripts from compromised systems. Modified timestamps to complicate forensic timeline reconstruction.
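The behaviours listed in the techniques table and the modus operandi above (Defender tampering via PowerShell, backdoors dropped under C:\ProgramData, Rclone/MegaSync exfiltration, AnyDesk/TeamViewer, Ngrok/Rsocks tunnels, PsExec, event-log clearing) can be turned into a host-level triage check. The script below is an added example, not code from the original page or from any detection product; the command-line regexes are assumed representative forms, the key=value event format and the log lines are constructed sample data, and the two-TTP priority threshold is an arbitrary choice.

```python
import re
from collections import defaultdict

# TTPs named in the BianLian profile. The regexes are assumed representative
# command-line forms written for this example, not signatures from the page.
TTP_PATTERNS = {
    "defender_disable":   r"set-mppreference\s.*-disablerealtimemonitoring\s+\$?true",
    "programdata_exec":   r"c:\\programdata\\\S+\.exe",
    "exfil_tool":         r"\b(rclone|megasync)(\.exe)?\b",
    "remote_access_tool": r"\b(anydesk|teamviewer)(\.exe)?\b",
    "tunnel_tool":        r"\b(ngrok|rsocks)(\.exe)?\b",
    "lateral_psexec":     r"\bpsexec(64)?(\.exe)?\b",
    "log_clear":          r"\bwevtutil(\.exe)?\s+cl\b",
}

# One process-creation event per line in a constructed key=value format
# (hypothetical telemetry layout, not a real product's export).
EVENT_RE = re.compile(r'host=(\S+)\s+user=(\S+)\s+image=(.*?)\s+cmdline="(.*)"$')

def detect(line):
    """Return (host, {matched TTP names}) for one event line, or None if it does not parse."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    host, _user, image, cmdline = m.groups()
    text = f"{image} {cmdline}".lower()
    return host, {name for name, pat in TTP_PATTERNS.items() if re.search(pat, text)}

def triage(log_text, threshold=2):
    """Group hits per host; hosts with >= threshold distinct TTPs come back as priority."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        hit = detect(line)
        if hit:
            per_host[hit[0]] |= hit[1]
    hits = {h: sorted(t) for h, t in per_host.items() if t}
    priority = sorted(h for h, t in hits.items() if len(t) >= threshold)
    return priority, hits

# Constructed sample events: one host shows a defender-tamper -> backdoor -> exfil -> log-clear chain.
SAMPLE_LOGS = r"""
2025-03-01T10:01:02Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"
2025-03-01T10:03:40Z host=FS01 user=CORP\svc_backup image=C:\ProgramData\def.exe cmdline="C:\ProgramData\def.exe"
2025-03-01T10:20:11Z host=FS01 user=CORP\svc_backup image=C:\Windows\Temp\rclone.exe cmdline="rclone.exe copy D:\Finance remote:drop --bwlimit 2M"
2025-03-01T11:00:00Z host=WS22 user=CORP\jdoe image=C:\Program Files\TeamViewer\TeamViewer.exe cmdline="TeamViewer.exe"
2025-03-01T11:05:00Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil cl Security"
"""
```

A single remote-access-tool hit (WS22) stays low priority because such tools are also legitimately used; the chained hits on FS01 are what should page an analyst.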

Indicators of Compromise (IOCs)

Key indicators facilitate detection of BianLian operations within networks, particularly specific file hashes, network infrastructure, and behavioral patterns associated with their custom tools.

Indicator | Details

File Hashes |
  SHA256: [hash] for def.exe custom backdoor implementation
  SHA256: [hash] for encryptor.exe legacy encryption tool
  SHA256: [hash] for exp.exe ZeroLogon exploitation utility
  SHA256: [hash] for system.exe credential harvesting module

IP Addresses |
  184.174.96.74 (reverse proxy services)
  184.174.96.70 (associated infrastructure)

Domains/URLs | .onion negotiation platforms (specific addresses vary per campaign)

File Paths |
  C:\ProgramData (common backdoor installation directory)
  C:\Windows\Temp (staging location for exfiltration)

File Extensions | .bianlian (legacy, no longer actively used)

Exploits and Vulnerabilities

BianLian leverages critical vulnerabilities in enterprise systems, particularly targeting unpatched Exchange servers and SAP implementations, to establish an initial foothold and maintain persistence.

Exploits and Vulnerabilities | CVE | CVSS | Description

SAP NetWeaver Visual Composer | CVE-2025-31324 | 10.0 | Enables remote code execution through unrestricted file upload permitting JSP webshell deployment
ProxyShell - Microsoft Exchange Server | CVE-2021-34473 | 9.8 | Facilitates remote code execution by exploiting authentication handling flaws
ProxyShell - Microsoft Exchange Server | CVE-2021-34523 | 9.8 | Permits privilege escalation during exploitation sequences
ProxyShell Chain Component | CVE-2021-31207 | 7.2 | Allows security control bypass facilitating comprehensive server compromise
ZeroLogon - Netlogon | CVE-2020-1472 | 10.0 | Enables domain controller compromise through cryptographic implementation flaws

Additional attack vectors encompass VPN gateway misconfigurations, inadequate MFA implementations, and exposed public-facing applications lacking current security patches.