DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


BianLian

Also known as: BianLian Group, BianLian Ransomware Group

Status: Active · Sophistication: Advanced · Origin: Unknown (suspected Eastern European or Russian-speaking, based on operational patterns and victim targeting)

Profile generated with AI assistance — review before citing.

0 Campaigns · 42 Techniques · 10 IOCs · 22 Tools · 0 Matches · 0 Infrastructure

Overview

BianLian is a financially motivated cybercriminal group first observed in mid-2022. It began as a conventional ransomware operation built around a Go-based encryptor, then in early 2023 dropped encryption altogether and moved to exfiltration-only extortion: data is stolen and the victim is threatened with publication on the group's Tor leak site, rather than with locked files. The joint CISA/FBI/ACSC advisory AA23-136A (see References) dates the shift to January 2023, the same month Avast released a free decryptor for the legacy encryptor; better backup and recovery practice among victims is the other commonly cited reason. The change matters for defenders because the loud, late-stage encryption event that many playbooks key on no longer occurs.

Victims are concentrated in the United States, Australia and the United Kingdom, with the joint advisory focusing on the first two. Healthcare, manufacturing, professional and legal services and education are the most frequently hit sectors. Negotiations run through the group's Tor portal, and the operators are known for persistent, businesslike pressure on high-value victims.

Tradecraft leans on living-off-the-land techniques, built-in Windows administration tools and commodity or open-source tooling; the one custom component is a per-victim backdoor written in Go. Per the advisory, initial access is most often through valid RDP credentials, likely bought from initial access brokers or obtained by phishing; exploitation of internet-facing applications, ProxyShell in particular, is also reported. Intrusions then follow a consistent chain: host, account and Active Directory discovery; credential theft from LSASS and browser password stores; creation of additional local and domain accounts for persistence; installation of remote-access software such as AnyDesk or TeamViewer; and exfiltration over FTP, Rclone to cloud storage, or tunnels such as ngrok. Attack timelines are short and data volumes large, so detection has to catch the discovery and staging phase rather than wait for an impact event.

Motivations

Financial gain · Data extortion · Cybercrime

Target Sectors

Healthcare and Public Health · Manufacturing · Professional Services · Legal Services · Education · Critical Manufacturing · Financial Services · Information Technology · Construction · Energy · Transportation · Media

Activity Timeline

First Seen

Jun 2022

Last Seen

Jan 2024

Quick Facts

Origin: Unknown (suspected Eastern European or Russian-speaking, based on operational patterns and victim targeting)
Sophistication: Advanced
Status: Active

MITRE ATT&CK Techniques

(42)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

Other (additional techniques and sub-techniques, tactic in parentheses)

T1078.003

Valid Accounts: Local Accounts (Initial Access, Persistence)

T1021.004

Remote Services: SSH (Lateral Movement)

T1053.005

Scheduled Task/Job: Scheduled Task (Persistence, Execution)

T1543.003

Create or Modify System Process: Windows Service (Persistence)

T1136.001

Create Account: Local Account (Persistence)

T1136.002

Create Account: Domain Account (Persistence)

T1070.004

Indicator Removal: File Deletion (Defense Evasion)

T1070.001

Indicator Removal: Clear Windows Event Logs (Defense Evasion)

T1027.002

Obfuscated Files or Information: Software Packing (Defense Evasion)

T1112

Modify Registry (Defense Evasion)

T1562.001

Impair Defenses: Disable or Modify Tools (Defense Evasion)

T1003.003

OS Credential Dumping: NTDS (Credential Access)

T1555.003

Credentials from Password Stores: Credentials from Web Browsers (Credential Access)

T1087.001

Account Discovery: Local Account (Discovery)

T1087.002

Account Discovery: Domain Account (Discovery)

T1482

Domain Trust Discovery (Discovery)

T1049

System Network Connections Discovery (Discovery)

T1069.001

Permission Groups Discovery: Local Groups (Discovery)

T1069.002

Permission Groups Discovery: Domain Groups (Discovery)

T1057

Process Discovery (Discovery)

T1033

System Owner/User Discovery (Discovery)

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (Exfiltration)

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage (Exfiltration)

T1588.002

Obtain Capabilities: Tool (Resource Development)

T1590

Gather Victim Network Information (Reconnaissance)

T1505.003

Server Software Component: Web Shell (Persistence)

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Execution

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Command and Control

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

Tools & Malware

(22)

BianLian Ransomware (legacy)

malware · Malicious

Go-based encryptor used before the early-2023 shift to exfiltration-only extortion. Avast published a decryptor for it in January 2023 (see References).

BianLian Backdoor

malware · Malicious

Custom backdoor written in Go and built per victim, giving the operators remote command execution. It is the one piece of bespoke malware the group is known to deploy.

Esxi-args

malware · Malicious (attribution unverified)

ESXiArgs is the February 2023 campaign of encryptors against unpatched VMware ESXi hosts. None of the cited references attribute it to BianLian; treat this entry as unverified until a source is added.

PowerShell

built-in Windows component · Legitimate

Script execution for discovery, tool staging and defence tampering (T1059.001, T1562.001).

Cobalt Strike

framework · Dual-use

Commercial adversary-emulation framework; cracked builds are widely abused for C2 and post-exploitation.

Rclone

legitimate tool · Legitimate

Command-line sync client used to push staged archives to cloud storage (T1567.002).

Mimikatz

offensive tool · Dual-use (open source)

Credential dumping from LSASS memory (T1003.001).

WinRAR

legitimate tool · Legitimate

Archiving of collected data before exfiltration.

7-Zip

legitimate tool · Legitimate

Archiving of collected data before exfiltration.

PsExec

legitimate tool · Legitimate

Sysinternals remote-execution utility used for lateral movement over SMB.

AnyDesk

legitimate tool · Legitimate

Remote-access software installed as a resilient access channel that survives credential resets (T1219).

TeamViewer

legitimate tool · Legitimate

Remote-access software installed as a resilient access channel (T1219).

WinSCP

legitimate tool · Legitimate

SFTP/SCP client used to move data out of the network.

FileZilla

legitimate tool · Legitimate

FTP client; exfiltration over plain FTP maps to T1048.003.

Ngrok

legitimate tool · Dual-use

Reverse tunnel that exposes an internal service such as RDP through ngrok's relay, so the operator reaches it without an inbound firewall rule.

Windows Remote Desktop Protocol (RDP)

built-in Windows component · Legitimate

Initial access with valid credentials (T1133, T1078) and lateral movement (T1021.001).

Windows Management Instrumentation (WMI)

built-in Windows component · Legitimate

Remote command execution and host enumeration (T1047).

LaZagne

offensive tool · Dual-use (open source)

Recovers stored credentials from browsers, mail clients and other local password stores.

SharpChrome

offensive tool · Dual-use (open source)

SharpDPAPI component that decrypts Chrome saved logins and cookies through DPAPI (T1555.003).

AdFind

legitimate tool · Legitimate

LDAP query tool for enumerating Active Directory users, groups and trusts (T1087.002, T1482).

BloodHound

offensive tool · Dual-use (open source)

Maps Active Directory relationships into attack paths toward domain admin.

SoftPerfect Network Scanner

legitimate tool · Legitimate

Network host and share discovery (T1018).
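The tool chain above is mostly legitimate software, so no single binary is a reliable alert; what distinguishes an intrusion is several of these behaviours appearing on the same host in a short window. The following is an added example, not DFIRLab's code or anything from BianLian's tooling: it runs a small rule set over constructed Sysmon-style process-creation events and surfaces hosts that trip at least three distinct techniques from this profile. The event shape, the rules and the sample data are all assumptions for illustration.

```python
"""Added example (not DFIRLab's code): score constructed process-creation
events against the tool chain this profile describes. Hosts that show
several distinct techniques from the profile are pulled for triage; a
single AnyDesk launch is not. Event shape, rules and sample data are
assumptions for illustration, not real telemetry.
"""
import re
from collections import defaultdict

# (technique or tool reference from this profile, label, pattern over "image cmdline")
RULES = [
    ("T1567.002", "Rclone copy/sync to a cloud remote",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b.*\b(mega|s3|b2|drive|dropbox):", re.I)),
    ("T1219", "Remote access software (AnyDesk/TeamViewer)",
     re.compile(r"\b(anydesk|teamviewer)(\.exe)?\b", re.I)),
    ("Ngrok", "ngrok tunnel exposing an internal service (listed tool; see T1133)",
     re.compile(r"\bngrok(\.exe)?\s+(tcp|http|start)\b", re.I)),
    ("T1136.001", "Local account created with net user /add",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("T1070.001", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1562.001", "Defender real-time monitoring disabled",
     re.compile(r"set-mppreference.*disablerealtimemonitoring\s+\$?true", re.I)),
    ("T1003.001", "LSASS memory dumped",
     re.compile(r"(procdump.*\blsass\b|comsvcs\.dll.*minidump)", re.I)),
    ("T1555.003", "SharpChrome browser credential theft",
     re.compile(r"\bsharpchrome(\.exe)?\b", re.I)),
    ("T1053.005", "Scheduled task created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]


def match_event(event):
    """Return [(ref, label)] for every rule the event's image + command line trips."""
    text = f"{event['image']} {event['cmdline']}"
    return [(ref, label) for ref, label, rx in RULES if rx.search(text)]


def triage(events, threshold=3):
    """Group hits per host and return hosts with >= threshold distinct references.

    Each host maps every tripped reference to the command lines behind it,
    so the analyst sees the evidence rather than only a score.
    """
    per_host = defaultdict(dict)
    for event in events:
        for ref, _label in match_event(event):
            per_host[event["host"]].setdefault(ref, []).append(event["cmdline"])
    return {host: hits for host, hits in per_host.items() if len(hits) >= threshold}


# Constructed sample events in a Sysmon Event ID 1 style (assumed shape, not real data).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\j.doe", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:exfil --transfers 32 -q"},
    {"host": "WS01", "user": r"CORP\j.doe", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 user svc_backup P@ssw0rd! /add"},
    {"host": "WS01", "user": r"CORP\j.doe", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "user": r"CORP\j.doe", "image": r"C:\Users\Public\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"host": "DC01", "user": r"CORP\svc_backup", "image": r"C:\Temp\SharpChrome.exe",
     "cmdline": "SharpChrome.exe logins /unprotect"},
    {"host": "WS02", "user": r"CORP\helpdesk", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files\AnyDesk\AnyDesk.exe" --service'},
    {"host": "WS02", "user": r"CORP\helpdesk", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user j.doe"},  # benign lookup: no /add, trips nothing
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for ref, cmds in hits.items():
            print(f"  {ref}: {cmds[0]}")
```

Against the sample, only WS01 crosses the threshold (Rclone to a cloud remote, a new local account, a cleared Security log and an ngrok tunnel); the helpdesk workstation's AnyDesk service and the lone SharpChrome run on DC01 are recorded but not raised, which is the point of scoring per host rather than per event. In production the same logic belongs in the SIEM with a time window on the grouping; the thresholds and patterns here are starting points to tune, not a finished rule set.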

Indicators of Compromise

(10)
IOC values are defanged for safety
Type | Value | Notes
domain | bianlian2t7y7vgo[.]onion | BianLian data leak site (Tor). The label is 16 characters, the v2 address form Tor retired in 2021; a 2022-era site would have a 56-character v3 address, so treat this value as truncated or unverified.
domain | bianlianlbc5an4kgnay[.]onion | BianLian negotiation/payment portal (Tor). 20-character label; v3 addresses are 56 characters, so this value is truncated.
hash | 34b1c7e5d682fafb6da1d03b353c964e6cf15dd37ad1f6fbe79ea7a9b2f44f10 | BianLian ransomware sample (SHA256). No source given; confirm against the cited reports before ingesting.
hash | 80dcbc2ad3eab31938b2b573dd0cd36ea7b7f7c5f3e8e7b3c5a1d8e0f5c7e9f8 | BianLian Go-based backdoor (SHA256). No source given; confirm before ingesting.
hash | c7c5d7f8e9f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7 | Listed as a custom encryptor variant (SHA256), but the value is a stepping a2b3c4d5... nibble sequence, not a real digest. Do not ingest.
ip | 45[.]227[.]253[.]50 | Historical C2 infrastructure. No source given; verify before blocking.
ip | 193[.]56[.]146[.]165 | Historical C2 infrastructure. No source given; verify before blocking.
domain | logcenter[.]online | Suspected C2 domain used in early campaigns. No source given.
url | hxxp[://]185[.]225[.]73[.]244:8080/update | Malware update/payload delivery endpoint. No source given. (The original entry was double-defanged as 73[[.]]244; corrected here.)
hash | 5f4dcc3b5aa765d61d8327deb882cf99 | Not a BianLian indicator: this is the MD5 of the string "password". Listed on the page as a credential-stuffing artifact; it must not go on a blocklist or be matched as a sample hash.
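Several rows in the table above fail basic plausibility checks (a 16-character onion label, a hex value that steps a2b3c4..., a digest of the word "password"), and those are exactly the checks a feed should run before an indicator reaches a blocklist. The following is an added example, not DFIRLab's code: it refangs each value, validates it by type, and flags the two synthetic patterns. The table is copied from this profile; the wordlist of common strings is a constructed stub.

```python
"""Added example (not DFIRLab's code): refang and sanity-check the rows of an
IOC table before they reach a blocklist. Generic checks (hash length and hex,
onion label length, IP routability, URL parseability) plus two heuristics for
values that cannot be real indicators: a digest of a trivially common string,
and a stepping nibble pattern such as a2b3c4d5. COMMON_STRINGS is a constructed stub.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
COMMON_STRINGS = ["password", "123456", "admin", "letmein"]  # constructed stub


def refang(value):
    """Undo common defanging: [.] and [[.]] -> ., hxxp[://] -> http://, [:] -> :."""
    v = value.strip()
    v = re.sub(r"\[+\.\]+", ".", v)
    v = v.replace("[://]", "://").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.I)


def stepping_ratio(hexstr):
    """Fraction of positions whose nibble two places later equals this nibble + 1.

    Random hex scores about 1/16; a2b3c4d5-style values score near 1.0.
    """
    pairs = [((int(hexstr[i], 16) + 1) % 16) == int(hexstr[i + 2], 16)
             for i in range(len(hexstr) - 2)]
    return sum(pairs) / len(pairs) if pairs else 0.0


def check_ioc(kind, raw):
    """Return a list of findings for one indicator; an empty list means it looks plausible."""
    value = refang(raw)
    findings = []
    if kind == "hash":
        h = value.lower()
        if not re.fullmatch(r"[0-9a-f]+", h):
            return ["not a hex string"]
        algo = HEX_LENGTHS.get(len(h))
        if algo is None:
            return [f"length {len(h)} is not md5/sha1/sha256"]
        for s in COMMON_STRINGS:
            if getattr(hashlib, algo)(s.encode()).hexdigest() == h:
                findings.append(f"{algo} of the string {s!r}, not a sample hash")
        if stepping_ratio(h) > 0.4:
            findings.append("stepping nibble pattern; synthetic value, not a real digest")
    elif kind == "domain" and value.endswith(".onion"):
        label = value[: -len(".onion")]
        if not re.fullmatch(r"[a-z2-7]+", label):
            findings.append("onion label is not base32")
        if len(label) == 16:
            findings.append("16-char v2 onion address; Tor retired v2 services in 2021")
        elif len(label) != 56:
            findings.append(f"onion label is {len(label)} chars; v3 labels are 56, so this is truncated")
    elif kind == "ip":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            findings.append("not an IP address")
        else:
            if not ip.is_global:
                findings.append("non-routable address")
    elif kind == "url":
        if "[[" in raw or "]]" in raw:
            findings.append("double-defanged in source; refanged here")
        parsed = urlparse(value)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            findings.append("URL does not parse to a scheme and host")
    return findings


def audit(table):
    """Map each raw value that has at least one finding to its findings."""
    return {raw: f for kind, raw, _note in table for f in [check_ioc(kind, raw)] if f}


# The ten rows of this profile's IOC table, as published (defanged).
IOC_TABLE = [
    ("domain", "bianlian2t7y7vgo[.]onion", "data leak site"),
    ("domain", "bianlianlbc5an4kgnay[.]onion", "negotiation portal"),
    ("hash", "34b1c7e5d682fafb6da1d03b353c964e6cf15dd37ad1f6fbe79ea7a9b2f44f10", "ransomware sample"),
    ("hash", "80dcbc2ad3eab31938b2b573dd0cd36ea7b7f7c5f3e8e7b3c5a1d8e0f5c7e9f8", "Go backdoor"),
    ("hash", "c7c5d7f8e9f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7", "encryptor variant"),
    ("ip", "45[.]227[.]253[.]50", "historical C2"),
    ("ip", "193[.]56[.]146[.]165", "historical C2"),
    ("domain", "logcenter[.]online", "suspected C2"),
    ("url", "hxxp[://]185[.]225[.]73[[.]]244:8080/update", "payload endpoint"),
    ("hash", "5f4dcc3b5aa765d61d8327deb882cf99", "MD5"),
]

if __name__ == "__main__":
    for raw, findings in audit(IOC_TABLE).items():
        print(raw)
        for finding in findings:
            print("  -", finding)
```

Run against the table, the audit flags both onion entries, the stepping SHA256, the MD5 of "password" and the double-defanged URL, and passes the two IPs, the plain domain and the other two hashes, which is where manual verification against the cited reports still has to happen: a value that looks like a hash is not evidence that it is one.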

References

(10)

#StopRansomware: BianLian Ransomware Group - CISA Alert (AA23-136A)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

BianLian Ransomware Group - FBI Flash Report

https://www.ic3.gov/Media/News/2023/230510.pdf

BianLian Ransomware Shifts to Pure Extortion Model - Redacted Team Analysis

https://www.redacted.com/blog/bianlian-ransomware-gang-gives-up-on-encryption-focuses-on-extortion/

BianLian Ransomware Group Technical Analysis - Unit 42

https://unit42.paloaltonetworks.com/bianlian-ransomware/

BianLian: A New Ransomware Group on the Rise - Cyble Research

https://blog.cyble.com/2022/08/11/bianlian-a-new-ransomware-group-on-the-rise/

BianLian Ransomware Analysis and Decryptor Release - Avast

https://decoded.avast.io/threatresearch/bianlian-ransomware-analysis-and-decryptor-release/

MITRE ATT&CK Group: BianLian

https://attack.mitre.org/groups/G1046/

BianLian Ransomware Group Profile - The DFIR Report

https://thedfirreport.com/2023/01/09/unwrapping-bianlians-gift/

Trend Micro: BianLian Ransomware Analysis

https://www.trendmicro.com/en_us/research/23/e/bianlian-ransomware-group-shifts-from-encryption-to-extortion.html

Redacted Security: BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-group/