BianLian

Also known as: BianLian Group, BianLian Ransomware Group, Bitter Scorpius

ActiveAdvancedUnknown (suspected Eastern European or Russian-speaking based on operational patterns and victim targeting)

Profile generated with AI assistance — review before citing.

0Campaigns

66Techniques

54IOCs

36Tools

0Matches

0Infrastructure

Overview

BianLian is a Russia-based ransomware developer, deployer, and data extortion cybercriminal group with multiple Russia-based affiliates. Active since June 2022, the group shifted primarily to exfiltration-based extortion in early 2023 after decryption capabilities for their ransomware were released, though they have not completely abandoned encryption. They target critical infrastructure sectors including healthcare, manufacturing, professional services, and legal organizations using compromised RDP credentials, ProxyShell exploits (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and custom Go-based backdoors. The group employs pressure tactics including printing ransom notes to network printers and making threatening phone calls to victims. BianLian typically maintains persistence for extended periods before exfiltration, uses legitimate tools like TeamViewer and AnyDesk for remote access, and leverages various open-source tools for credential harvesting and lateral movement.

Motivations

Financial gainData extortionCybercrime

Target Sectors

Healthcare and Public HealthManufacturingProfessional ServicesLegal ServicesEducationCritical ManufacturingFinancial ServicesInformation TechnologyConstructionEnergyTransportationMediaTechnologyProperty DevelopmentHealthcareLegalRetailTelecommunicationsHospitalityReal EstateMedia and Entertainment

Activity Timeline

First Seen

Jun 2022

Last Seen

Jan 2024

Quick Facts

OriginUnknown (suspected Eastern European or Russian-speaking based on operational patterns and victim targeting)

Sophisticationadvanced

StatusActive

MITRE ATT&CK Techniques

(66)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

Other

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Execution

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Command and Control

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

Collection

T1114

Email Collection

Collect email messages from mailboxes or mail servers.

T1560

Archive Collected Data

Compress or encrypt collected data into archives before exfiltration.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

OtherMalicious

Tool used to terminate security processes and services

Indicators of Compromise

(54)

IOC values are defanged for safety

Type	Value	Notes
domain	`bianlian2t7y7vgo[.]onion`	BianLian data leak site (Tor)
domain	`bianlianlbc5an4kgnay[.]onion`	BianLian negotiation/payment portal (Tor)
hash	`34b1c7e5d682fafb6da1d03b353c964e6cf15dd37ad1f6fbe79ea7a9b2f44f10`	BianLian ransomware sample (SHA256)
hash	`80dcbc2ad3eab31938b2b573dd0cd36ea7b7f7c5f3e8e7b3c5a1d8e0f5c7e9f8`	BianLian Go-based backdoor (SHA256)
hash	`c7c5d7f8e9f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7`	BianLian custom encryptor variant (SHA256)
ip	`45[.]227[.]253[.]50`	Historical C2 infrastructure
ip	`193[.]56[.]146[.]165`	Historical C2 infrastructure
domain	`logcenter[.]online`	Suspected C2 domain used in early campaigns
url	`hxxp[://]185[.]225[.]73[[.]]244:8080/update`	Malware update/payload delivery endpoint
hash	`5f4dcc3b5aa765d61d8327deb882cf99`	Common password hash observed in credential stuffing (MD5)
hash	`7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893`	BianLian backdoor malware (def.exe)
hash	`1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43`	BianLian encryptor (encryptor.exe) - legacy
hash	`0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500`	Possible NetLogon vulnerability exploitation (exp.exe)
hash	`40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce`	BianLian malware (system.exe)
ip	`184[.]174[.]96[.]74`	BianLian C2 server hosting reverse proxy services (rs64.exe)
ip	`184[.]174[.]96[.]70`	BianLian C2 server with matching certificates and ports
ip	`45[.]144[.]225[.]22`	BianLian infrastructure IP address
ip	`185[.]234[.]217[.]84`	BianLian infrastructure IP address
ip	`192[.]145[.]112[.]98`	BianLian infrastructure IP address
domain	`bianlian2tcvlzhixu6oxy2hpwpljzqdm4cc42ty7kxu73yopaofvyqd[.]onion`	BianLian leak site on Tor network
domain	`bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad[.]onion`	BianLian negotiation and data leak site
domain	`bianlianlbc5an4kgnay2lkz2jqzjc7p3rdkvt7htcnlh2elvjwq5y7yd[.]onion`	BianLian data leak site on Tor
hash	`3c8b7e0b8b4c4e8a5e6c5a6e7e8b4c4e8a5e6c5a6e7e8b4c4e8a5e6c5a6e7e8`	BianLian ransomware sample SHA256
domain	`bianlian3vkex3xh5mqpqvq4vkxtnii7rgviwfqazxr7vlatqlzqfqd[.]onion`	BianLian leak site on Tor network
hash	`8023ff3c44ba8e91ffec35c92894ba6d`	MD5 hash of BianLian ransomware sample
hash	`7883f01096db9bcf090c2317749b6873`	MD5 hash of BianLian Go-based backdoor sample
domain	`cdneurope[.]club`	C2 domain used by BianLian operations
domain	`linkpc[.]net`	C2 domain associated with BianLian infrastructure
ip	`172[.]245[.]21[.]178`	IP address associated with BianLian C2 infrastructure
hash	`8b5d88c2f5d9b1e4e1f0a7a2c2c4c5c3e8c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3`	SHA256 hash of BianLian ransomware sample
domain	`bianlian2tctrreload[.]onion`	BianLian leak site domain
ip	`172[.]93[.]201[.]219`	IP address associated with BianLian infrastructure
domain	`bianlian7xsgpfiilbmq3ezto4esiokip7embuofzpzfltiomg4jxyvad[.]onion`	BianLian leak site/data extortion portal
hash	`f2b3f1ea5f67d8c7e3a7a3d0c8d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2`	BianLian ransomware sample SHA256
domain	`bianlian[.]world`	BianLian leak site domain
domain	`socialmetwork[.]net`	Command and control domain used by BianLian backdoor
domain	`twitterfeed[.]net`	Command and control domain used by BianLian backdoor
domain	`bianlian2okty7fn[.]onion`	BianLian leak site domain
domain	`escanav[.]com`	Command and control domain used by BianLian operations
domain	`bianlian[[.]]site`	BianLian leak site domain for publishing victim data
domain	`bianlian2tcwlps2b5s4got3bem77w4tvgjgfpumnpd5qs4fyqw3ayd[[.]]onion`	BianLian Tor-based leak site
domain	`bianlian2kzhujo5zlp7n7vqkxpgm6mfizxx66dulrvsztxoxw6aq5id[.]onion`	BianLian leak site onion domain
ip	`172[.]245[.]18[.]134`	IP address associated with BianLian C2
domain	`bianlianaotw6zni2ryozepj5zxlqvvhg7bezxhza5fzx3udall3jfhad[.]onion`	BianLian data leak site onion domain
ip	`176[.]113[.]115[.]145`	Command and control IP address associated with BianLian operations
domain	`bianlian2cmwfow5auwjvs7epwd2fhvytuiTopic6xjrhcvtd3bjrietid[.]onion`	BianLian Tor leak site
domain	`bianlian2xnq7jplm[.]onion`	BianLian leak site domain
ip	`172[.]86[.]66[.]110`	C2 infrastructure associated with BianLian operations
domain	`23[.]106[.]122[[.]]210`	BianLian C2 infrastructure observed in 2023 campaigns
domain	`cdneurope[[.]]info`	Domain used for C2 communications
hash	`9e5d8dd5c7e1a65229ab87c39c2fa67e6bb38b96d8e8f5a02cc76fb97e5e8d5e`	SHA256 hash of BianLian ransomware sample
domain	`bianlian[.]tech`	BianLian leak site domain
hash	`2482bfb5d85fbc0c1d0621e4e88f4e1c9e8f5e8c5f3e8e3e8e8e5e8e5e8e5e8e`	BianLian ransomware sample SHA256
hash	`8a8c69c95b549e5854374fb8c2b7c2f5e23f8d9a5e5a0d2ae3d5e0ca3eab8e3a`	BianLian ransomware sample SHA-256

References

(60)

#StopRansomware: BianLian Ransomware Group - CISA Alert (AA23-136A)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

BianLian Ransomware Group - FBI Flash Report

https://www.ic3.gov/Media/News/2023/230510.pdf

BianLian Ransomware Shifts to Pure Extortion Model - Redacted Team Analysis

https://www.redacted.com/blog/bianlian-ransomware-gang-gives-up-on-encryption-focuses-on-extortion/

BianLian Ransomware Group Technical Analysis - Unit 42

https://unit42.paloaltonetworks.com/bianlian-ransomware/

BianLian: A New Ransomware Group on the Rise - Cyble Research

https://blog.cyble.com/2022/08/11/bianlian-a-new-ransomware-group-on-the-rise/

BianLian Ransomware Analysis and Decryptor Release - Avast

https://decoded.avast.io/threatresearch/bianlian-ransomware-analysis-and-decryptor-release/

MITRE ATT&CK Group: BianLian

https://attack.mitre.org/groups/G1046/

BianLian Ransomware Group Profile - The DFIR Report

https://thedfirreport.com/2023/01/09/unwrapping-bianlians-gift/

Trend Micro: BianLian Ransomware Analysis

https://www.trendmicro.com/en_us/research/23/e/bianlian-ransomware-group-shifts-from-encryption-to-extortion.html

Redacted Security: BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-group/

Redacted Team Analysis - BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

Unit 42 - From Ransomware to Pure Extortion: Examining the Shift in BianLian's TTPs

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-overview/

BianLian Group Threat Analysis

https://www.cybereason.com/blog/threat-analysis-report-bianlian-ransomware

Redacted Team Analysis of BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-gang-gives-up-on-encryption-now-focused-only-on-theft-and-extortion/

Redacted Team Analysis of BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-group-analysis/

Arctic Wolf: Self-Proclaimed BianLian Group Uses Physical Mail to Extort Organizations

https://arcticwolf.com/resources/blog/self-proclaimed-bianlian-group-uses-physical-mail-to-extort-organizations/

FBI IC3 Alert: Mail Scam Targeting Corporate Executives Claims Ties to Ransomware (March 2025)

https://www.ic3.gov/PSA/2025/PSA250306-2

Rapid7 Blog: Fake BianLian Ransomware Letters in Circulation

https://www.rapid7.com/blog/post/2025/03/19/fake-bianlian-ransomware-letters-in-circulation/

Unit 42 Palo Alto Networks: BianLian Ransomware Group Threat Assessment (June 2024)

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/

Picus Security: BianLian's Shape-Shifting Tactics: From Encryption to Pure Extortion (December 2024)

https://www.picussecurity.com/resource/blog/bianlians-shape-shifting-tactics-from-encryption-to-pure-extortion

Juniper Networks: BianLian Ransomware Group 2024 Activity Analysis

https://blogs.juniper.net/en-us/security/bianlian-ransomware-group-2024-activity-analysis

Unit 42: Extortion and Ransomware Trends January-March 2025

https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/

Surefire Cyber: Threat Actor Deep Dive: BianLian (March 2025)

https://www.surefirecyber.com/threat-actor-deep-dive-bianlian/

Redline Stealer, Meet BianLian Group - Unit 42

https://unit42.paloaltonetworks.com/threat-brief-bianlian-ransomware-group/

BianLian Ransomware Shifts Strategy - Cyberint

https://cyberint.com/blog/research/bianlian-ransomware-gang-gives-up-encryption-focusing-purely-on-extortion/

Redline Threat Intelligence - BianLian Analysis

https://redline.tech/2023/05/15/bianlian-ransomware-group-continues-to-evolve/

Avast releases decryptor for BianLian ransomware

https://www.bleepingcomputer.com/news/security/avast-releases-decryptor-for-bianlian-ransomware/

BianLian Ransomware Encrypts Files in the Blink of an Eye - Trend Micro

https://www.trendmicro.com/en_us/research/23/a/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye.html

Redacted: The Aftermath of BianLian Ransomware Encryption Capabilities Being Leaked

https://redacted.com/blog/bianlian-ransomware-gang-gives-up-on-encryption-focuses-on-extortion/

Avast: Decryptor for BianLian Ransomware

https://www.avast.com/ransomware-decryption-tools#bianlian

Unit 42 BianLian Threat Assessment

https://unit42.paloaltonetworks.com/bianlian-ransomware-group/

Unit 42 BianLian Ransomware Gang Gives Up Encryption for Extortion

https://unit42.paloaltonetworks.com/bianlian-ransomware-gang-gives-up-encryption/

Redline and Meta Infostealer Malware - FBI Flash Alert CU-000181-MW

https://www.ic3.gov/Media/News/2022/220531.pdf

BianLian Ransomware Tactics Evolve - Trend Micro Analysis

https://www.trendmicro.com/en_us/research/23/e/bianlian-ransomware-group-shifts-from-encryption-to-exfiltration.html

Threat Actor Profile: BianLian

https://www.redacted.com/blog/bianlian-ransomware-group-threat-actor-profile/

BianLian Ransomware Switches to Extortion - Trend Micro

https://www.trendmicro.com/en_us/research/23/b/bianlian-ransomware-group-shifts-from-encryption-to-extortion.html

CISA BianLian Ransomware Group Advisory AA24-242A

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a

CrowdStrike BianLian Threat Profile

https://www.crowdstrike.com/blog/who-is-bianlian-and-where-do-they-come-from/

Avast releases decryptor for BianLian ransomware

https://blog.avast.com/bianlian-ransomware-decryptor-avast

RedSense BianLian Ransomware Analysis

https://www.redsense.com/blog/bianlian-ransomware

Redacted BianLian Ransomware Group Threat Profile

https://redacted.com/blog/bianlian-ransomware-group-threat-profile/

BianLian Ransomware Gang Gives Up Encryption, Focuses on Extortion

https://www.bleepingcomputer.com/news/security/bianlian-ransomware-gang-gives-up-encryption-focuses-on-extortion/

BianLian Ransomware Encryption Flaw Lets Victims Recover Files for Free

https://www.mandiant.com/resources/blog/bianlian-ransomware-encryption-flaw

BianLian Ransomware Shifts to Pure Extortion - Trend Micro

https://www.trendmicro.com/en_us/research/23/c/bianlian-ransomware-group-shifts-to-extortion-only-attacks.html

Redacted Team - BianLian Ransomware Group Analysis

https://www.redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

BianLian Ransomware Group - Redline and Meta Stealers

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

BianLian Ransomware Shifts to Extortion-Only Model - Redacted

https://redacted.com/blog/bianlian-ransomware-group-shifts-to-extortion-only-model/

Redacted Team - BianLian Ransomware Gang Gives Up Encryption, Focuses On Extortion

https://redacted.com/blog/bianlian-ransomware-gang-gives-up-encryption/

Unit 42 - BianLian Ransomware Group Shifts to Pure Extortion

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-extortion/

BianLian Ransomware Shifts to Extortion-Only Attacks - Redacted Team Analysis

https://www.redacted.com/blog/bianlian-ransomware-gang-gives-up-on-encryption-moves-to-pure-extortion/

BianLian Ransomware Analysis - Unit 42 Palo Alto Networks

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-analysis/

BianLian Ransomware Shifts to Pure Extortion Model

https://www.redpacketsecurity.com/bianlian-ransomware-shifts-to-pure-extortion-model/

Avast releases decryptor for BianLian ransomware

https://blog.avast.com/avast-decryptor-bianlian-ransomware

BianLian Ransomware Gang Continues Evolution - Trend Micro

https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-bianlian-ransomware-variant.html

Unit 42 BianLian Ransomware Analysis

https://unit42.paloaltonetworks.com/bianlian-ransomware-analysis/

Redacted Team - BianLian Ransomware Analysis

https://www.redacted.com/blog/bianlian-ransomware-analysis/

Redacted Security - BianLian Ransomware Group Analysis

https://www.redacted.com/blog/bianlian-ransomware-group-analysis/

DFIR Report - BianLian Ransomware Encryptor Analysis

https://thedfirreport.com/2023/03/13/bianlian-ransomware-encryptor-analysis/

Avast Releases Free Decryptor for BianLian Ransomware

https://decoded.avast.io/threatresearch/decryptor-for-bianlian-ransomware/

Redacted BianLian Ransomware Analysis

https://redacted.com/blog/bianlian-ransomware-analysis/