Skip to content
Ransomware group

BianLian

BianLian is a ransomware and data-extortion malware family/operator first observed in attacks in June 2022, with the ransomware itself described as emerging in August 2022.

Profile source: Mallory opens in a new tab

BianLian

Family profile

BianLian is a ransomware and data-extortion malware family/operator first observed in attacks in June 2022, with the ransomware itself described as emerging in August 2022. It is associated with a Russia-linked cybercriminal group with multiple Russia-based affiliates and has targeted organizations in the United States and abroad, including multiple U.S. critical infrastructure sectors and Australian organizations. Reported victim sectors include healthcare, manufacturing, media and entertainment, professional services, property development, financial services, and mining/rare earths. Specific incidents referenced include compromises affecting Northern Minerals in Australia, Collins Aerospace, and Alpine Ear, Nose, and Throat.

Technically, BianLian ransomware is a Go-based 64-bit Windows executable. Avast reported that known variants encrypt file data with AES-256-CBC, scanning drives A: through Z: and encrypting files matching 1,013 hardcoded extensions. Known samples use a fixed hardcoded offset within files rather than encrypting from the beginning, append the .bianlian extension to encrypted files, drop a ransom note named "Look at this instruction.txt" in affected folders, and self-delete after execution via "cmd /c del <sample_exe_name>". Avast released a public decryptor for known BianLian variants in January 2023.

Operational reporting indicates BianLian historically conducted double extortion, combining data theft with file encryption, but shifted primarily to exfiltration-only extortion around January 2023 after the decryptor release, and by January 2024 was reported as exclusively using exfiltration-based extortion in some government reporting. Initial access methods directly mentioned include valid RDP credentials, phishing, and exploitation of public-facing applications; the FBI/CISA/ACSC advisory also notes possible use of the ProxyShell exploit chain against Windows and ESXi infrastructure. The group uses a custom victim-specific Go backdoor, remote management/access tools, account creation and password changes, Ngrok and modified Rsocks for proxying/SOCKS5 tunneling, PowerShell and Windows Command Shell to disable defenses, and registry changes to weaken Sophos protections. Reported discovery and credential-access activity includes use of Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, PingCastle, LSASS credential theft, attempts to access NTDS.dit, and in at least one case an Impacket secretsdump-derived tool. Lateral movement has been observed via PsExec, RDP, SMB, firewall-rule changes to permit RDP, and an artifact linked to possible exploitation of CVE-2020-1472; privilege escalation via CVE-2022-37969 has also been reported. Data exfiltration methods explicitly mentioned include FTP, Rclone, and Mega.

Known indicators and artifacts directly referenced in the content include the .bianlian file extension, the ransom note "Look at this instruction.txt," common executable paths/names such as C:\Windows\TEMP\mativ.exe, C:\Windows\Temp\Areg.exe, C:\Users\%username%\Pictures\windows.exe, and anabolic.exe, and the self-deletion command pattern noted above.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • RDP Recognizer

Discovery Enum

  • Advanced IP Scanner
  • Advanced Port Scanner
  • PingCastle
  • SharpShares
  • SoftPerfect NetScan
  • WKTools

Exfiltration

  • MEGA
  • RClone

LOLBAS

  • PsExec

Offsec

  • Impacket

RMM Tools

  • AmmyyAdmin
  • AnyDesk
  • Atera
  • ScreenConnect
  • Splashtop
  • TeamViewer

Ransomware.live

Published indicators

Full source record ↗

Md5

8 total
  • 36171704cde087f839b10c2465d864e1
  • d10e0387e3d55dc1f82c23719e2b168b
  • 0c756fc8f34e409650cd910b5e2a3f00
  • b3cdf0489ff37fe65141be9363b9489c
  • 08e76dd242e64bb31aec09db8464b28f
  • 14da9c0c4e3ac3b9abb2c48b37bece19
  • 15cdfa777aa2db35229410d2fa9fb92e
  • 7be61ea851f894d26bf57cf0f1f55ed6

Ip

191 total
  • 88.212.241.105:993
  • 91.245.255.27:8443
  • 162.33.179.99:1433
  • 151.236.16.144:64250
  • 172.96.137.108:80
  • 31.220.80.82:8081
  • 104.238.35.179:38901
  • 151.236.16.242:12818
  • 104.238.35.179:3389
  • 85.235.151.5:8080

Reported operators

Threat actors

1 named in public reporting
BianLian

...BianLian Ransomware Gang... leveraged command and scripting tools

Exploited software

Vulnerabilities linked to BianLian

4 CVEs

MITRE ATT&CK

BianLian in ATT&CK

21 distinct techniques

Reporting

Research mentioning BianLian

Apr 23
Recorded Future

Critical minerals and cyber operations

In 2024, Northern Minerals, an Australian rare earths producer, was compromised by the ransomware group BianLian. They published stolen data on the dark web shortly after Northern Minerals ordered Chinese-linked investors to divest their 10.4% stake.

Apr 8
Hipaa Journal

2025 Losses to Cybercrime Exceeded $20 Billion

The biggest ransomware threats in terms of complaint volume were Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play.

Mar 7
Breakglass Intel

From Honeypot Hit to Russian State MITM: How a Single PostgreSQL Scan Led Us to a 128,000-IP Surveillance Empire - Breakglass Intelligence - Breakglass Intelligence

It continues to provide transit for OFAC-sanctioned Aeza International (AS210644 -- BianLian ransomware, Lumma, RedLine, FSB-arrested co-founders).

Feb 3
Hipaa Journal

Patients Learn Their Health Data Was Compromised More Than a Year Ago

"The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024."

Jan 14
Dark Reading

Retail, Services Industries Under Fire in Oceania

"A number of high-profile ransomware groups — Inc Ransomware, BianLian, and others — targeted services companies in 2025..."

Dec 8
Bleeping Computer

FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024

The other ransomware gangs included Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. Collectively, the top 10 most active ransomware gangs accounted for $1.5 billion in ransom payments from 2022 through 2024.

Nov 13
Checkpoint Research

The State of Ransomware - Q3 2025 - Check Point Research

This fragmentation follows the closure or dormancy of several major RaaS brands during the year, including RansomHub, 8Base, BianLian, Cactus, and others.

Oct 13
Industrialcyber

Healthcare ransomware attacks surge 30% in 2025, as cybercriminals shift focus to vendors and service partners - Industrial Cyber

INC led with the highest number of confirmed attacks (15), followed by Qilin (14), Medusa (8), RansomHub (6), and BianLian (5).

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.