Overview
BianLian is a data extortion group that began operations in mid-2022 as a conventional double-extortion ransomware operator — encrypting victim systems and threatening to publish stolen data if the ransom was not paid. That model changed in early 2023 when Avast published a free decryptor for BianLian’s Go-based encryptor, neutralising the encryption leverage and forcing a tactical pivot.
Since then, BianLian has operated exclusively as a data theft extortion group. They do not encrypt files. They access victim networks, exfiltrate data, and then threaten to publish it on their Tor-hosted leak site. This approach has several advantages for the group: it requires less infrastructure, creates no immediate operational disruption (which can delay victim discovery), and sidesteps the technical competition of keeping ransomware undetected by EDR solutions.
The FBI, CISA, and Australian Cyber Security Centre published a joint advisory on BianLian in May 2023, updated in November 2023 and again in May 2025, reflecting the group’s persistence and continued activity.
Technical Profile
Initial Access
BianLian’s documented initial access methods include:
- Compromised RDP credentials — purchasing or brute-forcing valid credentials to expose internet-facing Remote Desktop Protocol services
- ProxyShell exploitation — targeting unpatched Microsoft Exchange servers (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- Valid VPN credentials — likely obtained through credential markets or phishing
The RDP-heavy access profile is consistent with the healthcare sector’s relatively high exposure: hospitals and healthcare networks commonly expose RDP for remote clinician access, often without multi-factor authentication.
Post-Compromise Tooling
Once inside, BianLian follows a largely living-off-the-land pattern:
- Cobalt Strike and custom Go backdoors for persistence and C2
- PowerShell and Windows command-line tools for enumeration and lateral movement
- SoftPerfect Network Scanner and Advanced Port Scanner for internal reconnaissance
- PsExec and SMB for lateral movement to additional hosts
- MEGASync and MEGA cloud storage for data exfiltration — leveraging legitimate file sync software to move data to attacker-controlled cloud accounts
- Rclone as an alternative exfiltration mechanism
- Ngrok to tunnel C2 traffic through legitimate infrastructure
Their use of Go for custom tooling aligns with a broader trend among ransomware groups: Go binaries compile to statically linked executables, are cross-platform, and are harder to reverse-engineer than compiled C++ or interpreted Python.
Defence Evasion
BianLian uses several documented techniques to maintain persistence while avoiding detection:
- Modifying or disabling Windows Defender via PowerShell
- Leveraging legitimate remote access tools (AnyDesk, TeamViewer) alongside their Go backdoor to establish redundant access
- Timestomping and clearing Windows event logs post-exfiltration
Victim Profile
BianLian’s post-pivot targeting has concentrated in sectors where data sensitivity is high and public disclosure is embarrassing or legally consequential:
Healthcare remains their most-targeted sector by published victim count. Medical records, billing data, insurance claims, and patient PII are all valuable exfiltration targets. Healthcare organisations are also historically under-resourced on security and often cannot afford the reputational cost of a public data leak, creating leverage.
Professional services — law firms, accounting firms, engineering consultancies — hold sensitive client data across multiple organisations simultaneously, multiplying the potential disclosure impact.
Finance and legal sectors follow. Financial services organisations are particularly sensitive to regulators and clients seeing evidence of a breach, which increases the likelihood of payment.
The group has claimed victims in the US, UK, Canada, Australia, and across Europe. US victims represent the majority of published cases.
The Leak Site Model
BianLian operates a Tor-hosted leak site that follows a staged disclosure approach:
- Victim is listed with a description of the organisation and a description of what data was stolen
- A countdown timer runs, typically 10-14 days
- If payment is not made by the deadline, data is published (partially or fully)
Unlike some groups, BianLian has been relatively consistent about following through on publication threats. This matters because it establishes credibility — victims know that non-payment results in actual exposure, not just the threat of it.
The group also cross-publishes victim notifications to cybercrime forums, increasing visibility and embarrassment pressure on the victim organisation.
FBI/CISA Advisory Summary
The joint advisory (AA23-136A, updated 2025) documents the following indicators and mitigations:
Key TTPs documented:
- T1078 — Valid Accounts (initial access via compromised RDP/VPN credentials)
- T1059.001 — PowerShell (execution)
- T1486 — Data Encrypted for Impact (historical; no longer primary TTP)
- T1041 — Exfiltration Over C2 Channel
- T1537 — Transfer Data to Cloud Account (MEGASync/Rclone)
Recommended mitigations from the advisory:
- Disable RDP if not required; restrict to specific IP ranges if required
- Require MFA on all VPN and remote access
- Audit and disable unused remote access tools
- Segment networks to limit lateral movement
- Monitor for unusual MEGASync or Rclone installations/executions
- Log and alert on PowerShell execution from unexpected parent processes
Current Activity (2026)
BianLian remains active through mid-2026. Healthcare sector victims have continued appearing on their leak site at a rate of roughly 3-5 per month. The group has not published new tooling or dramatically changed TTPs since the 2023 pivot, suggesting a stable operational capability rather than rapid evolution.
The group’s persistence despite multiple public advisories illustrates a recurring dynamic in ransomware economics: when the model works and prosecution risk is low (the group is assessed to be operating from Russia or a CIS jurisdiction), groups can continue operating for years with minimal adaptation.
Detection Opportunities
Network indicators:
- Outbound connections to MEGASync infrastructure (mega.nz, mega.co.nz)
- Rclone process spawns, especially with non-interactive arguments suggesting automated transfer
- Ngrok processes or connections to ngrok’s HTTPS endpoints
- RDP lateral movement events (Event ID 4624, Logon Type 10 or 3) from unexpected internal hosts
Host indicators:
- Windows Defender modifications via PowerShell (Set-MpPreference -DisableRealtimeMonitoring)
- SoftPerfect Network Scanner execution
- Go-compiled binaries in non-standard paths (AppData, Temp)
- AnyDesk or TeamViewer installations not managed by IT
Behavioural:
- Large internal file access volumes from a service account or shared workstation in off-hours
- DNS queries to MEGA or cloud file-sharing domains from server-tier machines
- Event log clearing (Event ID 1102 Security log cleared, Event ID 104 System log cleared)
Given BianLian’s preference for quiet exfiltration over noisy encryption, detection must come from data movement monitoring rather than from observing encryption activity that never happens.