BianLian

Malware

⚠️ Overview

BianLian is a Go‑based ransomware‑as‑a‑crime group first observed in July 2022 by Cybereason and the Australian Cyber Security Centre (ACSC), operating as a closed‑source private ransomware variant rather than a public affiliate program. The group originally deployed a file‑encrypting binary, but by early 2023 it shifted nearly exclusively to data‑theft extortion (without encryption) after security improvements in Windows Defender and other EDR products made encryption less effective. The threat actors maintain a Tor‑based leak site to publish stolen data from non‑paying victims, and they have been tracked by CISA, the FBI, and the ACSC.

🔧 Technical Capabilities

BianLian gains initial access primarily through compromised Remote Desktop Protocol (RDP) credentials, often purchased from initial‑access brokers or obtained via brute‑force attacks. After entry, the group deploys Cobalt Strike beacons and custom PowerShell scripts for lateral movement using PsExec and WMI. The ransomware binary itself is written in Go and uses the Rijndael‑256 encryption algorithm with a hard‑coded RSA‑4096 public key; it targets file extensions such as .docx, .xlsx, .pdf, and database formats. The group also employs living‑off‑the‑land techniques, including native Windows tools (BITSAdmin, WMIC, schtasks) for persistence and privilege escalation. For evasion, they disable Windows Defender via registry modifications and use process hollowing to inject payloads into legitimate processes. C2 communication is conducted over HTTPS using custom encrypted payloads, and the group often uses legitimate public cloud services (e.g., Dropbox, Google Drive) to exfiltrate data before triggering encryption.

📜 History & Notable Incidents

BianLian first gained widespread attention in August 2022 after hitting a U.S. hospital chain, forcing the facility to manually revert backups. In March 2023, the ACSC and CISA released a joint advisory (#StopRansomware: BianLian) detailing tactics, techniques, and procedures (TTPs), citing MITRE ATT&CK techniques T1078 (Valid Accounts), T1059 (Command and Scripting Interpreter), and T1574 (Hijack Execution Flow). No public CVEs are exclusively attributed to BianLian; instead, they exploit unpatched vulnerabilities in remote access software, including CVE‑2023‑23397 (Microsoft Outlook privilege escalation) in some campaigns. There have been no law‑enforcement takedowns or arrests as of early 2025, but the group’s activity subsided after Microsoft’s January 2023 patch for a key RDP vulnerability.

🔍 Detection Indicators

Known file hashes are dynamic; however, network indicators include outbound HTTPS connections to IP addresses in Eastern Europe (e.g., 45.138.16.0/24) and User‑Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36” used during Cobalt Strike deployment. Registry persistence keys observed include HKCUSoftwareMicrosoftWindowsCurrentVersionRunBianLian. Behavioral signatures: sudden mass enumeration of network shares via net.exe, rapid creation of scheduled tasks named “BianLianTask”, and files renamed with a “.bianlian” extension (only in older encrypting campaigns).

☠️ Risk & Impact

BianLian primarily targets critical infrastructure sectors including healthcare, education, government, and manufacturing in the U.S., Australia, and Europe. The shift to pure extortion (without encryption) has reduced technical cleanup costs but leaves victims vulnerable to public data leaks, reputational damage, and regulatory fines. In one 2023 incident, an Australian shipping firm suffered an estimated $4 million in downtime and ransom‑negotiation costs after the group published 300 GB of sensitive customer data.

🛡️ Mitigation

Defenders should patch RDP‑related vulnerabilities promptly, enforce multi‑factor authentication (MFA) on all remote access, and implement network segmentation to limit lateral movement. CISA recommends using the YARA rules and the free detection signatures published in their joint advisory (March 2023). Additionally, enable Microsoft 365 auditing and deploy endpoint detection rules for anomalous PowerShell and WMI activity.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.