BianLian
A case study in adversarial adaptation: BianLian started as a double-extortion ransomware group in June 2022, but when Avast released a free decryptor for their Go-based encryptor in January 2023, the operators made a strategic decision to abandon encryption entirely and pivot to pure data exfiltration extortion. By January 2024, CISA confirmed BianLian had shifted exclusively to exfiltration-based extortion — stealing data, threatening publication, and applying live pressure through printer-delivered ransom notes and direct phone calls to individual employees. Within two years of launch, the group ranked among the top three most active ransomware groups globally and became the third most prolific threat to the healthcare sector in the first nine months of 2024.
Overview
BianLian takes its name from the traditional Chinese art of "face-changing" — Biàn Liǎn — a performance technique involving rapid, dramatic mask transformations. The name is deliberate: FBI and CISA noted in their November 2024 updated advisory that BianLian, like several other ransomware groups, chose a foreign-language name specifically to complicate attribution and mislead investigators about the group's origins. Despite the Chinese name, all available evidence points to Russian-speaking operators with Russia-based affiliates. The group's C2 infrastructure was traced to Russian IP space, and a custom .NET tool shared with the Makop ransomware group — which contains Russian-language strings including Russian numerals — provides additional corroborating evidence of Russian developer involvement.
BianLian emerged in June 2022, first targeting organizations in the United States and Australia with a double-extortion model: exfiltrate sensitive data, encrypt victim systems, then demand payment under threat of both operational disruption and data publication. The group's initial encryptor was written in Go — a language increasingly favored by ransomware developers for its cross-platform compilation, fast execution, and difficulty of analysis. The encryptor implemented AES encryption, appended .bianlian extensions to encrypted files, and deleted itself after execution to limit forensic evidence. Early versions had flawed encryption implementation that left files recoverable under certain conditions, and the encryptor relied on C2 connectivity for encryption keys, meaning network blocking could prevent the encryption process.
In January 2023, Avast published a free BianLian decryptor built from analysis of the encryptor's implementation flaws. This was not a minor setback — it fundamentally invalidated BianLian's encryption-based leverage over victims. Organizations that had paid ransoms could now potentially recover files without payment. Faced with the decryptor's public availability, BianLian operators made a calculated decision: abandon encryption and shift operational focus entirely to the data theft side of double extortion. From early 2023, the group focused on exfiltrating sensitive financial, medical, client, and business records before leaving victim systems intact — generating ransom leverage through the threat of data publication alone rather than through operational disruption.
By January 2024, CISA confirmed BianLian had completed the transition to exclusively exfiltration-based extortion. This pivot has proven more resilient than encryption-based models in several respects: it generates no file-modification signals that endpoint tools use to detect ransomware; it is harder to remediate because exfiltrated data cannot be recovered even with backups; and it maintains leverage indefinitely, as stolen data can always be published later. BianLian has remained consistently active since the pivot, disclosing over 90 new victims on their leak site in 2024, and ranking as the ninth most active ransomware group globally for 2024 while maintaining a specific concentration in healthcare — accounting for 9% of all healthcare ransomware victims in the first nine months of 2024.
Target Profile
BianLian targets organizations that hold high-value sensitive data — the sensitivity of data determines extortion leverage in a pure exfiltration model more directly than in encryption-based models, where operational disruption creates independent pressure regardless of data type.
- Healthcare: Consistently BianLian's highest-impact target sector. Medical organizations hold protected health information (PHI) — patient records, diagnoses, treatment histories — that carry both regulatory and reputational consequences if published. BianLian was the third most active ransomware group targeting healthcare in the first nine months of 2024, behind only LockBit and RansomHub. Confirmed healthcare victims include Boston Children's Health Physicians (2024), Integris Health, Lindsay Municipal Hospital, and multiple hospital systems.
- Manufacturing: A consistently targeted sector across BianLian's operational history. Industrial and manufacturing organizations are targeted for proprietary technical data, process documentation, and supply chain information that carries competitive sensitivity. The sector also represents a significant portion of the group's leak site disclosures.
- Professional and Legal Services: Law firms, accounting practices, and professional services organizations are high-value targets because they hold privileged client information — legal strategy, financial records, and confidential communications — whose publication carries severe client relationship and regulatory consequences.
- Critical Infrastructure: FBI and CISA confirmed BianLian has targeted multiple US critical infrastructure sectors since June 2022, including one Australian critical infrastructure organization documented by ASD's ACSC. The group has also targeted energy sector organizations alongside its primary focus on healthcare and manufacturing.
- Geographic Concentration: Approximately 60% of BianLian's victim organizations are based in the United States. The United Kingdom (10%) and Canada (7%) are the next most targeted countries. The group has also been active against targets in Australia, Europe, India, and Southeast Asia, reflecting the operator's expansion over time.
Tactics, Techniques & Procedures
Documented TTPs drawn from FBI/CISA advisory AA23-136A (updated November 2024), Unit 42 threat assessment, Juniper research, and incident response findings from GuidePoint and eSentire. TTPs reflect both the encryption-era (2022–2023) and the current exfiltration-only model (2024–present).
| MITRE ID | Technique | Description |
|---|---|---|
| T1078 / T1133 | Valid Accounts / External Remote Services | RDP using compromised credentials is BianLian's primary initial access method, confirmed across multiple FBI investigations. Credentials are sourced from initial access brokers, phishing, or credential stuffing. The group also exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access in early campaigns, and unpatched SonicWall VPN devices. A March 2024 GuidePoint investigation documented exploitation of JetBrains TeamCity vulnerabilities (CVE-2024-27198 and CVE-2023-42793) as the initial access vector. |
| T1059.001 | PowerShell Execution | PowerShell is used extensively throughout BianLian intrusions — for network discovery, credential harvesting, disabling security tools, and deploying payloads. A PowerShell implementation of the Go backdoor was documented by GuidePoint after the TeamCity exploitation incident, representing a significant evolution in delivery method. Scripts list running processes, installed software, and local drives as part of initial reconnaissance. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | BianLian uses PowerShell and Windows Command Shell commands to disable Windows Defender and AMSI. The group modifies the Windows Registry to disable tamper protection for Sophos (SAVEnabled, SEDEnabled, SAVService services), enabling uninstallation of those products. Executables are packed with UPX to bypass heuristic and signature-based detection. Binaries and scheduled tasks are renamed after legitimate Windows services or security products to evade process-based monitoring. |
| T1021.001 | RDP Lateral Movement | BianLian uses RDP with valid accounts for lateral movement across victim networks after establishing initial access. PsExec is used alongside RDP for remote command execution. SessionGopher is used to extract saved session information for remote access tools (RATs), enabling access to additional systems where credentials have been cached by remote management software. |
| T1003.002 | Credential Dumping | A portable executable version of Impacket's secretsdump.py was observed being used to move laterally to domain controllers and harvest NTLM credential hashes. SessionGopher extracts session credentials from RDP, SSH, and VNC applications. Harvested credentials are used for lateral movement without requiring additional exploitation once the initial foothold is established. |
| T1048 | Exfiltration Over Alternative Protocol | Data exfiltration uses FTP, Rclone, and Mega — cloud storage services that blend with legitimate business traffic. Rclone's configuration files are created and used to sync stolen data directly to attacker-controlled cloud endpoints. FTP exfiltration uses custom servers. The custom exfiltration tool shared with Makop ransomware is a .NET executable handling file enumeration, registry, and clipboard data collection before transfer. |
| T1572 | Protocol Tunneling / C2 Infrastructure | BianLian uses the reverse proxy tool Ngrok and a modified version of the open-source Rsocks utility to establish SOCKS5 network tunnels from victim environments, masking C2 traffic destinations. C2 servers primarily use ports 443 and 8443 for HTTPS traffic to blend with legitimate web communications. The group rapidly deploys new C2 infrastructure when needed — deploying over 15 new servers within 24 hours in one documented mid-January 2024 escalation. |
| T1486 | Extortion Pressure Tactics | Beyond the data publication threat, BianLian employs direct victim contact to escalate pressure: ransom notes are printed to networked printers on compromised networks to ensure executive awareness; individual employees receive threatening phone calls from persons associated with BianLian group, documented in the November 2024 CISA advisory. Ransom notes include warnings of financial, business, and legal consequences, including regulatory filings and notification requirements triggered by data publication. |
| T1036.004 | Masquerading — Renaming | BianLian actors rename malicious binaries and scheduled tasks after legitimate Windows services or security product names to evade process-based detection and blunt analyst triage. This is paired with UPX packing of executables to further reduce detection rates from static analysis and signature-based tools. |
| T1068 | Privilege Escalation | BianLian exploits CVE-2022-37969, a Windows 10 and 11 Common Log File System Driver privilege escalation vulnerability, to elevate privileges on victim systems. This is used alongside creation and activation of local administrator accounts with modified passwords to establish persistent elevated access for subsequent operations. |
Known Campaigns
Notable confirmed or highly attributed intrusions across BianLian's operational history.
BianLian's initial operational phase used a double-extortion model against US critical infrastructure, healthcare, and manufacturing organizations. Initial access was primarily via compromised RDP credentials and ProxyShell vulnerability exploitation. The group deployed a custom Go-based encryptor that appended .bianlian extensions and a persistent Go-based backdoor for maintaining access. Early operational security mistakes were documented — including mistakenly sending data from one victim to another — indicating a group skilled in network penetration but developing its extortion operations. Victims were targeted across healthcare, manufacturing, energy, and financial services in the United States and Australia. FBI investigations from this period provided the IOC basis for the May 2023 CISA advisory.
The January 2023 Avast decryptor release forced BianLian's strategic pivot. The group progressively reduced encryption activity, focusing resources on the exfiltration and data-theft side of operations while the Go backdoor remained the primary operational tool. Victim postings on the leak site peaked in May 2023 before temporarily declining as defenses improved. New pressure tactics emerged during this period: printer-delivered ransom notes and direct phone calls to employees were added alongside the standard data publication threat. By January 2024, encryption was entirely abandoned. The BianLian leak site saw a 30% increase in postings in Q4 2023 versus Q3 2023, reflecting the operational acceleration of the new pure-extortion model.
GuidePoint Security and GRIT documented a BianLian intrusion in early 2024 in which the group exploited JetBrains TeamCity vulnerabilities (CVE-2024-27198 and CVE-2023-42793) for initial access, gaining entry to a victim's build server environment. This represented a significant TTP evolution — from BianLian's traditional reliance on RDP credential abuse to active exploitation of CI/CD infrastructure vulnerabilities. Once inside, the group deployed a PowerShell implementation of the Go backdoor (web.ps1), used Windows commands for network reconnaissance, compromised two build servers, and deployed Impacket tools for credential harvesting before moving toward data exfiltration. The campaign confirmed BianLian's willingness to adopt exploitation of newly disclosed vulnerabilities as an alternative initial access vector when suitable targets are identified.
BianLian claimed responsibility for an attack on Boston Children's Health Physicians (BCHP), a pediatric healthcare network operating across New York and Connecticut. The attack compromised sensitive pediatric patient data — a particularly high-impact target given the sensitivity of minor health information and the regulatory protections around children's data. The incident was among the more publicly scrutinized BianLian attacks of 2024, occurring as FBI and CISA were preparing the November 2024 updated advisory warning of the group's continued evolution and its disproportionate healthcare sector impact.
Resecurity documented a joint extortion campaign in December 2023 involving BianLian alongside the White Rabbit and Mario ransomware groups — a "Cyber-Extortion Trinity" coordinating attacks against shared targets. The collaboration highlights BianLian's position within a broader cybercriminal ecosystem where groups share resources, tools, and operational partnerships. This documented cooperation, alongside the Makop .NET tool overlap, establishes BianLian as an actor with established dark-web relationships rather than a fully isolated operation.
Tools & Malware
BianLian's core toolset reflects a group that developed sophisticated custom capabilities while also leveraging widely available legitimate utilities for operational coverage. The Go-based backdoor is the group's defining technical artifact.
- Go Backdoor (BianLian custom backdoor): The group's primary post-compromise tool, written in Go and used as both a loader and persistent access mechanism. Core functionality downloads and executes additional payloads from hardcoded C2 addresses. Modules include "mimux" and "soso." The backdoor evolved between 2023 and 2024 — newer versions switched from log.Print to a Logger function for more structured logging. A Linux variant was identified in 2024, extending the tool's platform coverage. The backdoor uses C2 on ports 443, 8443, 80, 8080, and 8000, with 46% of C2 traffic on non-standard ports to diversify detection evasion. The VirusTotal family identifier for hunting is "topcorner."
- Go Encryptor (deprecated — pre-January 2024): A Go-based AES encryptor deployed during the group's double-extortion phase. Appended .bianlian extensions to encrypted files. Only encrypted the middle portion of files (not beginning or end) for speed. Deleted itself after encryption. Required C2 connectivity for encryption key management — a design flaw that enabled both network-based blocking and Avast's January 2023 decryptor. No longer deployed since January 2024.
- Shared .NET Exfiltration Tool (Makop overlap): A small custom .NET executable shared between BianLian and the Makop ransomware group, performing file enumeration, registry access, and clipboard data collection. Contains Russian-language strings (numerals 1–4). The shared use of this tool alongside the same hash of the Advanced Port Scanner utility is the technical basis for the assessed developer-level connection between the two groups.
- Impacket (secretsdump.py): A portable executable version of Impacket's secretsdump is used to harvest NTLM credential hashes from domain controllers, enabling lateral movement and privilege escalation using harvested Windows authentication material without requiring interactive access to each target system.
- SessionGopher: A PowerShell tool that extracts saved credentials from remote access applications including RDP, WinSCP, PuTTY, and FileZilla. Used to harvest credentials from remote access software already installed in the victim environment, enabling access to additional connected systems without requiring further exploitation.
- Ngrok / Rsocks: Ngrok provides encrypted reverse proxy tunneling for C2 communications. A modified version of the open-source Rsocks proxy utility establishes SOCKS5 tunnels from victim networks to attacker infrastructure, masking C2 traffic destinations and complicating network-layer attribution of command and control activity.
- Rclone / Mega / FTP: Cloud synchronization and file transfer tools used for data exfiltration. Rclone syncs victim data to attacker-controlled cloud endpoints using configured profiles. Mega provides anonymous cloud storage. FTP exfiltration uses attacker-operated servers. All three methods blend with legitimate cloud activity in enterprise network traffic.
- Remote Management Tools (RMM abuse): TeamViewer, Atera Agent, Splashtop, AnyDesk, and PDQ Deploy have all been documented in BianLian intrusions as legitimate tools abused for persistent remote access. The group installs these tools post-compromise to maintain connectivity alongside the custom Go backdoor, providing redundant access channels that survive partial remediation.
- Advanced Port Scanner / Network Discovery: The same hash of the publicly available Advanced Port Scanner tool used by BianLian was also documented in Makop ransomware campaigns. Used for network reconnaissance to identify active hosts, open ports, and running services as part of lateral movement preparation.
Indicators of Compromise
Key technical indicators from FBI/CISA advisory AA23-136A (updated November 2024) and supporting research. The full FBI IOC table from investigations through March 2023 is in the CISA advisory; additional 2024 IOCs from TeamCity exploitation campaigns were published by GuidePoint.
BianLian's shift to exfiltration-only means their attacks leave no ransomware payload artifacts. File modification events, encrypted file extensions, and ransom note files dropped on desktops will not appear — the attack completes with data theft and no system disruption. Traditional endpoint detection signatures for ransomware behavior are largely irrelevant for detecting active BianLian intrusions. Prioritize network exfiltration detection and credential anomaly monitoring over file-system-based ransomware detection.
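Detection logic for the two behaviours this section says to prioritise, written as an added example that is not part of the advisory or this profile: periodic C2 check-ins from non-browser processes on the backdoor's ports, and bulk outbound transfers to FTP or Mega. The flow line format, the 500 MB threshold and the jitter cutoff are assumptions, and the flow records are constructed.

```python
"""Flag periodic C2 check-ins from non-browser processes and bulk outbound
transfers to FTP/Mega over constructed flow records (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_PORTS = {443, 8443, 80, 8080, 8000}            # backdoor ports named in the profile
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # expected HTTPS talkers
EXFIL_PORTS = {21}                                 # FTP
EXFIL_HOST_SUFFIXES = ("mega.nz", "mega.co.nz")    # Mega cloud storage
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024           # assumption: 500 MB per host


def parse_flow(line):
    """Parse one constructed flow line: ts host process dst_host dst_ip port bytes_out."""
    ts, host, proc, dst_host, dst_ip, port, out = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": proc.lower(),
            "dst_host": dst_host.lower(), "dst_ip": dst_ip, "port": int(port),
            "bytes_out": int(out)}


def find_beacons(flows, min_hits=5, max_cv=0.15):
    """Return host/process/destination tuples whose connection intervals are near-constant."""
    groups = defaultdict(list)
    for f in flows:
        if f["port"] in C2_PORTS and f["process"] not in BROWSER_PROCESSES:
            groups[(f["host"], f["process"], f["dst_ip"], f["port"])].append(f["ts"])
    hits = []
    for (host, proc, ip, port), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A scripted check-in has low jitter relative to its mean interval.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append({"host": host, "process": proc, "dst": f"{ip}:{port}",
                         "interval_s": round(avg)})
    return hits


def find_bulk_exfil(flows, threshold=BULK_THRESHOLD_BYTES):
    """Sum bytes per host sent to FTP or Mega and return hosts over the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if f["port"] in EXFIL_PORTS or f["dst_host"].endswith(EXFIL_HOST_SUFFIXES):
            totals[f["host"]] += f["bytes_out"]
    return {h: b for h, b in totals.items() if b >= threshold}


# Constructed records: a renamed binary checking in every 60 s on 8443, a browser
# doing ordinary HTTPS, and a file server pushing ~600 MB to an FTP endpoint.
SAMPLE_FLOWS = [parse_flow(l) for l in """
2024-03-04T02:00:00 BUILD01 updater.exe - 203.0.113.10 8443 412
2024-03-04T02:01:00 BUILD01 updater.exe - 203.0.113.10 8443 398
2024-03-04T02:02:00 BUILD01 updater.exe - 203.0.113.10 8443 405
2024-03-04T02:03:00 BUILD01 updater.exe - 203.0.113.10 8443 411
2024-03-04T02:04:00 BUILD01 updater.exe - 203.0.113.10 8443 402
2024-03-04T02:05:00 BUILD01 updater.exe - 203.0.113.10 8443 399
2024-03-04T09:00:00 WS07 chrome.exe cdn.example.com 198.51.100.5 443 2048
2024-03-04T09:00:30 WS07 chrome.exe cdn.example.com 198.51.100.5 443 1900
2024-03-04T09:01:00 WS07 chrome.exe mega.nz 203.0.113.30 443 1048576
2024-03-04T03:10:00 FS01 rclone.exe ftp.example.net 203.0.113.20 21 262144000
2024-03-04T03:25:00 FS01 rclone.exe ftp.example.net 203.0.113.20 21 262144000
2024-03-04T03:40:00 FS01 rclone.exe ftp.example.net 203.0.113.20 21 104857600
""".strip().splitlines()]

if __name__ == "__main__":
    print(find_beacons(SAMPLE_FLOWS))
    print(find_bulk_exfil(SAMPLE_FLOWS))
```

Tune `min_hits` and `max_cv` against your own baseline: too loose and update agents on fixed timers will also surface, which is acceptable noise if the allowlist is maintained.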
Mitigation & Defense
Recommended defensive controls for organizations in BianLian's target profile, informed by FBI/CISA advisory AA23-136A and documented incident response findings. Priority controls address the exfiltration-only model now in use.
- Restrict and Harden RDP — Critical Priority: BianLian's primary initial access vector is RDP with compromised credentials. Disable RDP on all systems where it is not operationally required. Where RDP is necessary, require VPN access before RDP connectivity is permitted. Enforce MFA on all RDP sessions. Implement account lockout policies and alert on RDP login failures and unusual source IPs. The CISA advisory specifically lists strict limitation of RDP as the top recommended mitigation.
- Detect Exfiltration Without Ransomware Indicators: BianLian no longer deploys encryption — traditional ransomware detection based on file modification patterns will not alert on an active BianLian intrusion. Deploy DLP controls and network monitoring specifically tuned for bulk data exfiltration to cloud services (Rclone, Mega) and FTP. Alert on large outbound data transfers, particularly to cloud storage endpoints, at unusual hours or from non-standard source systems.
- Monitor for Go Backdoor Behavior: Hunt for the "topcorner" family in VirusTotal and deploy behavioral signatures for the Go backdoor's C2 patterns — particularly sustained outbound connections on ports 443 and 8443 from non-browser processes. The backdoor checks in with a hardcoded C2 address on a regular interval; DNS and network monitoring should flag unexpected outbound connections from server systems to uncategorized external IPs.
- Rclone and Cloud Sync Tool Controls: Rclone is a significant exfiltration vector. Monitor for Rclone process execution, Rclone configuration file creation (rclone.conf), and rclone sync or copy commands on any system in the environment. Application control policies should prevent unauthorized installation of Rclone and similar cloud sync utilities on production systems.
- Patch Privilege Escalation Vulnerabilities: BianLian exploits CVE-2022-37969 (Windows CLFS driver privilege escalation) and has adopted new vulnerabilities such as TeamCity CVEs. Apply Microsoft and JetBrains patches promptly, particularly for vulnerabilities enabling local privilege escalation or unauthenticated remote code execution on CI/CD infrastructure.
- Restrict PowerShell and Script Execution: BianLian uses PowerShell for AV disablement, credential harvesting, and backdoor delivery (web.ps1). Implement PowerShell Constrained Language Mode for non-administrative users. Enable PowerShell script block logging and module logging to capture executed commands. Alert on PowerShell commands targeting Windows Defender settings, AMSI, or Sophos services.
- Protect Networked Printers from Ransom Note Delivery: BianLian now prints ransom notes directly to compromised networked printers. Segment printer access so that production and administrative systems do not have unrestricted access to printing infrastructure. This limits the group's ability to use printer-delivered notes as a pressure escalation mechanism beyond data publication threats.
- EDR Tamper Protection on All Endpoints: BianLian modifies the Windows Registry to disable tamper protection for Sophos services, and uses batch scripts to disable Windows Defender and AMSI. Ensure endpoint protection platforms have tamper protection enabled — Sophos tamper protection specifically blocked BianLian's disablement attempt in documented cases. Enforce tamper protection policies through your MDM or endpoint management platform so local registry modifications cannot succeed.
- Credential Hygiene and MFA Across All Remote Access: SessionGopher and secretsdump.py are used to harvest credentials from remote access tools and domain controllers. Audit and remove saved passwords from RDP, WinSCP, PuTTY, and similar tools where not operationally necessary. Enforce MFA for all remote access mechanisms. Implement privileged access workstations (PAWs) for domain administrator operations to prevent credential exposure through endpoint compromise.
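Host-side rules for several of the controls above (Rclone execution and rclone.conf creation, PowerShell aimed at Defender or AMSI, and registry writes to the Sophos services named in the profile), written as an added example rather than code from the advisory. Events are constructed in the field layouts of Sysmon (IDs 1, 11, 13) and the PowerShell Operational log (ID 4104); the OriginalFileName check is what catches an Rclone binary renamed after a Windows service.

```python
"""Rules over constructed Sysmon / PowerShell events for the BianLian host
tradecraft listed in the mitigations (added example)."""
import re

SOPHOS_TAMPER_KEYS = ("SAVEnabled", "SEDEnabled", "SAVService")  # service names from the profile
PS_DISABLE_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable", re.I),      # Defender real-time / IOAV off
    re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I),  # AMSI bypass strings
    re.compile(r"Stop-Service\s+.*\bSAV", re.I),            # Sophos services
]


def _tokens(cmd):
    return [t.strip('"') for t in cmd.lower().split()]


def rule_rclone_exec(ev):
    """Event 1: Rclone running, including a renamed binary caught via OriginalFileName."""
    if ev.get("EventID") != 1:
        return False
    toks = _tokens(ev.get("CommandLine", ""))
    named_rclone = bool(toks) and toks[0].endswith("rclone.exe")
    renamed_rclone = ev.get("OriginalFileName", "").lower() == "rclone.exe"
    return named_rclone or renamed_rclone


def rule_rclone_config(ev):
    """Event 11: an rclone.conf written anywhere on disk."""
    return ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith("rclone.conf")


def rule_sophos_tamper(ev):
    """Event 13: registry value set under one of the Sophos service keys."""
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == 13 and any(k.lower() in target for k in SOPHOS_TAMPER_KEYS)


def rule_ps_defense_evasion(ev):
    """Event 4104: script block text that disables Defender, AMSI or Sophos services."""
    text = ev.get("ScriptBlockText", "")
    return ev.get("EventID") == 4104 and any(p.search(text) for p in PS_DISABLE_PATTERNS)


RULES = [
    ("bianlian_rclone_exec", rule_rclone_exec),
    ("bianlian_rclone_config", rule_rclone_config),
    ("bianlian_sophos_tamper", rule_sophos_tamper),
    ("bianlian_ps_defense_evasion", rule_ps_defense_evasion),
]


def evaluate(events):
    """Return (rule name, host, event index) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("Computer", "?"), i))
    return hits


# Constructed events: the first four should fire, the last two are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe copy D:\Shares mega:bk"},
    {"EventID": 11, "Computer": "FS01",
     "TargetFilename": r"C:\Users\svc_backup\AppData\Roaming\rclone\rclone.conf"},
    {"EventID": 13, "Computer": "DC01",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SAVService\Start"},
    {"EventID": 4104, "Computer": "WS07",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 1, "Computer": "WS07", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 11, "Computer": "WS07", "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```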
BianLian's evolution from double-extortion ransomware to exfiltration-only extortion in response to Avast's decryptor is one of the more instructive examples of adversarial adaptation in the ransomware ecosystem. The group's willingness to abandon its core operational model rather than attempt to fix the encryptor demonstrates a sophisticated cost-benefit calculus: the exfiltration side of the business generates comparable leverage with lower technical risk, no decryptor vulnerability, and no file-modification indicators that trigger endpoint detection.

In early 2025, Blackpoint Cyber documented BianLian affiliates using EDRKillShifter, the same EDR disablement tool previously reported in RansomHub attacks, indicating that at least one affiliate (tracked as QuadSwitcher) operates across BianLian, RansomHub, Medusa, and Play simultaneously. This affiliate sharing is significant because it means BianLian's TTPs can appear in incidents nominally attributed to other groups. In March 2025, the FBI also warned of scam letters falsely claiming to be from BianLian as a ransomware extortion tactic; the FBI assessed these as fraudulent, confirming that BianLian's reputation now creates a secondary impersonation threat in which criminal actors leverage the group's name without any actual compromise.
Sources & Further Reading
Attribution and references used to build this profile.
- CISA / FBI / ASD's ACSC — AA23-136A: #StopRansomware: BianLian Ransomware Group (updated Nov 2024)
- Palo Alto Unit 42 — Threat Assessment: BianLian (2024)
- Juniper Networks — BianLian Ransomware Group: 2024 Activity Analysis
- Avast Threat Labs — Decrypted: BianLian Ransomware (Jan 2023)
- Infosecurity Magazine — BianLian Threat Actor Shifts Focus to Extortion-Only Tactics (2024)
- Barracuda — BianLian: The Face-Changing Ransomware Menace (2024)
- Blackpoint Cyber — BianLian Ransomware Threat Profile (2025)
- BankInfoSecurity — Feds Warn of New BianLian Ransomware Group Attack Profile (Nov 2024)
- Cyberint — BianLian Ransomware: Victimology and TTPs (2023)