
Threat Actor Characterization

BianLian Ransomware


ID: 39d34ed11faace68869f7f654a25d27926875
Crimeware Ransomware
Threat types: Ransomware, Intrusion, Exfiltration
Russia USA
Updated: 2026-03-19
Created: 2025-10-21
Progress: 69% Completeness: 68% Freshness: 70%
Operation zone: United States
Aliases: BianLian, BianLian Group (2 of 5 aliases shown in free preview)
MITRE ATT&CK®

BianLian — transitioned from ransomware to pure data-theft extortion in 2023; living-off-the-land and RDP-heavy operations.


Technique | Technique name | Tactics | Evidence
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2022–2025: Use of valid accounts (RDP/VPN) reported across incidents.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2022–2025: Bulk exfiltration prior to extortion/leak-site publication.
T1486 | Data Encrypted for Impact | TA0040
  • 2022: Early operations included encryption payloads; later pivoted to exfiltration-only.
Strategic Intelligence
Last updated: 2025-10-21T23:05:50+00:00
BianLian Ransomware Group — Data-Theft Extortion

CLASSIFICATION: Unclassified / Open Source


Executive Summary

BianLian emerged in 2022 with a Go-based ransomware but pivoted in 2023 to primarily data-theft-only extortion (encryption optional/rare). Operations rely on valid accounts/RDP, living-off-the-land tactics, thorough discovery, bulk exfiltration, and staged leak-site pressure. Confidence: high.

Closed, profit-motivated crew with Tor leak infrastructure; opportunistic and sector-agnostic targeting across regions.

Objective: monetize stolen data (pure extortion). Public shaming and staged disclosures increase pressure on victims.

Social Media & Communication
SOCMINT integrated: 0/4

Address Verification SOCMINT
t.me/bia*********** Restricted Not integrated
t.me/Bia****************** Restricted Not integrated
Address Verification SOCMINT
bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion Restricted Not integrated
bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.