BianLian
BianLian is a ransomware and data-extortion threat actor first observed in June 2022. Reporting in the provided content states that it has targeted critical infrastructure organizations and private entities in the United States and abroad, including victims in sectors such as healthcare, legal, manufacturing, mining, and aerospace. The group has been associated with both ransomware deployment and data theft for extortion; multiple sources in the content describe it as having shifted by early 2023 to a primarily extortion-only model, without system encryption, after Avast released a decryptor in January 2023.

Other reporting in the content describes a phishing campaign attributed to BianLian that used malicious SVG attachments, shortened links, compromised Brazilian domains, and a Go-based Windows payload with anti-analysis checks and AES file encryption. The content links BianLian to exploitation of TeamCity server vulnerabilities for initial access and to use of a BianLian Go backdoor implemented via PowerShell. It also states that threat groups such as BianLian frequently exploit RDP access.

Tooling and intrusion overlaps in the content connect BianLian with other ransomware operations, including RansomHub, Play, Medusa, ALPHV, Knight, and 8Base. ESET reported clear links between RansomHub, Play, Medusa, and BianLian through shared affiliate tooling, including use of the EDRKillShifter EDR killer, and described an affiliate cluster called QuadSwitcher that conducted intrusions later associated with BianLian leak-site postings. Separate reporting cited shared malware hashes and multi-brand extortion-workflow references across onion infrastructure associated with ALPHV, BianLian, Knight, Play, and 8Base.

Victim examples directly mentioned in the content include Northern Minerals, which was listed on BianLian’s extortion site and had purportedly stolen data published; MedRevenu, which BianLian claimed on its leak site in December 2024; Dordt University, where BianLian reportedly claimed theft of 3 TB; Mosley Click O’Brien, which reported a February 2026 breach claimed by BianLian; and an unconfirmed 2023 claim by BianLian that it breached Collins Aerospace and stole about 20 GB of data. The content also notes FBI and FINRA warnings about mailed extortion letters falsely claiming to be from the “BianLian Group”; those letters were assessed as scams unconnected to the actual BianLian ransomware and data-extortion group. Some reporting in the provided content refers to BianLian as a Russian ransomware group, but that attribution appears only as reporting language in those sources, not as a confirmed government attribution in the supplied material. No sub-groups are directly identified in the content.
Tradecraft
36 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Frequently exploits RDP access and can use the default Windows RDP bitmap cache as a reconnaissance source during intrusions.
Financially motivated ransomware group that compromised an Australian rare earths producer and published stolen data on the dark web.
Threat actor referenced as claiming a data breach against a US financial-sector organization.
Conducting a phishing-led malware campaign targeting companies in Venezuela using malicious SVG attachments, shortened-link redirection through compromised Brazilian domains, and a Go-based payload that performs AES file encryption. The content also notes prior targeting of critical infrastructure in the US and Australia.