BianLian

BianLian is a Russia-linked ransomware and data-extortion malware/group first observed in attacks in June 2022, with the ransomware itself reported as emerging in August 2022. It has targeted organizations in the U.S. and abroad, including multiple U.S. critical infrastructure sectors, and has also affected Australian organizations. Reported victim sectors include media and entertainment, manufacturing, healthcare, professional services, property development, financial services, mining, and other private enterprises. Public reporting also links BianLian to incidents involving Northern Minerals in Australia, Alpine Ear, Nose, and Throat, and alleged attacks against Collins Aerospace.

BianLian initially operated as a double-extortion ransomware, combining data theft with file encryption, but shifted after Avast released a public decryptor in January 2023. Multiple sources state the group then moved to intensified extortion-only operations without system encryption, and by around January 2024 was operating exclusively as an exfiltration-only extortion actor. The group steals victim data and threatens to leak it if payment is not made.

The ransomware component is described as a Go-based 64-bit Windows executable. Avast analysis states it encrypts data using AES-256-CBC, searches drives A: through Z:, and encrypts files matching 1,013 hardcoded extensions. It uses a fixed hardcoded offset within files rather than encrypting from the beginning, appends the .bianlian extension to encrypted files, drops a ransom note named "Look at this instruction.txt" in affected folders, and self-deletes via "cmd /c del <sample_exe_name>" after execution. Avast noted common observed executable paths/names including C:\Windows\TEMP\mativ.exe, C:\Windows\Temp\Areg.exe, C:\Users%username%\Pictures\windows.exe, and anabolic.exe, and that samples are typically around 2 MB.

According to the FBI, CISA, and ASD’s ACSC, BianLian commonly gains initial access via valid RDP credentials, phishing, and exploitation of public-facing applications, including possible use of the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) against Windows and ESXi environments. The group deploys a custom victim-specific Go backdoor, uses remote management/access tools for persistence and command and control, creates or activates local administrator accounts, changes passwords, and may use Ngrok or a modified Rsocks utility for proxying and SOCKS5 tunnels. Reported post-compromise behavior includes use of PowerShell and cmd to disable defenses such as Windows Defender and AMSI, registry changes to disable Sophos tamper protection, packing executables with UPX, masquerading binaries and scheduled tasks, network and Active Directory discovery with tools such as Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, and PingCastle, credential theft from LSASS, attempts to access NTDS.dit, use of secretsdump.py in portable executable form, lateral movement via PsExec and RDP, firewall modification to allow inbound RDP, SMB lateral movement, creation of domain admin and Azure AD accounts, and installation of Exchange webshells. The advisory also notes exploitation of CVE-2022-37969 for privilege escalation and an artifact named exp.exe likely exploiting Netlogon CVE-2020-1472.

For exfiltration and extortion, BianLian has been reported using FTP, Rclone, and Mega. The group has also been associated in reporting with use of legitimate but vulnerable drivers on Windows to terminate EDR products. Infrastructure reporting linked Aeza Group bulletproof hosting to BianLian activity, and OFAC-sanctioned Aeza infrastructure has been described as enabling ransomware including BianLian.

BianLian remains a prominent ransomware/extortion threat in public reporting and complaint statistics, including being listed among major ransomware threats by the FBI and among common variants in 2024-2025 reporting. High-confidence indicators directly mentioned in the source material include the .bianlian file extension, the ransom note filename "Look at this instruction.txt," and the executable names/paths observed by Avast telemetry.