Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
BianLian ransomware recovery team on standby
Do NOT attempt to negotiate or pay the BianLian ransomware attackers—this can escalate demands and jeopardize your data. Instead, act swiftly by engaging UnderDefense’s expert incident response team to contain the breach, recover critical systems, and minimize business disruption.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a BianLian attack can make a huge difference and help you make a full recovery. Request 24/7 BianLian ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Based on my research, I now have comprehensive information about BianLian ransomware to create the content. Let me write the introduction following the exact format provided.
Watch out for the key BianLian ransomware IOCs: disabled antivirus tools, suspicious RDP activity, Rclone or Mega installations in unusual folders, PowerShell scripts disabling AMSI, credential dumping from LSASS memory, and tools like PsExec, Advanced Port Scanner, or SharpShares running in your environment.
BianLian abandoned encryption after a free decryptor was released in January 2023, now focusing exclusively on data theft and threatening to leak stolen files via their dark web leak site.
Gains initial access through compromised Remote Desktop Protocol credentials acquired from initial access brokers or phishing campaigns, bypassing perimeter defenses.
Leverages PowerShell scripts and Windows Command Shell to disable Windows Defender, AMSI, and Sophos antivirus, while harvesting credentials and performing network reconnaissance.
Exfiltrates sensitive data using FTP, Rclone synced to cloud storage, or Mega file-sharing service before extortion, often installing tools in unchecked folders like programdata\vmware or music directories.
The ransom note directs you to download Tox messenger or contact via onionmail addresses, threatening to leak financial, client, business, technical, and personal files within days if payment isn't made.
Unfortunately, there is no publicly available decryptor for BianLian attacks that occurred after early 2023. While Avast released a decryptor in early 2023, BianLian responded by abandoning encryption entirely and shifting to pure data extortion. The good news — UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.
Important note: IOCs often change because BianLian constantly updates its tools. This list includes recurring, widely confirmed indicators based on FBI, CISA, ASD’s ACSC, Unit 42, and IR case data.
File extensions
BianLian originally used the .bianlian extension for encrypted files prior to January 2023. Since shifting to extortion-only operations in early 2023, the group no longer encrypts files.
Ransom note filenames
BianLian ransom notes typically appear as:
Look at this instruction.txt
README.txt (in various directories)
*The exact filenames may vary by incident.
BianLian hashes
These are SHA256 hashes used for BianLian backdoor payloads in known attacks:
7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893
c775e6d87a3bcc5e94cd055fee859bdb6350af033114fe8588d2d4d4f6d2a3ae
df51b7b031ecc7c7fa899e17cce98b005576a20a199be670569d5e408d21048c
These encryptor variants were used before the group shifted to extortion-only:
1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
af46356eb70f0fbb0799f8a8d5c0f7513d2f6ade4f16d4869f2690029b511d4f
3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f
BianLian tools
For EDR disabling:
PowerShell scripts (AMSI bypass)
Registry modifications (Sophos tamper protection)
For credential dumping:
Impacket (secretsdump.py portable executable)
LSASS memory dumping via comsvcs.dll
SAM registry hive extraction
SessionGopher (RAT session extraction)
For reconnaissance:
Advanced Port Scanner (Famatech)
SoftPerfect Network Scanner (netscan.exe)
SharpShares (network share enumeration)
PingCastle (Active Directory mapping)
For data exfiltration:
Rclone
FTP
Mega file-sharing service
Custom Go-based backdoor
For lateral movement:
PsExec
RDP with compromised credentials
SMB/Windows Admin Shares
Impacket tools
Malware:
Custom Go-based backdoor (multiple variants)
Custom .NET enumeration tool
exp.exe (possible NetLogon CVE-2020-1472 exploit)
Most common red flag
BianLian almost always runs credential harvesting commands:
cmd.exe /Q /c for /f “tokens=1,2 delims= ” %A in (‘”tasklist /fi “Imagename eq lsass.exe” | find “lsass””‘) do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump %B \Windows\Temp\<file>.csv full
*If you detect LSASS dumping or SAM registry extraction, data exfiltration is imminent.
Attack vector | % of BianLian incidents | Notes |
Compromised RDP | 40–45% | Stolen credentials from initial access brokers |
Exploited vulnerabilities | 25–30% | ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) |
Phishing | 15–20% | Credential harvesting campaigns |
VPN compromise | 8–12% | Targeting VPN providers with weak authentication |
Web shells | 5–8% | Deployed on Exchange servers for persistence |
BianLian is unpredictable and extremely dangerous, especially after their operational shift.
Since January 2023, BianLian stopped encrypting files entirely and moved to pure extortion. They steal massive amounts of data and threaten to publish it within 3–10 days if payment isn’t made. The group follows through on threats — they regularly update their leak site with victim data and have been known to contact employees, partners, and clients directly via phone and email to increase pressure.
Unlike traditional ransomware groups, there is no decryptor to negotiate for. Once data is stolen, you’re entirely dependent on their word that they’ll delete it after payment. Many victims report continued extortion attempts even after paying.
BianLian also escalates pressure through physical mail, phone calls to employees, and printing ransom notes on compromised network printers.
Note: Attempting to remove BianLian malware and self-remedy may lead to greater data loss and continued unauthorized access.
To remove BianLian, immediately engage BianLian ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall).
Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review indicators of compromise (IOCs), including the custom Go-based backdoor, scheduled tasks running as SYSTEM, registry modifications, SAM/LSASS dumps, and any Advanced Port Scanner or Rclone installations. After mapping the intrusion, reimage all infected devices using clean, verified system images.
Finally, rely on BianLian ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating all compromised credentials (especially RDP, VPN, and domain admin accounts), removing unauthorized accounts (local, domain, and Azure AD), and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.
To recover from BianLian ransomware, follow these essential steps:
Immediately isolate affected machines to stop data exfiltration and lateral movement, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware or backdoors.
Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment before full restoration.
Perform a thorough post-incident review to map the complete attack chain from initial access through exfiltration, then harden or rotate all credentials (especially RDP, VPN, domain admin, and service accounts) and remove any unauthorized accounts created by the attackers.
Bring in external IR specialists to audit your environment, ensure complete BianLian eradication, assess the scope of data stolen, and help update your incident-response and business-continuity plans to address extortion-without-encryption scenarios.
BianLian ransom demands typically range from $100,000 to $350,000, with larger enterprises facing demands up to $500,000 or more, depending on the size of the victim organization and the amount of data stolen. Ransoms are almost always demanded in Bitcoin.
Because BianLian conducts pure data extortion (no encryption since early 2023), victims face a single but severe financial threat:
The cost of leaked, stolen, or destroyed data
Regulatory penalties for data breach violations
Reputational damage from public disclosure
Organizations should never attempt ransom negotiation alone — BianLian is known to escalate threats within 3–10 days, publish data when provoked, contact employees and clients directly, and may continue extortion even after payment if communication is mishandled.
Average ransom:
Small business: $100,000 – $200,000
Medium business: $200,000 – $350,000
Large enterprise: $350,000 – $500,000+
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowBianLian is a highly active data extortion group that emerged in 2022 and has rapidly become one of the most prolific threats in the cybercrime landscape. Originally operating as a Ransomware-as-a-Service (RaaS) operation using double-extortion tactics, BianLian shifted its strategy in early 2023 after Avast released a free decryptor. The group now focuses exclusively on data theft and extortion without encrypting files, stealing sensitive corporate data and threatening to publish it on their dark-web leak site unless victims pay ransoms ranging from $250,000 to $500,000. BianLian primarily targets healthcare, manufacturing, and professional services sectors, with most victims located in the United States and Europe.
BianLian operates as a decentralized extortion collective believed to be based in Russia with multiple Russia-based affiliates, according to FBI and Australian intelligence assessments. The group uses Tor-based communication portals, anonymized infrastructure, and constantly shifting command-and-control servers to obscure their physical location and evade law enforcement. While their exact whereabouts remain unconfirmed, the group’s operational security, Russian-language artifacts in their tools, and targeting patterns strongly suggest Russian-speaking threat actors are behind the operation.
BianLian operators typically infiltrate networks through stolen Remote Desktop Protocol (RDP) credentials, compromised VPN access, ProxyShell vulnerability exploitation, or phishing campaigns. Once inside, attackers spend 4-21+ days conducting reconnaissance using tools like Advanced Port Scanner, dumping credentials from the Security Accounts Manager (SAM) registry, and moving laterally across the network. They deploy a custom Go-based backdoor via scheduled tasks using impacket, exfiltrate massive volumes of sensitive data, and then threaten to publish stolen information on their leak site. Unlike traditional ransomware, BianLian no longer encrypts files—they rely purely on the threat of data exposure to extort payment.
BianLian attacks unfold over weeks, not hours. The initial compromise and reconnaissance phase typically lasts 4-21+ days as attackers quietly map your network, steal credentials, exfiltrate data, and establish persistence. During this dwell time, they’re invisible to most security tools, methodically preparing for the extortion phase. Once data theft is complete, victims receive extortion demands with tight deadlines—often 10 days—to pay before stolen data is published on BianLian’s leak site. The entire attack lifecycle from initial access to public data exposure can span 2-4 weeks.
There is no official public list of BianLian victims, but confirmed cases are published on BianLian’s own dark-web leak site and subsequently reported by cybersecurity researchers, threat intelligence platforms, and media outlets tracking ransomware disclosures. Security teams often monitor these leak portals, CTI feeds from vendors like Unit 42 and Recorded Future, and DFIR reports to stay updated on newly named victims. BianLian has been consistently in the top 10 most active extortion groups throughout 2023-2025, with healthcare and manufacturing organizations bearing the brunt of attacks.
You can remove BianLian’s backdoor malware from infected systems, but that doesn’t solve your core problem—your data has already been stolen. Because BianLian shifted away from encryption to pure data extortion, there’s no decryptor needed and no files to recover. The real threat is the terabytes of sensitive data sitting in the attackers’ hands. Proper remediation requires professional incident response to fully eradicate the backdoor, close all access points, hunt for persistence mechanisms, and assess the scope of data exfiltration. Simply deleting the malware leaves your organization vulnerable to re-compromise and does nothing to prevent data publication.
When BianLian compromises your network, they operate silently for weeks—stealing credentials, mapping your infrastructure, and exfiltrating massive volumes of sensitive data including financial records, employee information, customer data, intellectual property, and confidential business documents. You may not know you’ve been breached until you receive an extortion demand via email, Tox messenger, or in some recent cases, a physical letter mailed to your CEO demanding $250,000-$500,000 in cryptocurrency. BianLian threatens to publish all stolen data on their leak site within 10 days if you don’t pay, exposing your organization to regulatory fines, lawsuits, reputational damage, and competitive harm.
BianLian attacks are best prevented through layered security controls: strictly limit RDP and remote desktop services with phishing-resistant MFA, patch ProxyShell and other critical vulnerabilities within 48 hours, deploy EDR with behavioral detection across all endpoints, implement 24/7 SIEM monitoring for credential dumping and lateral movement, segment networks to contain breaches, harden identity and privileged access management, secure VPN access with strong authentication, protect backups with immutability and offline copies, and conduct regular security awareness training focused on credential theft. Network visibility and threat hunting are critical since BianLian operates stealthily for weeks before extortion.
Here’s a BianLian prevention checklist to help your organization block, detect, and contain extortion attacks:
Strictly limit RDP access and enforce VPN with phishing-resistant MFA
Patch ProxyShell and critical vulnerabilities within 48 hours
Deploy EDR with behavioral threat protection on all endpoints
Enable 24/7 SIEM monitoring for SAM dumping and credential theft
Monitor for Advanced Port Scanner and impacket tool usage
Implement network segmentation to limit lateral movement
Restrict privileged access and enforce least-privilege principles
Protect backups with immutability and MFA-controlled access
Deploy data loss prevention (DLP) to detect mass exfiltration
Conduct regular IR tabletop exercises for extortion scenarios