What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a BianLian attack can make a huge difference and help you make a full recovery. Request 24/7 BianLian ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

BianLian ransomware statistics & facts

BianLian decryptor
BianLian IOCs
BianLian vectors
Case outcomes
How to remove BianLian ransomware?
How to recover from BianLian ransomware?
Ransom amounts
BianLian decryptor

Unfortunately, there is no publicly available decryptor for BianLian attacks that occurred after early 2023. While Avast released a decryptor in early 2023, BianLian responded by abandoning encryption entirely and shifting to pure data extortion. The good news — UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.

BianLian IOCs

Important note: IOCs often change because BianLian constantly updates its tools. This list includes recurring, widely confirmed indicators based on FBI, CISA, ASD’s ACSC, Unit 42, and IR case data.

File extensions
BianLian originally used the .bianlian extension for encrypted files prior to January 2023. Since shifting to extortion-only operations in early 2023, the group no longer encrypts files.

Ransom note filenames
BianLian ransom notes typically appear as:

Look at this instruction.txt
README.txt (in various directories)

*The exact filenames may vary by incident.

BianLian hashes
These are SHA256 hashes used for BianLian backdoor payloads in known attacks:

7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893
c775e6d87a3bcc5e94cd055fee859bdb6350af033114fe8588d2d4d4f6d2a3ae
df51b7b031ecc7c7fa899e17cce98b005576a20a199be670569d5e408d21048c

These encryptor variants were used before the group shifted to extortion-only:

1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
af46356eb70f0fbb0799f8a8d5c0f7513d2f6ade4f16d4869f2690029b511d4f
3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f

BianLian tools
For EDR disabling:

PowerShell scripts (AMSI bypass)
Registry modifications (Sophos tamper protection)

For credential dumping:

Impacket (secretsdump.py portable executable)
LSASS memory dumping via comsvcs.dll
SAM registry hive extraction
SessionGopher (RAT session extraction)

For reconnaissance:

Advanced Port Scanner (Famatech)
SoftPerfect Network Scanner (netscan.exe)
SharpShares (network share enumeration)
PingCastle (Active Directory mapping)

For data exfiltration:

Rclone
FTP
Mega file-sharing service
Custom Go-based backdoor

For lateral movement:

PsExec
RDP with compromised credentials
SMB/Windows Admin Shares
Impacket tools

Malware:

Custom Go-based backdoor (multiple variants)
Custom .NET enumeration tool
exp.exe (possible NetLogon CVE-2020-1472 exploit)

Most common red flag
BianLian almost always runs credential harvesting commands:

cmd.exe /Q /c for /f “tokens=1,2 delims= ” %A in (‘”tasklist /fi “Imagename eq lsass.exe” | find “lsass””‘) do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump %B \Windows\Temp\<file>.csv full

*If you detect LSASS dumping or SAM registry extraction, data exfiltration is imminent.

BianLian vectors

Attack vector

% of BianLian incidents

Notes

Compromised RDP

40–45%

Stolen credentials from initial access brokers

Exploited vulnerabilities

25–30%

ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

Phishing

15–20%

Credential harvesting campaigns

VPN compromise

8–12%

Targeting VPN providers with weak authentication

Web shells

5–8%

Deployed on Exchange servers for persistence

Powered By WP Table Builder
Case outcomes

BianLian is unpredictable and extremely dangerous, especially after their operational shift.

Since January 2023, BianLian stopped encrypting files entirely and moved to pure extortion. They steal massive amounts of data and threaten to publish it within 3–10 days if payment isn’t made. The group follows through on threats — they regularly update their leak site with victim data and have been known to contact employees, partners, and clients directly via phone and email to increase pressure.

Unlike traditional ransomware groups, there is no decryptor to negotiate for. Once data is stolen, you’re entirely dependent on their word that they’ll delete it after payment. Many victims report continued extortion attempts even after paying.

BianLian also escalates pressure through physical mail, phone calls to employees, and printing ransom notes on compromised network printers.

How to remove BianLian ransomware?

Note: Attempting to remove BianLian malware and self-remedy may lead to greater data loss and continued unauthorized access.

To remove BianLian, immediately engage BianLian ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall).

Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review indicators of compromise (IOCs), including the custom Go-based backdoor, scheduled tasks running as SYSTEM, registry modifications, SAM/LSASS dumps, and any Advanced Port Scanner or Rclone installations. After mapping the intrusion, reimage all infected devices using clean, verified system images.

Finally, rely on BianLian ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating all compromised credentials (especially RDP, VPN, and domain admin accounts), removing unauthorized accounts (local, domain, and Azure AD), and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.

How to recover from BianLian ransomware?

To recover from BianLian ransomware, follow these essential steps:

Immediately isolate affected machines to stop data exfiltration and lateral movement, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware or backdoors.

Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment before full restoration.

Perform a thorough post-incident review to map the complete attack chain from initial access through exfiltration, then harden or rotate all credentials (especially RDP, VPN, domain admin, and service accounts) and remove any unauthorized accounts created by the attackers.

Bring in external IR specialists to audit your environment, ensure complete BianLian eradication, assess the scope of data stolen, and help update your incident-response and business-continuity plans to address extortion-without-encryption scenarios.

Ransom amounts

BianLian ransom demands typically range from $100,000 to $350,000, with larger enterprises facing demands up to $500,000 or more, depending on the size of the victim organization and the amount of data stolen. Ransoms are almost always demanded in Bitcoin.

Because BianLian conducts pure data extortion (no encryption since early 2023), victims face a single but severe financial threat:

The cost of leaked, stolen, or destroyed data
Regulatory penalties for data breach violations
Reputational damage from public disclosure

Organizations should never attempt ransom negotiation alone — BianLian is known to escalate threats within 3–10 days, publish data when provoked, contact employees and clients directly, and may continue extortion even after payment if communication is mishandled.

Average ransom:

Small business: $100,000 – $200,000
Medium business: $200,000 – $350,000
Large enterprise: $350,000 – $500,000+

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is BianLian ransomware?

BianLian is a highly active data extortion group that emerged in 2022 and has rapidly become one of the most prolific threats in the cybercrime landscape. Originally operating as a Ransomware-as-a-Service (RaaS) operation using double-extortion tactics, BianLian shifted its strategy in early 2023 after Avast released a free decryptor. The group now focuses exclusively on data theft and extortion without encrypting files, stealing sensitive corporate data and threatening to publish it on their dark-web leak site unless victims pay ransoms ranging from $250,000 to $500,000. BianLian primarily targets healthcare, manufacturing, and professional services sectors, with most victims located in the United States and Europe.

Where is the BianLian ransomware gang located?

BianLian operates as a decentralized extortion collective believed to be based in Russia with multiple Russia-based affiliates, according to FBI and Australian intelligence assessments. The group uses Tor-based communication portals, anonymized infrastructure, and constantly shifting command-and-control servers to obscure their physical location and evade law enforcement. While their exact whereabouts remain unconfirmed, the group’s operational security, Russian-language artifacts in their tools, and targeting patterns strongly suggest Russian-speaking threat actors are behind the operation.

How does BianLian ransomware work?

BianLian operators typically infiltrate networks through stolen Remote Desktop Protocol (RDP) credentials, compromised VPN access, ProxyShell vulnerability exploitation, or phishing campaigns. Once inside, attackers spend 4-21+ days conducting reconnaissance using tools like Advanced Port Scanner, dumping credentials from the Security Accounts Manager (SAM) registry, and moving laterally across the network. They deploy a custom Go-based backdoor via scheduled tasks using impacket, exfiltrate massive volumes of sensitive data, and then threaten to publish stolen information on their leak site. Unlike traditional ransomware, BianLian no longer encrypts files—they rely purely on the threat of data exposure to extort payment.

How long do BianLian ransomware attacks last?

BianLian attacks unfold over weeks, not hours. The initial compromise and reconnaissance phase typically lasts 4-21+ days as attackers quietly map your network, steal credentials, exfiltrate data, and establish persistence. During this dwell time, they’re invisible to most security tools, methodically preparing for the extortion phase. Once data theft is complete, victims receive extortion demands with tight deadlines—often 10 days—to pay before stolen data is published on BianLian’s leak site. The entire attack lifecycle from initial access to public data exposure can span 2-4 weeks.

Where can I find a BianLian victims list?

There is no official public list of BianLian victims, but confirmed cases are published on BianLian’s own dark-web leak site and subsequently reported by cybersecurity researchers, threat intelligence platforms, and media outlets tracking ransomware disclosures. Security teams often monitor these leak portals, CTI feeds from vendors like Unit 42 and Recorded Future, and DFIR reports to stay updated on newly named victims. BianLian has been consistently in the top 10 most active extortion groups throughout 2023-2025, with healthcare and manufacturing organizations bearing the brunt of attacks.

Can BianLian ransomware be deleted?

You can remove BianLian’s backdoor malware from infected systems, but that doesn’t solve your core problem—your data has already been stolen. Because BianLian shifted away from encryption to pure data extortion, there’s no decryptor needed and no files to recover. The real threat is the terabytes of sensitive data sitting in the attackers’ hands. Proper remediation requires professional incident response to fully eradicate the backdoor, close all access points, hunt for persistence mechanisms, and assess the scope of data exfiltration. Simply deleting the malware leaves your organization vulnerable to re-compromise and does nothing to prevent data publication.

What happens when you get hit by BianLian?

When BianLian compromises your network, they operate silently for weeks—stealing credentials, mapping your infrastructure, and exfiltrating massive volumes of sensitive data including financial records, employee information, customer data, intellectual property, and confidential business documents. You may not know you’ve been breached until you receive an extortion demand via email, Tox messenger, or in some recent cases, a physical letter mailed to your CEO demanding $250,000-$500,000 in cryptocurrency. BianLian threatens to publish all stolen data on their leak site within 10 days if you don’t pay, exposing your organization to regulatory fines, lawsuits, reputational damage, and competitive harm.

How can BianLian attacks be prevented?

BianLian attacks are best prevented through layered security controls: strictly limit RDP and remote desktop services with phishing-resistant MFA, patch ProxyShell and other critical vulnerabilities within 48 hours, deploy EDR with behavioral detection across all endpoints, implement 24/7 SIEM monitoring for credential dumping and lateral movement, segment networks to contain breaches, harden identity and privileged access management, secure VPN access with strong authentication, protect backups with immutability and offline copies, and conduct regular security awareness training focused on credential theft. Network visibility and threat hunting are critical since BianLian operates stealthily for weeks before extortion.

What is a BianLian prevention checklist?

Here’s a BianLian prevention checklist to help your organization block, detect, and contain extortion attacks:

Strictly limit RDP access and enforce VPN with phishing-resistant MFA
Patch ProxyShell and critical vulnerabilities within 48 hours
Deploy EDR with behavioral threat protection on all endpoints
Enable 24/7 SIEM monitoring for SAM dumping and credential theft
Monitor for Advanced Port Scanner and impacket tool usage
Implement network segmentation to limit lateral movement
Restrict privileged access and enforce least-privilege principles
Protect backups with immutability and MFA-controlled access
Deploy data loss prevention (DLP) to detect mass exfiltration
Conduct regular IR tabletop exercises for extortion scenarios