
BianLian

BianLian is an extortion group first observed in Arete engagements in June 2022. Initially, the group operated with a double extortion model, but around January 2023, it shifted to an extortion-only model after a decryptor for its ransomware executable was released. Since then, BianLian has remained a data extortion-only threat group, typically gaining initial access via Remote Desktop Protocol (RDP) credentials or third-party remote access tools.

Notable TTPs

  • BianLian uses a Trojan written in the Go programming language to retain access to a victim’s environment. Go lets the group modify the code quickly, helps it evade detection, and makes the binary harder for researchers to analyze.
  • Since switching to an extortion-only model, BianLian has become notorious for its highly aggressive pressure tactics: it repeatedly calls and messages employees of victimized companies to push them to pay the ransom.


Arete Analyst Notes

Although the BianLian extortion group is rarely among the most active groups month-to-month, it has remained a consistent threat since 2022. By focusing exclusively on data theft, the group has come to impact the highest average number of individuals per data breach. Coupled with its aggressive pressure tactics, this resulted in victims paying a ransom in 52% of all BianLian engagements in 2024, compared with just 29% of engagements across all threat groups combined. Given these extortion successes, we anticipate the group will remain a persistent threat throughout 2025.

Since late February 2025, Arete has observed several incidents involving ransom letters sent via the postal service and claiming to be from BianLian. Information collected through Arete engagements and available open-source reporting has not definitively confirmed who is sending these letters, but Arete assesses that it is unlikely they originated from the BianLian extortion group. Additionally, Arete has found no indication of data exfiltration in the engagements we have investigated for clients who received one of these letters. On Thursday, March 6, the FBI issued a public service announcement stating that it had found no connection to BianLian and assessing that the letters were likely a scam.