BianLian Ransomware Gang Continues to Evolve

Executive Summary

Since our initial report on the ransomware group known as BianLian, we have continued to keep an eye on their activities. Unfortunately, and sadly not surprisingly, the group continues to operate and add to their ever-growing list of victims. Having continued to research BianLian for the past six months or so, we felt the time was right to share an update and some of our findings with the larger community.

In short, BianLian continues to exhibit a high level of operational security and skill in network penetration, seeming to have also found their stride in the pace of their operations. At the same time, the group has been improving their ability to operate the business side of a ransomware organization. Yet perhaps most notably, BianLian has shifted the main focus of their attacks away from ransoming encrypted files to focus more on data-leak extortion as a means to extract payments from victims. Furthermore, they have been attempting to amplify the effectiveness of these extortion threats by tailoring the messages delivered to specific victims in an effort to increase the pressure felt by the organizations.

Same Tactics and Techniques

Much like the old adage “If it ain’t broke, don’t fix it”, BianLian continues to use very similar Tactics, Techniques, and Procedures (TTPs) that were detailed in our first report to perform their initial access and lateral movement within a victim’s network. The group continues to maintain and deploy their custom backdoor, written in Go, which provides another means of remote access to a compromised network. While BianLian has made small tweaks here and there to their backdoor such as updating various support libraries and attempting to better hide in plain sight in some scenarios, the core functionality of their backdoor remains unchanged.

Command and Control Infrastructure

As we’ve learned more from watching the group, we have been able to get a better understanding of the temporal relationship of how BianLian will typically bring a command and control (C2) server online relative to the deployment of their custom backdoor. We have observed multiple instances where BianLian has compiled a backdoor within minutes of when they bring a C2 server online. Sometimes, the binary is created before the C2 is live while in other instances the order is reversed. With such a tight coupling of infrastructure and malware deployment, by the time a BianLian C2 is discovered it is likely that the group has already established a solid foothold into a victim’s network.

In terms of numbers, BianLian appears to have found their stride in the number of C2’s they require to sustain their operations. As figure 1 illustrates, the group appears to bring close to 30 new C2 servers online each month. Thus far in the first half of March, BianLian continues at pace, having already brought 11 new C2 servers online. With an average C2 lifespan of approximately two weeks, the total number of active C2 servers online at any given time is always in flux.

Figure 1 - C2 Servers Brought Online
Figure 1

Less Encryption, More Extortion

Perhaps one of the most interesting changes we’ve seen BianLian make to their operations is how they appear to have responded to Avast’s release of a decryption tool that would allow a victim of BianLian to decrypt and recover their files. While BianLian was quick to acknowledge the release of the decryption tool with a short and somewhat terse response posted on their leak site, the group has since chosen to remove the note (shown below for posterity.)

“If you have questions about Avast’s decryptor, you need to know that for each company we create an unique key. Avast published their decrypt tool for build released at summer 2022. It will corrupt any files encrypted by another builds.

For most companies we don’t use crypt and give to managers the opportunity to decide their security issues without notifying lawyers and government departments.

They have the right to decide themselves because third parties force them to company’s suicide.

After these notifications and cooperation company lose reputation and get financial losses in most cases.

So we recommend to write us ASAP and don’t lose time”

The release of the tool appears to have brought about a shift in how BianLian attempts to monetize the successful compromise of a victim. Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims’ data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence. The group promises that after they are paid, they will not leak the stolen data or otherwise disclose the fact the victim organization has suffered a breach. BianLian offers these assurances based on the fact that their “business” depends on their reputation.

“Our business depends on the reputation even more than many others. If we will take money and spread your information- we will have issues with payments in future. So, we will stick to our promises and reputation. That works in both ways: if we said that we will email all your staff and publicly spread all your data- we will.”

While the tactics (email, phone calls, and general harassment) and threats (release of stolen data, reputation damage, and embarrassment) BianLian employs to try and and extract a payment are similar with other ransomware groups, we have seen BianLian take the time to do their research to tailor the threat to their victims. In several instances, BianLian made reference to legal and regulatory issues a victim would face were it to become public that the organization had suffered a breach. The group has also gone so far as to include specific references to the subsections of several laws and statutes. While the applicability of the laws (to the victim and their data) referenced by BianLian would need to be assessed by the courts, at first glance, the laws referenced by the actors did in fact correspond to the jurisdiction where the victim was located. This attention to detail shows that the criminal gang is taking the extra time to tailor threats to their victims to maximize the pressure to pay the ransom.

As if harassing messages and references to seemingly accurate legal issues weren’t enough, BianLian has also increased the frequency in their use of a tactic popular among some ransomware groups: the posting of masked victim details to their leak site. In these scenarios, the ransomware group will post varying degrees of detail about a victim organization, typically masking all but a few letters from the company’s name while at the same time including high level details such as the victim’s industry vertical, geographical location, and revenue numbers.

While BianLian was known to use the masked victim pressure tactic prior to the release of the free decryption tool, the group’s use of the technique has exploded after the release of the tool. Between July 2022 and mid-January 2023, BianLian posted the masked details of victims 14 times. This accounted for 16% of the postings to their leak site during the nearly seven-month timeframe. In just the two months after the decryptor was released, BianLian has already posted details on 22 masked victims, accounting for over half of their postings at 53%.

The speed at which BianLian posts the masked details has also increased over time. If one is to accept the Date of Compromise listed by BianLian as accurate (is there honor amongst thieves?), the group averages just ten days from an initial compromise to ratcheting up the pressure on a victim by posting masked details. In some instances, BianLian appears to have posted masked details within 48 hours of a compromise.

With this shift in tactics, a more reliable leak site, and an increase in the speed of leaking victim data, it appears that the previous underlying issues of BianLian’s inability to run the business side of a ransomware campaign appear to have been addressed. Unfortunately, these improvements in their business acumen are likely the result of gaining more experience through their successful compromise of victim organizations.


In the ransomware space, the exact number of victims can never truly be known. However, as of March 13, 2023, BianLian details 118 victim organizations on their leak site. The group continues to take the time to categorize the industry vertical of their victims and tag the corresponding data. When looking at the data, as labeled by BianLian themselves, it is unfortunate to note that organizations that fall under the broader category of Healthcare represent the single largest industry vertical victimized by the group.

Figure 2 - Victim Industry as Labeled by BianLian
Figure 2

And while ransomware is an issue faced by organizations across the globe, in the case of BianLian, the overwhelming majority of their victims are those located within the United States.

Figure 3 - Victim Organization by Country
Figure 3


As we track BianLian’s activities, we continue to gather evidence for attribution. While we have a working theory based on some promising indicators, we believe it would be irresponsible to make any public statements at this time. We value our analytic integrity and will wait until we have enough high-confidence evidence before making any statements of attribution.

Indicators of Compromise


  • 076e59781d0759de35022291c3d63bbf4227bd79561d80f52c9073a6278c5077
  • 0772fb1102685def711ffe647080e1a9b6597fe60e8f1afe7b457ac97c6ac25e
  • 16cbfd155fb44c6fd0f9375376f62a90ac09f8b7689c1afb5b9b4d3e76e28bdf
  • 183b28fb93db1c907b32aa9fa2f83c7b0ebcc6724de85707a89e5d03c5be5d12
  • 1cba58f73221b5bb7930bfeab0106ae5415e70f49a595727022dcf6fda1126e9
  • 207078c70be916bb7d2ad4d206d2dca37406f84313f88699fa57fa9745a055bb
  • 228ef7e0a080de70652e3e0d1eab44f92f6280494c6ba98455111053701d3759
  • 38d6ec5f93f6722c3573989f1463fb1cba1c01c3a1a0579f329e0d625c57070b
  • 42b0606aa2c765c0b0789b47ebd3a3f43144dc0c20b2ff6db648ac5feb0a37a3
  • 45f76c5c5126501018f907f886dd23a56dd882ee7d4f41c41d732612b2e4da88
  • 46fa9a69989b79b56495a1ece8a45d6d5ae43c600b8a13ef88f3eb9d84efda02
  • 487f0d748a13570a46b20b6687eb7b7fc70a1a55e676fb5ff2599096a1ca888c
  • 4ca84be5b6ab91694a0f81350cefe8379efcad692872a383671ce4209295edc7
  • 53095e2ad802072e97dbb8a7ccea03a36d1536fce921c80a7a2f160c83366999
  • 55016f61b9880be414cc4e1280d6bb620cfbe5e1e8e12e305a304d3dff7e209c
  • 597c492a5af56d935d360fcfd2c1e89928dde492c86975f2c5cc33ec90b042ce
  • 60b1394f3afee27701e2008f46d766ef466caa7711c45ddfd443a71efc39a407
  • 61dfe2ccdc7cee55cf0530064499a52bf93bc6c3d8996ed013fcc5692e94c73a
  • 667821f5996855bf83507fb1009f5d8d36c1258aa3c776106d453200f3bb0ed3
  • 77617775dc6fa8b893607d52c3282ece1912bcdd0b583b418399af2eade249b8
  • 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893
  • 93953eef3fe8405d563560dc332135bfe5874ddeb373d714862f72ee62bef518
  • 93fb7f0c2cf10fb5885e03c737ee8508816c1102e9e3d358160b78e91fa1ebdb
  • 96e02ea8b1c508f1ee3c1535547f9b89396f557011e61478644ae5876cdaaca5
  • a8e999a7a77d3b9846250a34ebda7d80ea83a79b3714b1f7ac8f92bc52a895fd
  • a92dd4885af317d36cd62dac31d0d5c93febd367e8f4412e7593fb48c9f34256
  • ac1d42360c45e0e908d07e784ceb15faf8987e4ba1744d56313de6524d2687f7
  • adefaad2a9c449d0e9fabb5035422a6ce31d0f26b0109a7c2911f570a6c74144
  • afb7f11da27439a2e223e6b651f96eb16a7e35b34918e501886d25439015bf78
  • b4249f2effb8dd651458c831d38155346c1e2d30b191bf37197ffa5164d25f7c
  • ba3c4bc99b67038b42b75a206d7ef04f6d8abaf87a76c373d4dec85e73859ce2
  • c62371f129d19707870c0f9a89b0f8a65970aed02537e358e532e4416bc8678e
  • dcc7115496faa0797c32bb6d5d823821f19f5177e09e05dbe0151a6b9e1edfb7
  • dd03ea7ba369fc9df641c09f29e4abcb8378b5a8dadd3d7c14d47449525f1716
  • e136d635de39d23cef600cc53efd671f1e8aba7d982bde152b21ea1f7c04703e
  • e7e097723d00f58eab785baf30365c1495e99aa6ead6fe1b86109558838d294e
  • ea5c88fe464562227f483e8fc4eb2cf43e98a897aaaa3e94de4d236d5dc6e7e7
  • f3a4fb09a0498e7ab3b33338ca6bc03460e43d437d9f3afbfc1a521c1029ff19
  • f3f3c692f728b9c8fd2e1c090b60223ac6c6e88bf186c98ed9842408b78b9f3c
  • f6669de3baa1bca649afa55a14e30279026e59a033522877b70b74bfc000e276
  • f84edc07b23423f2c2cad47c0600133cab3cf2bd6072ad45649d6faf3b70ec30


  • 117a057829cd9abb5fba20d3ab479fc92ed64c647fdc1b7cd4e0f44609d770ea
  • 3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f
  • 46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b
  • 7f91e10c39e0a77c83af3ef48061cbb73194c793f9c3c8bc7fa1aa0fc75eb385
  • f77433e517f493ca54e6a4603e51739053ebfac03d2764ad9d1f7e00cfadefa0

Active IPs

  • 104.223.0[.]85
  • 104.234.118[.]129
  • 104.238.35[.]26
  • 155.94.160[.]243
  • 173.232.2[.]41
  • 185.99.133[.]112
  • 192.161.48[.]51
  • 204.152.203[.]94
  • 208.123.119[.]100
  • 35.157.43[.]44
  • 45.86.163[.]228
  • 52.53.186[.]224
  • 54.144.145[.]126
  • 66.85.156[.]83

Historical IPs

  • 102.129.214[.]35
  • 103.199.17[.]27
  • 103.20.235[.]122
  • 103.20.235[.]188
  • 104.200.67[.]156
  • 104.200.67[.]244
  • 104.200.67[.]31
  • 104.200.73[.]239
  • 104.216.17[.]42
  • 104.217.8[.]125
  • 104.225.168[.]249
  • 104.238.35[.]146
  • 104.238.57[.]205
  • 104.238.61[.]153
  • 104.238.61[.]218
  • 104.255.168[.]249
  • 138.124.183[.]149
  • 139.177.146[.]46
  • 139.177.146[.]46
  • 139.99.176[.]57
  • 139.99.52[.]102
  • 142.202.205[.]89
  • 144.208.127[.]155
  • 144.208.127[.]18
  • 146.19.173[.]121
  • 146.59.102[.]74
  • 146.70.161[.]27
  • 146.70.87[.]197
  • 146.71.81[.]102
  • 149.154.158[.]120
  • 149.154.158[.]153
  • 149.154.158[.]154
  • 149.154.158[.]56
  • 15.188.49[.]63
  • 157.254.194[.]223
  • 158.247.200[.]185
  • 158.255.215[.]58
  • 162.33.177[.]94
  • 167.114.188[.]41
  • 172.96.137[.]114
  • 172.96.137[.]153
  • 172.96.137[.]220
  • 172.96.137[.]224
  • 172.96.137[.]249
  • 172.96.137[.]29
  • 172.96.188[.]109
  • 172.96.188[.]52
  • 172.96.189[.]158
  • 173.254.204[.]78
  • 173.44.226[.]73
  • 18.159.131[.]209
  • 185.214.10[.]116
  • 185.243.112[.]166
  • 185.243.115[.]30
  • 185.56.137[.]117
  • 188.34.155[.]224
  • 192.161.48[.]60
  • 192.169.6[.]79
  • 192.52.167[.]135
  • 194.71.227[.]52
  • 195.201.127[.]139
  • 198.252.101[.]244
  • 198.252.109[.]40
  • 198.252.109[.]57
  • 198.252.109[.]78
  • 206.189.128[.]5
  • 208.123.119[.]230
  • 208.123.119[.]240
  • 208.123.119[.]48
  • 209.182.225[.]124
  • 212.46.38[.]118
  • 216.120.201[.]107
  • 216.146.25[.]60
  • 217.195.153[.]177
  • 23.163.0[.]168
  • 23.229.117[.]247
  • 3.134.86[.]154
  • 35.183.14[.]149
  • 37.220.31[.]104
  • 37.220.31[.]17
  • 37.235.54[.]42
  • 37.235.54[.]52
  • 44.212.9[.]14
  • 45.128.156[.]10
  • 45.128.156[.]3
  • 45.128.156[.]43
  • 45.145.186[.]188
  • 45.33.119[.]19
  • 45.56.165[.]17
  • 45.61.136[.]152
  • 45.66.249[.]118
  • 45.86.230[.]64
  • 46.246.96[.]53
  • 5.230.70[.]23
  • 5.230.72[.]245
  • 5.230.73[.]234
  • 5.230.73[.]37
  • 51.222.96[.]1
  • 52.87.206[.]242
  • 54.227.224[.]229
  • 66.85.147[.]22
  • 72.11.134[.]215
  • 81.17.28[.]71
  • 85.239.52[.]96
  • 85.239.53[.]168
  • 96.44.135[.]76
  • 96.44.156[.]206
  • 96.44.157[.]203

IP Context

Active C2s

IP AddressFirst Seen
104.223.0[.]85Early March
104.234.118[.]129Early March
104.238.35[.]26Early March
155.94.160[.]243Mid February
173.232.2[.]41Late February
185.99.133[.]112Late February
192.161.48[.]51Early March
204.152.203[.]94Mid March
208.123.119[.]100Mid March
35.157.43[.]44Late February
45.86.163[.]228Early March
52.53.186[.]224Mid March
54.144.145[.]126Mid March
66.85.156[.]83Late February

Historical C2s

IP AddressFirst SeenLast Seen
102.129.214[.]35Mid OctoberLate October
103.199.17[.]27Mid DecemberMid January
103.20.235[.]122Late OctoberEarly December
103.20.235[.]188Early SeptemberLate September
104.200.67[.]156Late JanuaryMid February
104.200.67[.]244Early FebruaryEarly March
104.200.67[.]31Early DecemberMid January
104.200.73[.]239Early FebruaryEarly March
104.216.17[.]42Early OctoberEarly November
104.217.8[.]125Mid NovemberMid December
104.225.168[.]249Late JanuaryMid February
104.238.35[.]146Early NovemberMid December
104.238.57[.]205Late NovemberLate December
104.238.61[.]153Late OctoberEarly November
104.238.61[.]218Mid OctoberLate November
104.255.168[.]249Mid JanuaryMid February
138.124.183[.]149Late JanuaryEarly March
139.177.146[.]46Early DecemberLate December
139.177.146[.]46Early DecemberLate December
139.99.176[.]57Mid NovemberMid December
139.99.52[.]102Late JanuaryEarly March
142.202.205[.]89Late OctoberEarly December
144.208.127[.]155Early DecemberMid January
144.208.127[.]18Early FebruaryEarly March
146.19.173[.]121Late OctoberMid November
146.59.102[.]74Late SeptemberLate October
146.70.161[.]27Mid DecemberMid January
146.70.87[.]197Mid SeptemberMid October
146.71.81[.]102Mid OctoberMid November
149.154.158[.]120Early JanuaryEarly February
149.154.158[.]153Late JanuaryEarly March
149.154.158[.]154Early DecemberMid January
149.154.158[.]56Early JanuaryEarly February
15.188.49[.]63Mid FebruaryLate February
157.254.194[.]223Early FebruaryEarly March
158.247.200[.]185Late SeptemberLate September
158.255.215[.]58Late OctoberLate November
162.33.177[.]94Late SeptemberLate October
167.114.188[.]41Late SeptemberLate October
172.96.137[.]114Mid SeptemberLate September
172.96.137[.]153Mid DecemberLate January
172.96.137[.]220Mid JanuaryLate February
172.96.137[.]224Early NovemberEarly December
172.96.137[.]249Mid DecemberMid January
172.96.137[.]29Mid DecemberLate January
172.96.188[.]109Late OctoberEarly December
172.96.188[.]52Early SeptemberLate September
172.96.189[.]158Mid NovemberLate December
173.254.204[.]78Mid DecemberEarly January
173.44.226[.]73Late DecemberLate January
18.159.131[.]209Late JanuaryMid February
185.214.10[.]116Mid JanuaryMid February
185.243.112[.]166Late JanuaryLate February
185.243.115[.]30Mid DecemberMid January
185.56.137[.]117Mid DecemberEarly January
188.34.155[.]224Early NovemberLate November
192.161.48[.]60Early DecemberEarly February
192.169.6[.]79Late DecemberLate January
192.52.167[.]135Late SeptemberMid October
194.71.227[.]52Late OctoberLate November
195.201.127[.]139Late OctoberMid November
198.252.101[.]244Mid OctoberLate November
198.252.109[.]40Late DecemberEarly February
198.252.109[.]57Early DecemberMid January
198.252.109[.]78Late OctoberEarly December
206.189.128[.]5Early OctoberMid November
208.123.119[.]230Late JanuaryLate February
208.123.119[.]240Mid NovemberMid December
208.123.119[.]48Mid NovemberMid December
209.182.225[.]124Late DecemberLate January
212.46.38[.]118Mid OctoberMid November
216.120.201[.]107Mid NovemberMid December
216.146.25[.]60Late JanuaryEarly March
217.195.153[.]177Late DecemberEarly February
23.163.0[.]168Mid NovemberEarly December
23.229.117[.]247Early DecemberLate January
3.134.86[.]154Late JanuaryLate February
35.183.14[.]149Mid FebruaryLate February
37.220.31[.]104Late DecemberEarly November
37.220.31[.]17Late JanuaryMid January
37.235.54[.]42Late OctoberEarly December
37.235.54[.]52Early NovemberLate November
44.212.9[.]14Late JanuaryLate February
45.128.156[.]10Late JanuaryLate February
45.128.156[.]3Mid DecemberLate November
45.128.156[.]43Early JanuaryEarly January
45.145.186[.]188Early FebruaryEarly March
45.33.119[.]19Early FebruaryMid February
45.56.165[.]17Late SeptemberLate September
45.61.136[.]152Early SeptemberLate September
45.66.249[.]118Late DecemberLate January
45.86.230[.]64Early OctoberLate October
46.246.96[.]53Mid NovemberMid December
5.230.70[.]23Late SeptemberLate September
5.230.72[.]245Mid FebruaryMid March
5.230.73[.]234Mid JanuaryMid February
5.230.73[.]37Mid DecemberMid January
51.222.96[.]1Mid NovemberMid December
52.87.206[.]242Late DecemberMid January
54.227.224[.]229Early MarchMid March
66.85.147[.]22Late NovemberLate December
72.11.134[.]215Early DecemberEarly January
81.17.28[.]71Early NovemberEarly December
85.239.52[.]96Late DecemberMid November
85.239.53[.]168Late SeptemberLate September
96.44.135[.]76Mid OctoberEarly November
96.44.156[.]206Early JanuaryMid February
96.44.157[.]203Mid DecemberMid February

If you need help reducing your risk of ransomware attacks and minimizing the impact they can have on your organization if they do occur, [redacted] stands ready to help. We have a passion for helping our clients to become tangibly more secure. We enable them to prevent most cyber incidents and be well prepared for emergencies that can’t be avoided. We have the depth of experience and expertise required to ensure that the solutions we provide are effective for your organization’s specific needs.


[r Authors

Portrait of Lauren Fievisohn

Lauren Fievisohn

  • Senior Threat Researcher

Lauren is a Senior Threat Researcher at [redacted] where she enjoys hunting for bad guys by understanding their tradecraft and infrastructure. Lauren holds a BS in Mathematics from The Ohio State University, a MS in Cyber Operations from the Air Force Institute of Technology, and a Ph.D. in Computer Science from the University of Tulsa.

Portrait of Brad Pittack

Brad Pittack

  • Senior Threat Researcher

Senior Threat Intelligence Analyst at [redacted] who spends his days trying to find the badness lurking in the tubes.

Portrait of Danny Quist

Danny Quist

  • Director of Special Projects

Danny Quist is the Director of Special Projects at [redacted]. He works on the research team developing new methods of reverse engineering, machine learning, and malware detonation. Previously he has worked for MIT Lincoln Laboratory and Los Alamos National Laboratory. He has presented at Blackhat, RSA, Defcon, and DFRWS.

Speak with our technical team.