Menu
Browse

Cyber Threat Actor: BianLian

Actor Type Location Known Incidents
 Icon
Criminal
United States of America
4 incidents
Profile

The threat actor tracked under the aliases d0nut and BianLian has been observed operating from the United States of America. Their activity has been reported across the legal services, healthcare, and web hosting sectors. Observed operations involve ransomware deployment coupled with data exfiltration aimed at extorting payments from victim organizations, indicating a financially motivated agenda. The actors have engaged in negotiation attempts and have contacted clients of compromised firms to increase pressure for payment.

Initial access has been achieved through exploitation of unpatched Microsoft Exchange servers, phishing emails that harvest credentials, and taking advantage of outdated software vulnerabilities in web hosting environments such as cPanel and WordPress platforms. Once inside, the actors deploy ransomware that encrypts files while simultaneously exfiltrating sensitive data for leverage in negotiations. The ransomware used has not been publicly named, but the behavior includes demanding payment, contacting the victim’s clients to amplify pressure, and leaking portions of stolen data when ransom demands are not met. In some cases, the stolen credentials and source code have been repurposed to redirect customer websites for phishing and malware distribution.

A 2023 ransomware attack on UnitedLex resulted in the theft of approximately 200 GB of corporate contracts, payment details, and personnel information, followed by direct outreach to the firm's clients including DXC Technology, with the victim engaging forensic experts and notifying the FBI. In the same year, the group claimed responsibility for a ransomware incident at Montgomery General Hospital where attackers exploited a Microsoft Exchange vulnerability, deployed ransomware after infiltration, exfiltrated historical files containing patient information, employee records, and financial data, and issued a $750 000 ransom demand that was refused, leading to partial data leak, notification of affected individuals, and offers of credit monitoring while the hospital’s cloud‑based medical records remained secure. Earlier, in 2021, unauthorized access to OneDigital, a business associate of Anthem Inc., exposed protected health information of over two thousand individuals including names, addresses, Social Security numbers, dates of birth, and medical records, prompting notification and complimentary credit monitoring and identity theft protection services. Additionally, a multi‑year campaign against a major web hosting provider saw the actors repeatedly breach systems to steal source code and install malware, compromising cPanel shared hosting and WordPress environments, affecting millions of customers, exposing administrative credentials, email addresses, SSL private keys, and hosting account details, and using the stolen information to redirect customer sites for phishing and malware distribution, with law enforcement confirming the organized nature of the operation. No public attribution to a state sponsor or larger criminal consortium has been established in the available reporting.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
0 sources