Cyber Threat Actor: BianLian
| Actor Type | Location | Known Incidents |
Criminal
|
China
|
21 incidents |
|---|
Profile
BianLian, also known as BianLain, is a ransomware group primarily engaged in financially motivated cyber extortion operations. Publicly attributed incidents indicate the group targets a wide range of sectors, including healthcare, education, government services, manufacturing, and entertainment. Healthcare organizations feature prominently among their victims, with attacks on entities such as Save the Children International, Lifenet Healthcare, St. Rose Hospital, and Murfreesboro Medical Clinic. The group employs an exfiltration-based extortion model, stealing sensitive data and threatening public release unless ransoms are paid. This approach shifted from an earlier double-extortion tactic involving file encryption, as noted in a 2023 cybersecurity advisory by CISA, ACSC, and the FBI.
The group utilizes multiple initial access vectors, including phishing emails, exploit kits, and brute-force attacks against Remote Desktop Protocol (RDP) services. Once inside victim networks, BianLian actors deploy custom backdoors written in Go, conduct network enumeration, and use PowerShell and Windows Command Shell to disable antivirus tools. Data exfiltration occurs via FTP, Rclone, or Mega file-sharing services. Aggressive pressure tactics include printing ransom notes to network printers and making threatening phone calls to employees. Significant operations include the April 2023 theft of 6.8 TB of data from Save the Children International—containing personal, financial, and healthcare records—and the July 2024 attack on Fresnillo, the world’s largest silver producer, which caused IT system disruptions but no operational impacts. Other high-impact incidents involve the Piramal Group (870 GB of financial and technical data exfiltrated) and Parques Reunidos Group, where stolen employee passports and internal communications were leveraged for extortion. While some sources suggest potential connections to China, no definitive attribution to state actors or criminal consortiums has been publicly confirmed.
