BianLian is Changing Ransomware Group

BianLian is a Face Changing Chinese Opera, but it also appliess to a ransomware group that changes it’s attacks up a bit.

Palo Alto Unit42 has a report:

Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. From that leak site data, we’ve primarily observed activity affecting the healthcare and manufacturing sectors and industries, and impacting organizations mainly in the United States (US) and Europe (EU).

We also observed that the BianLian group shares a small, customized tool in common with the Makop ransomware group. This shared tool indicates a possible connection between the two groups, which we will explore further.

BianLian has also recently moved from a double extortion scheme to one of extortion without encryption. Rather than encrypting their victims’ assets before stealing data and threatening to publish it if they do not pay the ransom, they’re now moving straight to stealing data to motivate victims to pay.

The Unit 42 Incident Response team has responded to several BianLian ransomware incidents since September 2022.

Then there is Cyberint BianLian information:

Targeted Sectors: The group displays a particular interest in sectors that possess sensitive data and the financial capability to meet substantial ransom demands. These sectors encompass:

  1. Financial institutions
  2. Government
  3. Professional Services
  4. Manufacturing
  5. Media & Entertainment
  6. Healthcare
  7. Education
  8. Legal

Targeted Countries: In terms of geographical focus, the group’s operations have a global reach, but a higher frequency of attacks is recorded in North America, followed by Asia and Europe. This may indicate that BianLian is directing its efforts toward regions with significant economic importance.

Notably, BianLian predominantly selects organizations located in the United States, accounting for approximately 60% of its targets. The United Kingdom (10%) and Canada (7%) follow as the next most frequently targeted victims of BianLian.

Recently attacks have been high frequency. In October 2023 the group targeted Dow Golub Remels & Beverly, Griffing, International Biomedical, Low Keng Huat, TNT Plastic Molding, Prasan Enterprises, PT Pelabuhan Indonesia III and Instron. In November they hit Plastic Molding Technology and the Jebsen Group. Finally, December has kicked off to a busy start with hits on Akumin, Acero Engineering, AMCO Proteins, the SML Group, Independent Recovery Resources, Commonwealth Capital and Greenbox Loans.


It is interesting which companies have been targeted, which industries and how.

How is important to know so that we can focus on a defense:

BianLian employs a multi-stage attack strategy. It typically gains initial access to a target system through spearphishing emails containing malicious attachments or links to compromised websites. Once inside, the malware establishes communication with its command and control (C2) server, fetching additional modules and tools. This enables it to escalate privileges and establish a lasting foothold in the compromised system.

Initial Access: BianLian’s initial access to networks often involves exploiting compromised Remote Desktop Protocol (RDP) credentials, potentially obtained from initial access brokers or via phishing.


This is not unusual, most attack groups try to enter with spearphishing or regular phishing, as spear phishing is just more targeted. Spear phishing is a highly crafted email to get you to click on the link.

As I mention in my book “Too Late You’re Hacked” how are the attackers making money? And how can they make  more money every year? More attacks of course, and more sophisticated attacks.

We are not going to see yesterday’s attacks from BianLian. BianLian will create new attacks – that will “change face”


I got the above images from a youtube video on Chinese Sichuan Opera.

Some talented performers can change faces 10 times in 2 minutes.  I am sure the ransomware group got some inspiration from their opera to also change quickly  so as to be undetected.

The guidebook for “Too Late You’re Hacked” will help you find the fake spearphishing emails with examples .