
BianLian

Intelligence Profile

BianLian ransomware operations began in late 2021. The group practises multi-pronged extortion: it demands payment both for a decryptor and for withholding the release of stolen data. It hosts a public Tor-based blog on which it posts victim identities and stolen data. Somewhat unique to BianLian at the time of its launch was an I2P mirror of that blog. Note that after a free decryptor was published in early 2023 the group was widely reported to have shifted to exfiltration-only extortion, so a current BianLian intrusion may involve no encryption at all.

Threat Analysis

BianLian is a ransomware operation that extorts organizations globally, historically through file encryption and consistently through the threat of publishing stolen data. The group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors such as BianLian prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, business email compromise (BEC) scams, or credential harvesting for resale on underground markets.

Ransomware Victims (557)

CTIWATCH tracks 557 organizations claimed as victims by BianLian on its data leak site, with attack dates, sectors and countries.


Quick Facts

Type: Ransomware Operation
Motivation: Financial

DLS Infrastructure

○ OFFLINE  bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion
○ OFFLINE  bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion
○ OFFLINE  bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onion
● ONLINE   bianlianvjr9vhy72f782342yvygfciusgfisgiygfs1bredw.i2p.
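Before DLS hostnames like the ones above go into a watchlist or blocklist, it is worth confirming that each .onion entry is at least a structurally valid Tor v3 address: the hostname encodes a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte (0x03), so a typo or extraction damage usually shows up as a checksum mismatch or a bad version byte. The following is an added example written for this page, not CTIWATCH's own tooling; it only checks address structure (it does not touch the network, so it cannot confirm the ONLINE/OFFLINE status shown), and the four hostnames are copied in from the list above purely as sample input. The I2P hostname is a registered .i2p name rather than a base32 key hash, so this check applies only to the .onion entries and reports the .i2p one as out of scope.

```python
import base64
import binascii
import hashlib

# Tor v3 onion address layout (from tor's rend-spec-v3):
#   label    = base32( PUBKEY(32 bytes) || CHECKSUM(2 bytes) || VERSION(1 byte) )
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION  = 0x03
ONION_V3_VERSION = 3
ONION_V3_LABEL_LEN = 56  # 35 bytes encode to exactly 56 base32 characters, no padding

# Sample input: the four DLS entries listed in the profile above.
PROFILE_DLS = [
    "bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion",
    "bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion",
    "bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onion",
    "bianlianvjr9vhy72f782342yvygfciusgfisgiygfs1bredw.i2p.",
]


def onion_v3_checksum(pubkey: bytes, version: int = ONION_V3_VERSION) -> bytes:
    """Two-byte checksum that tor embeds in every v3 address."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte ed25519 public key (used here to self-test the parser)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([ONION_V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> dict:
    """Decode one hostname and report whether it is a structurally valid v3 onion address."""
    result = {"address": address, "valid": False, "reason": None,
              "version": None, "checksum_ok": None, "pubkey_hex": None}
    host = address.strip().lower().rstrip(".")  # tolerate a trailing FQDN dot
    if not host.endswith(".onion"):
        result["reason"] = "not a .onion hostname"
        return result
    label = host[: -len(".onion")]
    if len(label) != ONION_V3_LABEL_LEN:
        result["reason"] = f"expected {ONION_V3_LABEL_LEN} base32 chars, got {len(label)}"
        return result
    try:
        raw = base64.b32decode(label.upper())  # rejects chars outside a-z / 2-7
    except (binascii.Error, ValueError):
        result["reason"] = "label is not valid base32 (alphabet a-z, 2-7)"
        return result
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    result["version"] = version
    result["pubkey_hex"] = pubkey.hex()
    result["checksum_ok"] = checksum == onion_v3_checksum(pubkey, version)
    if version != ONION_V3_VERSION:
        result["reason"] = f"unsupported onion version byte {version}"
    elif not result["checksum_ok"]:
        result["reason"] = "checksum mismatch (typo or extraction damage)"
    else:
        result["valid"] = True
    return result


def check_indicators(addresses) -> list:
    """Run the parser over a list of DLS hostnames, e.g. before loading them into a watchlist."""
    return [parse_onion_v3(a) for a in addresses]


if __name__ == "__main__":
    for r in check_indicators(PROFILE_DLS):
        status = "OK " if r["valid"] else "BAD"
        print(f"{status} {r['address']}  version={r['version']} "
              f"checksum_ok={r['checksum_ok']} reason={r['reason']}")
```

The checksum covers the version byte, so a single wrong character anywhere in the label is caught with overwhelming probability; a hostname that passes is not thereby confirmed as BianLian infrastructure, only as a well-formed address worth keeping in the indicator set.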

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.