Is BianLian Ransomware Gang Moving to Straight Data Extortion?


March 17, 2023

World map

Researchers assess that the BianLian ransomware group may be shifting tactics focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using them for extortion.

BianLian first emerged in the wild in summer of 2022, and successfully attacked several high-profile organizations before a free decryption tool was released to help victims recover files encrypted by ransomware.

“Redacted reports that BianLian operators have kept their initial access and lateral movement techniques the same and continue to deploy a custom Go-based backdoor that gives them remote access on the compromised device, albeit a slightly improved version of it,” Bleeping Computer reports.

“The main difference seen in recent attacks is that BianLian attempts to monetize its breaches without encrypting the victim's files. Instead, it now solely relies on threatening to leak the stolen data.”

Takeaway: Ransomware is a financially motivated crime. They want the money at any cost - and if they can reduce the resources required to be successful, they will. Attackers always consider ROI in their operations. So, if ransomware groups can achieve their goals by simplifying the attack and still achieve the same results, they will.  

Evidence that the BianLian group may be moving away from delivering ransomware payloads in favor of exfiltration and extortion shows how successful the double extortion strategy is for ransomware groups. In fact, it works so well that we will likely see more groups join the likes of BianLian (and Karakurt before them) opt to forego the hassle involved in developing and managing the encryption and decryption process in favor of a less complicated attack. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.