// group profile

bianlian

Inactive

BianLian ransomware operations began in late 2021. The group practices multi-pronged extortion, demanding payment for a decryptor, as well as the non-release of stolen data. The ransomware group hosts a public, TOR-based, blog to post victim identities and stolen data. Somewhat unique to BianLian at the time of their launch was their inclusion of an I2P mirror for their blog.

552

Victims

Sites

Victims (552)

Live

CMC Technology Group

bianlianVietnam

Meridian Senior

bianlianUnited States

Saunders and Saunders

bianlianUnited Kingdom

Sonrisas Dental Health

bianlianUnited States

Goshen Medical Center

bianlianUnited States

Allworx

bianlianUnited States

Island Realty

bianlianUnited States

Minnesota Orthodontics

bianlianUnited States

Keystone Pacific Property Management LLC

bianlianUnited States

Mosley Glick O’Brien, Inc.

bianlianUnited States

Legal Aid Society of Salt Lake

bianlianUnited States

Ewald Consulting

bianlianUnited States

Alabama Ophthalmology Associates

bianlianUnited States

Aspire Rural Health System

bianlianUnited States

Nash Brothers Construction

bianlianUnited States

Nippon Steel USA

bianlianUnited States

Financial Services of America, Inc.

bianlianUnited States

Layfield & Borel CPA's L.L.C

bianlianUnited States

Dain, Torpy, Le Ray, Wiest & Garner, P.C.

bianlianUnited States

D-7 Roofing

bianlianUnited States

Recievership Specialists

bianlianUnited States

Dash Business

bianlian

Hall Chadwick

bianlianAustralia

NESCTC Security Services

bianlianUnited States

C & R Molds Inc

bianlianUnited States

Known Leak Sites

bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onionDLS

bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onionDLS

bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onionDLS

Top Targeted Countries

United States167

Canada15

India12

United Kingdom8

Australia8

MITRE ATT&CK

View all

T1486Data Encrypted for Impact

Shifted to data exfiltration-only in 2023

T1078Valid Accounts

Targets compromised RDP and VPN credentials

T1059.001PowerShell

Uses PowerShell for reconnaissance

T1567.002Exfiltration to Cloud Storage

Exfiltrates data to cloud services

T1021.001Remote Desktop Protocol

RDP for lateral movement

Activity

Total victims552

Countries affected24

Last seenNo recent activity

Explore

→

Ransomware NewsRelated articles

→

Check DecryptorsFree tools

→

Payment DataRansom tracking

→

MITRE ATT&CKTechniques

→

Live MapGlobal view

Source: ransomware.live|Refreshes every 5 min