BianLian Ransomware: Shifting focus to data theft and extortion

The ransomware group known as BianLian has been active since July 2022 and has continued to add victims to a growing list. Like most ransomware gangs, BianLian has used the "double extortion" strategy to put pressure on its victims: breach the network, encrypt files, and threaten to expose the stolen data.

However, through their routine interactions with victims, ransomware gangs learned that the threat of a sensitive data leak was often an even stronger financial incentive than encryption. This gave rise to ransomware operations such as the now-defunct Babuk and SnapMC, as well as extortion groups such as RansomHouse, Donut, and Karakurt, which claim not to use file encryption themselves (or at all).

Overall, BianLian appears to have hit its stride in the pace of its activity and continues to demonstrate a high degree of operational security and network intrusion expertise. The gang has also been improving its ability to run the commercial side of a ransomware operation. Most significantly, BianLian has shifted the focus of its attacks from ransoming encrypted files to extortion over stolen data as its means of collecting money from victims.

The BianLian ransomware group now focuses solely on stealing data from compromised networks and using it for extortion, instead of encrypting its victims' files. BianLian is known for successfully infiltrating several high-profile companies. It has increasingly been observed choosing to forgo encrypting victims' data and instead persuading victims to pay purely on the basis of an extortion demand, in exchange for BianLian's silence. This contrasts with the typical double-extortion model of encrypting files and threatening to leak data. After receiving payment, BianLian claims it will take steps to prevent the data from leaking in order to protect its "reputation."

Between July 2022 and January 2023, BianLian operators leaked data for about 14 victims, roughly 16% of all victims. Masked victim data is routinely posted on the group's extortion site around 48 hours after the breach, and victims are given around 10 days to pay. BianLian is known for targeting the healthcare, education, IT, and engineering sectors in countries including the UK, Sweden, France, Austria, Spain, Germany, Turkey, and Switzerland.

References:

  1. https://www.theregister.com/2023/03/19/bianlian_ransomware_extortion/
  2. https://www.bleepingcomputer.com/news/security/bianlian-ransomware-gang-shifts-focus-to-pure-data-extortion/