BianLian Ransomware: How This Group Evolved Into a Data Extortion Threat

BianLian began as a typical ransomware group in 2022—encrypting systems and demanding payment for decryption.


But in 2023, the group shifted tactics entirely, dropping encryption in favour of pure data extortion. Instead of locking files, BianLian now focuses on stealing sensitive information and threatening to publish it unless a ransom is paid.

This shift reflects a wider trend in the ransomware landscape—one where disruption is no longer the goal, but reputational and regulatory pressure is.

At STORM Guidance, we help businesses respond to and recover from data extortion incidents like those carried out by BianLian, with expert-led containment, communication, and mitigation strategies.



How BianLian Operates


BianLian's approach is now built entirely around data theft and extortion. Their attacks are manually executed, highly targeted, and focus on extracting maximum leverage.

Their tactics typically include:

  • Initial access via compromised RDP, VPN, or phishing

  • Reconnaissance and lateral movement to identify high-value data

  • Data exfiltration of corporate, customer, or employee records

  • Extortion notices threatening to publish data on their leak site


No encryption is involved—so traditional ransomware defences like backups aren’t enough to stop the threat.



Who BianLian Targets


BianLian has targeted organisations across the US, UK, and Australia, with a focus on:

  • Healthcare, finance, and critical infrastructure

  • Mid-sized to large enterprises with large datasets

  • Organisations with undersecured remote access points


Victims are typically chosen based on their perceived willingness or ability to pay.



Why This Approach Matters


Encryptionless extortion means:

  • Business operations continue, but reputational damage is the main weapon

  • The focus shifts from IT to legal, PR, and compliance risk

  • Backups don’t help—the threat is data exposure, not downtime


This makes response more complex and places heavy pressure on leadership teams to make fast, informed decisions.



How to Protect Your Business from BianLian


✅ Enforce strong authentication and disable unnecessary remote access

✅ Monitor for abnormal data transfers or unauthorised outbound connections

✅ Segment networks to prevent unrestricted lateral movement

✅ Identify and classify sensitive data for better protection

✅ Prepare a crisis communication and regulatory response plan in advance
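
One way to implement the "monitor for abnormal data transfers or unauthorised outbound connections" item, as an added example that is not from the original page or from STORM Guidance. It compares each host's daily external upload volume with its own history and flags large transfers to destinations the host has never contacted. The flow record layout, host names, documentation-range IPs, the RFC 1918 definition of "internal", and the `k` and `min_bytes` thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: RFC 1918 ranges are "internal"; everything else counts as egress.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed flow records: (ISO day, source host, destination IP, bytes sent).
FLOWS = [
    ("2024-05-02", "fs01", "203.0.113.10", 40_000_000),
    ("2024-05-03", "fs01", "203.0.113.10", 42_000_000),
    ("2024-05-04", "fs01", "203.0.113.10", 38_000_000),
    ("2024-05-05", "fs01", "203.0.113.10", 39_000_000),
    ("2024-05-05", "fs01", "198.51.100.77", 6_200_000_000),  # large upload, new peer
    ("2024-05-02", "ws07", "192.0.2.50", 5_000_000),
    ("2024-05-03", "ws07", "192.0.2.50", 6_000_000),
    ("2024-05-04", "ws07", "192.0.2.50", 5_000_000),
    ("2024-05-05", "ws07", "192.0.2.50", 5_000_000),
    ("2024-05-05", "ws07", "198.51.100.9", 2_000_000),       # new peer, but tiny
    ("2024-05-05", "ws07", "10.0.0.5", 9_000_000_000),       # internal copy, ignored
]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def egress_alerts(flows, day, k=5.0, min_bytes=100_000_000):
    """Return sorted (host, reason, value) alerts for `day` against each host's prior days."""
    daily = defaultdict(lambda: defaultdict(int))        # host -> day -> external bytes
    seen = defaultdict(set)                              # host -> peers seen before `day`
    today_peers = defaultdict(lambda: defaultdict(int))  # host -> peer -> bytes on `day`
    for d, host, dst, nbytes in (f for f in flows if is_external(f[2])):
        daily[host][d] += nbytes
        if d < day:
            seen[host].add(dst)
        elif d == day:
            today_peers[host][dst] += nbytes
    alerts = []
    for host, per_day in daily.items():
        history = [v for d, v in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if history and today >= min_bytes:
            med = median(history)
            mad = median(abs(v - med) for v in history)
            # Robust spread (median/MAD); the 10% floor stops a flat baseline alerting on noise.
            if today > med + k * max(1.4826 * mad, 0.1 * med):
                alerts.append((host, "volume", today))
        for dst, nbytes in today_peers[host].items():
            if dst not in seen[host] and nbytes >= min_bytes:
                alerts.append((host, "new-destination", dst))
    return sorted(alerts)
```

Calling `egress_alerts(FLOWS, "2024-05-05")` on the constructed records flags only `fs01`, once for volume and once for the new destination.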



If Your Business Is Targeted by BianLian


If your organisation receives an extortion threat:

  • Do not engage directly with the threat actor

  • Preserve communications and logs for investigation

  • Assess data exposure risks and prepare disclosure statements if necessary

  • Contact an incident response team to manage legal, technical, and reputational aspects


STORM Guidance can support your business with:

✔ Fast incident triage and forensic investigation

✔ Expert-led data exposure and risk assessment

✔ Legal and compliance guidance

✔ Crisis comms strategy and negotiation support (if needed)



BianLian: A Sign of Where Ransomware Is Headed


BianLian represents the next generation of ransomware groups—where encryption isn’t necessary to cause harm.

With data exposure as the weapon of choice, your defences must go beyond backups and focus on detection, containment, and communication. STORM Guidance is here to help you prepare and respond with confidence.


