BianLian began as a typical ransomware group in 2022—encrypting systems and demanding payment for decryption.

But in 2023, the group shifted tactics entirely, dropping encryption in favour of pure data extortion. Instead of locking files, BianLian now focuses on stealing sensitive information and threatening to publish it unless a ransom is paid.

This shift reflects a wider trend in the ransomware landscape—one where disruption is no longer the goal, but reputational and regulatory pressure is.

At STORM Guidance, we help businesses respond to and recover from data extortion incidents like those carried out by BianLian, with expert-led containment, communication, and mitigation strategies.

How BianLian Operates

BianLian's approach is now built entirely around data theft and extortion. Their attacks are manually executed, highly targeted, and focus on extracting maximum leverage.

Their tactics typically include:

• Initial access via compromised RDP, VPN, or phishing

• Reconnaissance and lateral movement to identify high-value data

• Data exfiltration of corporate, customer, or employee records

• Extortion notices threatening to publish data on their leak site

No encryption is involved—so traditional ransomware defences like backups aren’t enough to stop the threat.

Who BianLian Targets

BianLian has targeted organisations across the US, UK, and Australia, with a focus on:

• Healthcare, finance, and critical infrastructure

• Mid-sized to large enterprises with large datasets

• Organisations with undersecured remote access points

Victims are typically chosen based on their perceived willingness or ability to pay.

Why This Approach Matters

Encryptionless extortion means:

• Business operations continue, but reputational damage is the main weapon

• The focus shifts from IT to legal, PR, and compliance risk

• Backups don’t help—the threat is data exposure, not downtime

This makes response more complex and places heavy pressure on leadership teams to make fast, informed decisions.

How to Protect Your Business from BianLian

✅ Enforce strong authentication and disable unnecessary remote access

✅ Monitor for abnormal data transfers or unauthorised outbound connections

✅ Segment networks to prevent unrestricted lateral movement

✅ Identify and classify sensitive data for better protection

✅ Prepare a crisis communication and regulatory response plan in advance

If Your Business Is Targeted by BianLian

If your organisation receives an extortion threat:

• Do not engage directly with the threat actor

• Preserve communications and logs for investigation

• Assess data exposure risks and prepare disclosure statements if necessary

• Contact an incident response team to manage legal, technical, and reputational aspects

STORM Guidance can support your business with:

✔ Fast incident triage and forensic investigation

✔ Expert-led data exposure and risk assessment

✔ Legal and compliance guidance

✔ Crisis comms strategy and negotiation support (if needed)

BianLian: A Sign of Where Ransomware Is Headed

BianLian represents the next generation of ransomware groups—where encryption isn’t necessary to cause harm.

With data exposure as the weapon of choice, your defences must go beyond backups and focus on detection, containment, and communication. STORM Guidance is here to help you prepare and respond with confidence.

Immediate Response Available

If you’re under attack, contact STORM Guidance now.