Threat Actor Profile
Description
BianLian ransomware operations began in late 2021. The group practices multi-pronged extortion, demanding payment both for a decryptor and for the non-release of stolen data. The group hosts a public Tor-based blog on which it posts victim identities and stolen data. Somewhat unique to BianLian at the time of its launch was the inclusion of an I2P mirror for that blog.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (11)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'BianLian ransomware operations began in late 2021. The group '
'practices multi-pronged extortion, demanding payment for a '
'decryptor, as well as the non-release of stolen data. The '
'ransomware group hosts a public, TOR-based, blog to post '
'victim identities and stolen data. Somewhat unique to '
'BianLian at the time of their launch was their inclusion of '
'an I2P mirror for their blog.',
'firstseen': '2022-07-14T00:20:23.051488+00:00',
'group': 'bianlian',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2025-03-31T15:57:33.563153+00:00',
'locations': [{'available': False,
'fqdn': 'bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onion',
'slug': 'http://bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion',
'slug': 'http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion',
'title': 'BianLian | Home',
'type': 'DLS'},
{'available': False,
'fqdn': 'bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion',
'slug': 'http://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion',
'title': 'BianLian | Home',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onion',
'slug': 'http://bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion',
'slug': 'http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion',
'title': 'BianLian | Home',
'type': 'DLS'},
{'available': False,
'fqdn': 'bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion',
'slug': 'http://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion',
'title': 'BianLian | Home',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'bianlian',
'tools': {'CredentialTheft': ['RDP Recognizer'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced IP Scanner',
'Advanced Port Scanner',
'PingCastle',
'SharpShares',
'SoftPerfect NetScan',
'WKTools'],
'Exfiltration': ['MEGA', 'RClone'],
'LOLBAS': ['PsExec'],
'Networking': [],
'Offsec': ['Impacket'],
'RMM-Tools': ['AnyDesk',
'AmmyyAdmin',
'Atera',
'ScreenConnect',
'Splashtop',
'TeamViewer']},
'url': 'https://www.ransomware.live/group/bianlian',
'victims': 552,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['RDP Recognizer'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced IP Scanner',
'Advanced Port Scanner',
'PingCastle',
'SharpShares',
'SoftPerfect NetScan',
'WKTools'],
'Exfiltration': ['MEGA', 'RClone'],
'LOLBAS': ['PsExec'],
'Networking': [],
'Offsec': ['Impacket'],
'RMM-Tools': ['AnyDesk',
'AmmyyAdmin',
'Atera',
'ScreenConnect',
'Splashtop',
'TeamViewer']},
'ttps': [{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'An adversary may rely upon '
'specific actions by a user in '
'order to gain execution.',
'technique_id': 'T1204',
'technique_name': 'User Execution'},
{'technique_details': 'Adversaries may abuse command '
'and script interpreters to '
'execute commands, scripts, or '
'binaries.',
'technique_id': 'T1059',
'technique_name': 'Command and Scripting '
'Interpreter'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Adversaries may employ '
'various means to detect and '
'avoid virtualization and '
'analysis environments.',
'technique_id': 'T1497',
'technique_name': 'Virtualization/Sandbox Evasion'},
{'technique_details': 'Adversaries may perform '
'software packing or virtual '
'machine software protection '
'to conceal their code.',
'technique_id': 'T1027.002',
'technique_name': 'Software Packing'},
{'technique_details': 'Adversaries may attempt to '
'manipulate features of their '
'artifacts to make them appear '
'legitimate or benign to users '
'and/or security tools.',
'technique_id': 'T1036',
'technique_name': 'Masquerading'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'An adversary may attempt to '
'get detailed information '
'about the operating system '
'and hardware, including '
'version, patches, hotfixes, '
'service packs, and '
'architecture.',
'technique_id': 'T1082',
'technique_name': 'System Information Discovery'},
{'technique_details': 'Adversaries may enumerate '
'files and directories or may '
'search in specific locations '
'of a host or network share '
'for certain information '
'within a file system.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'},
{'technique_details': 'Adversaries may attempt to '
'get a listing of security '
'software, configurations, '
'defensive tools, and sensors '
'that are installed on a '
'system or in a cloud '
'environment.',
'technique_id': 'T1518.001',
'technique_name': 'Security Software Discovery'},
{'technique_details': 'Adversaries may attempt to '
'gather information about '
'attached peripheral devices '
'and components connected to a '
'computer system.',
'technique_id': 'T1120',
'technique_name': 'Peripheral Device Discovery'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Adversaries may encrypt data '
'on target systems or on large '
'numbers of systems in a '
'network to interrupt '
'availability to system and '
'network resources.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'Adversaries may move onto '
'systems, possibly those on '
'disconnected or air-gapped '
'networks, by copying malware '
'to removable media and taking '
'advantage of Autorun features '
'when the media is inserted '
'into a system and executes.',
'technique_id': 'T1091',
'technique_name': 'Replication Through Removable '
'Media'}]}],
'url': 'https://www.ransomware.live/group/bianlian',
'victims': 552,
'vulnerabilities': []}