BianLian Ransomware Shifts to Data Theft Extortion, Targets 154 Firms in 2024
November 21, 2024

The BianLian ransomware operation has shifted from traditional file encryption to a data theft extortion model, as reported by U.S. and Australian cybersecurity agencies.
BianLian's newer techniques include targeting Windows and ESXi infrastructure, exploiting known vulnerabilities such as ProxyShell and CVE-2022-37969, and using tools like Ngrok to obscure its traffic.
This transition to relying solely on data-exfiltration-based extortion began in January 2024, following an earlier move to this model in January 2023 after Avast released a decryptor.
Notably, BianLian continued to use encryption until late 2023 but has since abandoned the practice entirely.
Active since 2022, BianLian has victimized 154 organizations in 2024, primarily small to medium-sized companies, with significant breaches affecting entities such as Air Canada and Boston Children's Health Physicians.
This update follows a joint advisory from May 2023 that described BianLian's evolving methods, including the use of stolen Remote Desktop Protocol (RDP) credentials and custom backdoors.
BianLian also employs evasion techniques such as renaming binaries to mimic legitimate Windows services, using PowerShell to compress data before exfiltration, and printing ransom notes directly on victims' printers.
To further obscure its operations, BianLian uses foreign-language names, although its primary operators are believed to be based in Russia.
The group has also claimed recent breaches of various organizations, including a Japanese sportswear manufacturer and a Texas clinic, although these claims remain unverified.
In response to the threat posed by BianLian, CISA recommends that organizations limit RDP usage, disable command-line permissions, and restrict PowerShell on Windows systems.
Summary based on 1 source
Source
BleepingComputer • Nov 21, 2024
CISA says BianLian ransomware now focuses only on data theft