Threat Intelligence

BianLian's Pivot: From Ransomware Encryption to Pure Data Extortion

BianLian abandoned encryption entirely in favor of data theft and extortion. This shift reveals where ransomware economics are heading — and why traditional defenses are lagging behind.

Shadab Khan
Security Researcher
6 min read

A Ransomware Group That Stopped Encrypting

In early 2024, BianLian completed a strategic pivot that had been underway since mid-2023: they stopped encrypting victim data entirely. Instead, they now rely exclusively on data theft and the threat of publication to extract payments.

This is not a retreat. It is an optimization.

BianLian recognized that encryption-based ransomware carries significant operational overhead. You need to develop and maintain encryption malware, deal with decryption key management, provide "customer support" when victims pay but struggle with decryption tools, and absorb the reputational cost when decryptors fail. Meanwhile, data exfiltration is simpler, harder to detect, and the leverage it provides can be equally effective.

The shift tells us something important about where the broader ransomware ecosystem is heading.

BianLian's Background

BianLian first appeared in June 2022, initially operating a conventional double extortion model — encrypt data, steal data, demand payment for both decryption and non-publication. They were prolific, claiming victims across healthcare, professional services, manufacturing, and education.

The group's initial tooling was Go-based, which made it somewhat distinctive in a landscape dominated by C++ and Rust payloads. Their encryption was competent but not exceptional, and Avast released a free decryptor in January 2023 that undermined their encryption-based revenue model.

Rather than investing in new encryption capabilities, BianLian pivoted. By the second half of 2023, the vast majority of their operations involved data theft without encryption. By 2024, encryption was gone from their playbook entirely.

How the Data-Only Model Works

BianLian's current operation follows a streamlined workflow:

Access and Persistence

Initial access comes primarily through compromised Remote Desktop Protocol (RDP) credentials, VPN vulnerabilities, and ProxyShell-type Exchange Server exploits. BianLian affiliates are known to purchase access from initial access brokers, suggesting a mature operational structure.

Once inside, they establish persistence through custom backdoors, scheduled tasks, and legitimate remote access tools. They favor tools that blend with normal IT operations — AnyDesk, TeamViewer, and Atera are common.

Reconnaissance and Data Identification

BianLian operators spend significant time identifying high-value data before exfiltrating anything. They look for:

  • Financial records and banking information
  • Personally identifiable information (PII) of customers and employees
  • Protected health information (PHI) in healthcare targets
  • Intellectual property and trade secrets
  • Legal documents, contracts, and internal communications
  • Credentials and access tokens for connected systems

This targeting is deliberate. The more sensitive the data, the stronger the extortion leverage.

Exfiltration

Data exfiltration uses a mix of tools depending on the volume and environment. Common choices include rclone to cloud storage, custom FTP implementations, and even basic file transfer over encrypted channels. The group has been observed staging data in compressed archives before exfiltration to reduce transfer time and avoid triggering bandwidth-based alerts.
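The staging-then-upload pattern described above (archives pushed to cloud storage in a short burst, usually outside working hours) is the observable a network defender can key on. The following is an added example, not code from the article or from any vendor: it runs a sliding-window sum of outbound bytes per host to a set of cloud-storage destinations over constructed proxy log lines and reports hosts that exceed a volume threshold, with an allowlist for systems that legitimately push bulk data. The log format, the domain list, the 1 GiB threshold and the 07:00 to 19:00 working day are all assumptions for illustration.

```python
"""Flag hosts whose outbound volume to cloud-storage services looks like staged
bulk exfiltration (many large uploads in a short window, often after hours)
rather than routine sync traffic.

The proxy log lines and thresholds below are constructed for illustration;
they are not from the article or from any real environment."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed proxy log: "<iso-timestamp> <src_host> <dst_domain> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2024-03-04T01:10:02 ws-finance-07 storage.googleapis.com 734003200
2024-03-04T01:12:41 ws-finance-07 storage.googleapis.com 812345678
2024-03-04T01:15:09 ws-finance-07 storage.googleapis.com 698765432
2024-03-04T01:20:33 ws-finance-07 s3.amazonaws.com 523456789
2024-03-04T09:05:11 ws-hr-02 graph.microsoft.com 2048000
2024-03-04T09:06:40 ws-hr-02 storage.googleapis.com 5120000
2024-03-04T09:30:00 srv-backup-01 s3.amazonaws.com 1200000000
"""

# Destinations that sync tools such as rclone commonly write to; a real deployment
# would derive this list from its own proxy categories (assumption).
CLOUD_STORAGE_DOMAINS = frozenset({
    "storage.googleapis.com",
    "s3.amazonaws.com",
    "blob.core.windows.net",
    "mega.nz",
})


@dataclass
class Finding:
    host: str
    window_start: datetime
    window_end: datetime
    total_bytes: int
    after_hours: bool


def is_after_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """True outside an assumed 07:00-19:00 working day."""
    return ts.hour < start_hour or ts.hour >= end_hour


def find_bulk_uploads(
    log_text: str,
    window: timedelta = timedelta(hours=1),
    threshold_bytes: int = 1 << 30,       # 1 GiB per sliding window (assumed threshold)
    allowlist: frozenset = frozenset(),   # hosts expected to push bulk data, e.g. backup servers
) -> list:
    """Return the heaviest over-threshold window per host, cloud-storage destinations only."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        if domain not in CLOUD_STORAGE_DOMAINS or host in allowlist:
            continue
        per_host[host].append((datetime.fromisoformat(ts), int(nbytes)))

    findings = []
    for host, events in per_host.items():
        events.sort()
        best = None
        start = 0
        running = 0
        # Two-pointer sliding window over time-ordered events for this host.
        for ts, nbytes in events:
            running += nbytes
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            if running > threshold_bytes and (best is None or running > best.total_bytes):
                best = Finding(host, events[start][0], ts, running, is_after_hours(events[start][0]))
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_bulk_uploads(SAMPLE_PROXY_LOG, allowlist=frozenset({"srv-backup-01"})):
        flag = " (after hours)" if f.after_hours else ""
        print(f"{f.host}: {f.total_bytes / 2**30:.2f} GiB between "
              f"{f.window_start:%H:%M} and {f.window_end:%H:%M}{flag}")
```

On the constructed sample the finance workstation is reported for roughly 2.6 GiB to cloud storage in ten minutes at 01:10, the HR workstation's few megabytes are ignored, and the backup server is suppressed only because it is allowlisted. Keeping the window per host rather than per connection is what catches transfers split across several archives, which is the staging behaviour the article describes.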

Extortion

After exfiltration, BianLian contacts the victim — typically through email to executive leadership — and presents evidence of the stolen data. Their leak site displays victim names, data descriptions, and sample files. They set deadlines and apply escalating pressure, sometimes contacting the victim's customers or partners directly.

The messaging is professional and calculated. They frame the payment as a reasonable business decision: pay a fraction of the potential regulatory fines, legal costs, and reputational damage that a data breach would cause.

Why Data-Only Extortion Works

The economics favor the attackers for several reasons:

No decryption overhead. Encryption-based ransomware groups carry an obligation: if the victim pays, the group must deliver working decryption. That means maintaining reliable malware, key management infrastructure, and support processes. Failures damage the group's reputation and reduce future payments. Data-only extortion eliminates this entire category of operational risk.

Harder to detect during the attack. Data exfiltration can look like normal network traffic, especially when using legitimate cloud storage services. Encryption, by contrast, generates distinctive I/O patterns that modern EDR tools can catch. By not encrypting, BianLian avoids triggering defenses optimized for ransomware.

Regulatory pressure does the work. GDPR, HIPAA, state breach notification laws, and similar regulations create real financial consequences for data breaches. BianLian does not need to threaten operational disruption — the threat of regulatory action and lawsuits provides sufficient leverage.

Victims may not even know what was taken. Without the obvious indicator of encrypted files, some victims may not discover the breach until BianLian contacts them. This delay increases the attacker's leverage and reduces the victim's options.

Implications for Defense

BianLian's evolution demands a shift in defensive thinking:

Encryption-focused detection is insufficient. If your ransomware defenses rely primarily on detecting encryption behavior — file modification patterns, extension changes, volume shadow copy deletion — you will miss data-only extortion entirely.

Data loss prevention becomes critical. DLP tools, network monitoring for unusual data transfers, and cloud access security brokers (CASBs) move from "nice to have" to essential. You need visibility into what data is leaving your network and where it is going.

Data classification matters. You cannot protect what you do not understand. Organizations need to know where their sensitive data lives, who has access to it, and what normal access patterns look like. Anomalous access to sensitive data stores should trigger investigation.

Identity security is the primary control. BianLian's initial access relies heavily on compromised credentials. Strong authentication — MFA, passwordless options, conditional access policies — closes the most common entry point.

Assume breach planning. When the threat model shifts from "encrypt and disrupt" to "steal and extort," your incident response plan needs to account for scenarios where the attacker was present for days or weeks without any visible impact. Tabletop exercises should include data-only extortion scenarios.
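The data classification point above ("know where sensitive data lives, who has access, and what normal access looks like") turns into a concrete detection only once a per-account baseline exists. The following is an added example, not code from the article or from any vendor: it builds a profile for each account from constructed file-audit events (peak distinct sensitive files per day, and which data classifications the account normally touches), then flags a day under review for a volume spike, access to a classification never seen before, or activity from an account with no history at all. The event tuple format, the classification labels and the spike factor of 3 are assumptions chosen for illustration.

```python
"""Flag accounts whose access to classified data departs from their own baseline:
far more distinct sensitive files than usual, a data class they have never
touched, or no baseline at all. Audit events below are constructed for
illustration and are not from the article or from any real environment."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit events: (day, user, path, classification). "public" is ignored.
# Baseline week: alice reads 4 finance files a day, bob reads 2 HR files a day.
BASELINE_EVENTS = [
    (f"2024-02-{day:02d}", "alice", f"/fin/q1/report-{day}-{i}.xlsx", "financial")
    for day in range(1, 8) for i in range(1, 5)
] + [
    (f"2024-02-{day:02d}", "bob", f"/hr/employee-{i}.pdf", "pii")
    for day in range(1, 8) for i in range(1, 3)
] + [
    ("2024-02-01", "alice", "/intranet/holidays.html", "public"),
]

# Day under review: alice pulls 15 distinct finance files plus a PHI file she has
# never touched; bob behaves normally; svc-sync is an account with no history.
RECENT_EVENTS = [
    ("2024-03-04", "alice", f"/fin/archive/ledger-{i}.xlsx", "financial") for i in range(1, 16)
] + [
    ("2024-03-04", "alice", "/clinic/patient-001.pdf", "phi"),
    ("2024-03-04", "bob", "/hr/employee-1.pdf", "pii"),
    ("2024-03-04", "bob", "/hr/employee-2.pdf", "pii"),
] + [
    ("2024-03-04", "svc-sync", f"/fin/q1/report-1-{i}.xlsx", "financial") for i in range(1, 5)
]


@dataclass
class Profile:
    peak_daily_files: int       # most distinct sensitive files seen on any baseline day
    classifications: frozenset  # data classes this account normally touches


@dataclass
class Anomaly:
    user: str
    kind: str    # "new_classification" | "volume_spike" | "no_baseline"
    detail: str


def build_profiles(events) -> dict:
    """Per-account baseline from historical audit events (public files excluded)."""
    per_user_day = defaultdict(lambda: defaultdict(set))
    classes = defaultdict(set)
    for day, user, path, cls in events:
        if cls == "public":
            continue
        per_user_day[user][day].add(path)
        classes[user].add(cls)
    return {
        user: Profile(max(len(paths) for paths in days.values()), frozenset(classes[user]))
        for user, days in per_user_day.items()
    }


def detect_anomalies(profiles: dict, events, spike_factor: int = 3) -> list:
    """Compare one day's sensitive-file access per account against its profile."""
    distinct = defaultdict(set)
    seen_classes = defaultdict(set)
    for _day, user, path, cls in events:
        if cls == "public":
            continue
        distinct[user].add(path)
        seen_classes[user].add(cls)

    findings = []
    for user, paths in distinct.items():
        profile = profiles.get(user)
        if profile is None:
            findings.append(Anomaly(user, "no_baseline", f"{len(paths)} sensitive files, no history"))
            continue
        new_classes = seen_classes[user] - profile.classifications
        if new_classes:
            findings.append(Anomaly(user, "new_classification", ",".join(sorted(new_classes))))
        if len(paths) > spike_factor * profile.peak_daily_files:
            findings.append(Anomaly(user, "volume_spike",
                                    f"{len(paths)} files vs peak {profile.peak_daily_files}"))
    return findings


if __name__ == "__main__":
    for a in detect_anomalies(build_profiles(BASELINE_EVENTS), RECENT_EVENTS):
        print(f"{a.user}: {a.kind} ({a.detail})")
```

The baseline is per account rather than global on purpose: an analyst who reads forty contracts a day is normal, while a finance clerk suddenly reading sixteen is not, and the same threshold applied to both would miss one or drown the other. The "no baseline" case matters for the assume-breach scenario above, since a dormant or newly created account touching classified data is exactly what a multi-week quiet intrusion looks like in audit logs.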

The Broader Trend

BianLian is not alone in this shift. Multiple ransomware groups have either added data-only extortion to their toolkit or pivoted away from encryption entirely. The trend reflects a maturing criminal ecosystem that optimizes for return on investment just like any other business.

For defenders, this means the threat landscape is becoming harder, not easier. You are no longer defending against an event (encryption) that is loud and unmistakable. You are defending against an operation (data theft) that is quiet, gradual, and designed to look like normal activity.

How Safeguard.sh Helps

BianLian's data-only model thrives in environments with poor visibility. Safeguard addresses this by providing comprehensive software supply chain transparency — you know exactly what components are deployed, what vulnerabilities exist, and where your exposure lies. When BianLian exploits a known vulnerability for initial access, Safeguard's continuous vulnerability monitoring ensures your team knows about the exposure before the attacker does. And because Safeguard integrates into CI/CD pipelines, it catches vulnerable components before they reach production, reducing the attack surface that groups like BianLian rely on.
