Since its emergence in June 2022, the BianLian ransomware group has focused on targeting critical infrastructure sectors across the US, Australia, and other regions, rapidly becoming a formidable cyber threat.
Initially employing a double-extortion tactic, they shifted primarily to data exfiltration in early 2023 after encryption tools were neutralized by publicly available decryptors. BianLian uses legitimate Remote Desktop Protocol (RDP) credentials and open-source tools for data discovery and exfiltration, leveraging FTP, Rclone, and Mega to execute their operations.
The group has impacted over 118 organizations globally, with targets spanning financial services, healthcare, and education. Their activities drew major attention in March with a high-profile attack on a Spanish amusement park, and were later spotlighted by international cybersecurity agencies including the FBI, CISA, and ACSC.
A notable incident involved the theft of 6.8 TB of data from Save the Children International, highlighting the severe implications of their cyberattacks.