Skip to main content

Operator dossier

BianLian (also tracked as Hydra) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 668 public victims claimed by this operator between July 14, 2022 and March 31, 2025. **Overview:** BianLian is a financially motivated ransomware group that emerged in July 2022, quickly establishing itself as a significant threat to organizations across multiple sectors. The group operates with a primary focus on extorting victims for financial gain through data encryption and exfiltration tactics. **Origin & Affiliation:** While the exact country of origin remains unconfirmed by public reporting, BianLian appears to operate as an independent ransomware group rather than following a traditional Ransomware-as-a-Service model. Security researchers have not established definitive links between BianLian and other known ransomware families or cybercriminal organizations. **Attack Methodology:** BianLian typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials and exploits of public-facing applications, according to security researchers. The group employs double extortion tactics, stealing sensitive data before encrypting victim systems, and threatens to publish exfiltrated information on their leak site if ransom demands are not met. Their operations demonstrate sophisticated understanding of network environments and data exfiltration techniques. **Notable Campaigns:** Since its emergence, BianLian has successfully compromised over 670 organizations globally, with documented cases spanning critical infrastructure and major corporations across their primary target sectors. The group has been particularly active in targeting healthcare organizations, prompting attention from cybersecurity agencies due to the critical nature of these attacks. **Current Status:** As of recent threat intelligence reporting, BianLian remains an active ransomware threat, continuing to target organizations primarily in the United States, United Kingdom, Canada, India, and Australia.

Most-targeted sectors

Most-affected countries

Recent disclosures by BianLian

Most recent 150 of 668 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for BianLian

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

BianLian

aka Hydra · 668 victims indexed · first seen 4 years ago · last activity 1 year ago

668
Victims indexed
#15 of 364 tracked operators
2y 8m
Active period
Jul 2022 → Mar 2025
30
Countries hit
top United States · 315

At a glance

Status
inactive
Aliases
Hydra
First seen
4 years ago
Last activity
1 year ago
Onion sites
5 known endpoints
Primary sector
Healthcare · 98 hits

About

**Overview:** BianLian is a financially motivated ransomware group that emerged in July 2022, quickly establishing itself as a significant threat to organizations across multiple sectors. The group operates with a primary focus on extorting victims for financial gain through data encryption and exfiltration tactics. **Origin & Affiliation:** While the exact country of origin remains unconfirmed by public reporting, BianLian appears to operate as an independent ransomware group rather than following a traditional Ransomware-as-a-Service model. Security researchers have not established definitive links between BianLian and other known ransomware families or cybercriminal organizations. **Attack Methodology:** BianLian typically gains initial access through compromised Remote Desktop Protocol (RDP) credentials and exploits of public-facing applications, according to security researchers. The group employs double extortion tactics, stealing sensitive data before encrypting victim systems, and threatens to publish exfiltrated information on their leak site if ransom demands are not met. Their operations demonstrate sophisticated understanding of network environments and data exfiltration techniques. **Notable Campaigns:** Since its emergence, BianLian has successfully compromised over 670 organizations globally, with documented cases spanning critical infrastructure and major corporations across their primary target sectors. The group has been particularly active in targeting healthcare organizations, prompting attention from cybersecurity agencies due to the critical nature of these attacks. **Current Status:** As of recent threat intelligence reporting, BianLian remains an active ransomware threat, continuing to target organizations primarily in the United States, United Kingdom, Canada, India, and Australia.

References

17 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2023-04-01T00:00:00+00:00 · 562023-05-01T00:00:00+00:00 · 492023-06-01T00:00:00+00:00 · 272023-07-01T00:00:00+00:00 · 312023-08-01T00:00:00+00:00 · 142023-09-01T00:00:00+00:00 · 262023-10-01T00:00:00+00:00 · 252023-11-01T00:00:00+00:00 · 142023-12-01T00:00:00+00:00 · 152024-01-01T00:00:00+00:00 · 192024-02-01T00:00:00+00:00 · 342024-03-01T00:00:00+00:00 · 192024-04-01T00:00:00+00:00 · 162024-05-01T00:00:00+00:00 · 232024-06-01T00:00:00+00:00 · 122024-07-01T00:00:00+00:00 · 152024-08-01T00:00:00+00:00 · 272024-09-01T00:00:00+00:00 · 152024-10-01T00:00:00+00:00 · 102024-11-01T00:00:00+00:00 · 182024-12-01T00:00:00+00:00 · 172025-01-01T00:00:00+00:00 · 22025-02-01T00:00:00+00:00 · 262025-03-01T00:00:00+00:00 · 15
2023-04-01T00:00:00+00:002025-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
315
🇬🇧 United Kingdom
30
🇮🇳 India
16
🇨🇦 Canada
16
🇩🇪 Germany
8
🇦🇺 Australia
7
🇮🇹 Italy
5
🇸🇪 Sweden
4

Top sectors

Healthcare
98
Business Services
66
Manufacturing
60
Technology
35
Construction
24
Education
22
Financial
21
Transportation/Logistics
15

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessCredential AccessExfiltration

Techniques

  • T1133External Remote Services
  • T1078Valid Accounts
  • T1003OS Credential Dumping
  • T1567Exfiltration Over Web Service

Recent victims

Loading…

Onion infrastructure

5 known
  • http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion
  • http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/companies/
  • http://bianliaoxoeriowgqohcly4a6sbkpc3se2yvxgidxomxlpuhx5ehrpad.onion
  • http://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion
  • http://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion/companies/

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time BianLian posts a victim.

Add BianLian to your watchlist — Pro pings you within 5 minutes of any new BianLian leak-site post, Telegram callout, or affiliate-rebrand inference.