The PolySwarm Blog


BianLian Ransomware

Sep 26, 2022 4:05:33 PM / by PolySwarm Tech Team

Verticals Targeted:
Professional Services, Media and Entertainment, Manufacturing, Healthcare, Energy and Utilities, Education, Financial

Executive Summary

Cyble recently reported on BianLian, a new ransomware variant written in Go. It has been used to target multiple verticals.

Key Takeaways

  • BianLian is a ransomware family written in Go.
  • BianLian uses multiple techniques to thwart detection and reverse engineering.
  • BianLian threat actors use a double extortion tactic, threatening to leak victim data if the ransom is not paid.

What is BianLian?

BianLian ransomware, written in Go, was first discovered in July 2022. It has been used to target multiple verticals, including professional services, media and entertainment, manufacturing, healthcare, energy and utilities, education, and financial.

When BianLian is executed, it checks whether it is running in a WINE environment. It then uses the CreateThread() API function to create multiple threads, complicating attempts at reverse engineering. BianLian then uses the GetDriveTypeW() API to find system drives A:\ to Z:\ and encrypts files on the discovered drives. The following files, extensions, and folders are not encrypted: .exe, .dll, .sys, .txt, .lnk, .html, bootmgr, BOOTNXT, pagefile.sys, thumbs.db, ntuser.dat, swapfile.sys, Windows, and Windows.old.

BianLian uses the crypto/cipher, crypto/aes, and crypto/rsa Go packages for encryption. During the encryption process, the ransomware divides files into 10-byte chunks. Using data chunking in the encryption process helps thwart detection by antivirus products. Encrypted files are appended with the .bianlian extension.

BianLian drops a ransom note named Look at this instruction.txt in folders containing encrypted files. The ransom note instructs victims on how to contact the threat actors. The threat actors use a double extortion technique, threatening to leak stolen files if the ransom is not paid within ten days. Following the encryption process, BianLian deletes itself from the system.
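The two on-disk indicators described above (the appended .bianlian extension and the ransom note file name) can be turned into a simple post-incident triage scan. The script below is an added example and is not PolySwarm's tooling; it builds a constructed directory tree in a temp folder, then walks it and reports ransom notes, encrypted files, and any encrypted file whose original extension is on the exclusion list the bulletin gives, which would be worth a second look because it does not match the documented behaviour.

```python
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "Look at this instruction.txt"
ENCRYPTED_EXT = ".bianlian"
# Extensions the bulletin says BianLian leaves unencrypted
SKIPPED_EXTS = {".exe", ".dll", ".sys", ".txt", ".lnk", ".html"}


def scan_tree(root):
    """Walk root and collect BianLian file-system indicators."""
    findings = {"notes": [], "encrypted": [], "unexpected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings["notes"].append(path)
            elif name.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
                # The original extension sits just before the appended .bianlian
                original_ext = Path(name[: -len(ENCRYPTED_EXT)]).suffix.lower()
                if original_ext in SKIPPED_EXTS:
                    # Contradicts the documented exclusion list: flag for review
                    findings["unexpected"].append(path)
    return findings


def build_constructed_sample(root):
    """Create a constructed tree (placeholder bytes, not real artefacts)."""
    docs = Path(root) / "docs"
    docs.mkdir()
    (docs / "report.docx.bianlian").write_bytes(b"\x00" * 32)
    (docs / "readme.txt").write_text("untouched: .txt is on the skip list")
    (docs / RANSOM_NOTE).write_text("constructed placeholder note")
    bin_dir = Path(root) / "bin"
    bin_dir.mkdir()
    (bin_dir / "tool.exe").write_bytes(b"MZ")


def demo():
    """Run the scan over the constructed tree and return indicator counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        found = scan_tree(tmp)
        return {key: len(paths) for key, paths in found.items()}


if __name__ == "__main__":
    print(demo())  # {'notes': 1, 'encrypted': 1, 'unexpected': 0}
```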

PolySwarm has multiple samples of BianLian.

You can use the following CLI command to search for all BianLian samples in our portal:

$ polyswarm link list -f BianLian

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.


Topics: Threat Bulletin, Ransomware, BianLian
