BianLian strikes again

Ransomware group, BianLian, have claimed that they struck non-profit organization, “Save the Children”, stealing up to 7tb of data.


Data stolen included PII

PII, or Personally Identifiable Information, is claimed to be a part of the almost 7tb of data stolen, including financial, HR and medical data, among others.


No word from STC

While BianLian claimed the attack on their website, there has been no confirmed attack by “Save the Children” – yet.  Typically it can takes days, or weeks, before a report is released – it all depends on who and what is affected.  In the case of Cisco, they released a report immediately to help affected customers while organizations like “Save the Children” take their time, investigate the claims and, if they’re substantiated, begin the process of contacting affected individuals and organizations before publishing a press release.

news > Cyber-Attacks > Ransomware
By Kevin Wood

Organization, “Save The Children” hit by ransomware, 7TB of data stolen



Hackers don’t care who they affect, they only want one thing – money

Based on the attacks over the last few years, it probably comes as no surprise to many that hackers would stoop as low as going after an organization designed to help those in need.  They don’t seem to care who they affect, they’re really only after one thing – money.  They know, if they hit the right organization, the potential payout is big.

The organization, “Save the Children”, is the latest victim of the ransomware group BianLian, who claimed they were able to infiltrate the organization’s IT systems and steal a lot of data.  On their website, BianLian bragged about a hit on an organization that lead analysts to “Save the Children”.

For those unfamiliar with BianLian, they are a group of ransomware developers who create ransomware tools to be used to gain access to a company network.  They have targeted organizations in the United States and Australia.  You can read the full report on the CISA website here.

They began operations around June 2022, when they first made a name for themselves by going after healthcare organizations as well as other critical infrastructure.  

The group claims to have stolen up to 7TB of data which they claim includes financial records, HR data and personal data.  In addition, they stated they also had email messages, medical data and other health information.

The general consensus among analysts is that BianLian plans to use this data to extort money out of “Save the Children”.  This would be par for the course for them based on previous attacks. 

When they first started out, they were very much the type to steal data, encrypt the data on the company network, and then threaten to release the data publicly unless they paid the “ransom”. 

Recently, they’ve gone away from encrypting the data – perhaps because they know that companies are better protecting themselves with backups – and instead steal the data, disconnect and threaten to leak the data unless the company pays the “ransom”.

At the time this article was written, “Save the Children” has not verified the claims nor have they published any news releases or other information on their website.  We will continue to investigate the issue and publish any news releases from “Save the Children”.  Based on previous attacks and claims by BianLian, this will most likely make headline news in a few days to a few weeks after “Save the Children” has completed an internal investigation of these claims.

Ransomware groups are starting to care less about encrypting your data, knowing darn well you can probably just restore it.  Instead, they threaten to release sensitive information unless they’re paid.  BianLian is no different and in fact has changed their strategy recently, focusing on theft and extortion.



  • BianLian first emerged in June 2022
  • Known for using the “Go” programming language to infiltrate organizations via valid Remote Desktop Protocol (RDP) sessions
  • Originally stole data, encrypted data and then extorted the company
  • Recently they’ve stopped encrypting data and instead steal it and extort the company for money otherwise they’ll release the sensitive information to the public