Snail Mail being used for Ransom Demands

Scammers are impersonating the BianLian ransomware gang in fake ransom notes sent to US companies via snail mail through the United States Postal Service. Guidepoint Security first reported the phony ransom notes today, and BleepingComputer later received a scan of the note from a CEO who received the same letter. The envelopes for these ransom notes claim to be from the "BIANLIAN Group" and have a return address in an office building in Boston, Massachusetts.
The letter shared with BleepingComputer shows it was mailed on 25 February 2025. This mailing date is the same as the one seen by Arctic Wolf, who also reported on the scam today. The letters are being mailed to the CEOs of the companies at their corporate mailing addresses. They were processed through a postal facility in Boston, and the envelope is marked "Time Sensitive Read Immediately."

Envelope for fake BianLian ransom note
Source: BleepingComputer
The envelopes contain a ransom note addressed to the company's CEO or another executive, claiming to be from the BianLian ransomware operation. According to notes reviewed by BleepingComputer, they are tailored to the company's industry, with the types of allegedly stolen data matched to the company's activities. For example, fake BianLian ransom notes sent to healthcare companies claim that patient and employee information was stolen, while those targeting product-based businesses allege the exposure of customer orders and employee data. "I regret to inform you that we have gained access to [REDACTED] systems and, over the past several weeks, have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents," reads a fake BianLian ransom note.
See: https://redskyalliance.org/xindustry/bianlian

Fake BianLian ransom note sent via snail mail
Source: GuidePoint Security

The mailed ransom notes are very different from BianLian's, but the scammers attempt to make them look convincing by including the real Tor data leak sites for the ransomware operation in the notes. Unlike typical ransomware demands, these fake notes state that BianLian is no longer negotiating with victims. Instead, the victim has 10 days to make a Bitcoin payment to prevent data from being leaked.
Each ransom note includes a ransom demand ranging between $250,000 and $500,000, a freshly generated Bitcoin address to send payment, and a QR code for the Bitcoin address.

Arctic Wolf said that all healthcare organizations had their ransom demand set to $350,000, the same as the one shared by a healthcare company with BleepingComputer, as shown below.
Payment information in fake BianLian ransom note
Source: BleepingComputer
Arctic Wolf states that two of the ransom notes the researchers saw included legitimate compromised passwords to add weight to the demand. "In at least two letters, the threat actor included a compromised password in the 'How did this happen?' section, almost certainly to add legitimacy to their claim."
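A password printed in one of these letters is the one piece of evidence a recipient can actually test. The check below is an added example from the editor, not code from the article, Arctic Wolf or GuidePoint: it looks the password up in a public breach corpus using the k-anonymity range query of the Pwned Passwords API (only the first five hex characters of the SHA-1 hash leave the machine, and the match is done locally on the returned suffix list). A password that appears thousands of times in old leaks is consistent with the scam reusing breach data; one that appears nowhere deserves an actual investigation. The password, the counts and the range response used here are constructed for the example; `live_fetch` is the real network call, kept separate so the logic runs offline.

```python
"""Check a password quoted in an extortion letter against a breach corpus
without disclosing the password (Pwned Passwords k-anonymity range query).

Added example, not from the article. The sample password and the range
response below are constructed; live_fetch() performs the real query.
"""
import hashlib
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if never).

    fetch_range(prefix) returns the response body for RANGE_URL + prefix; it is
    injected so the matching logic can be exercised offline.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]      # 5 chars sent, 35 kept local
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real network fetch; only the 5-character hash prefix is transmitted."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- constructed offline fixture (stands in for a letter's password) --------
LEAKED_PASSWORD = "Winter2024!"          # constructed, not from any real letter
_LEAKED_SUFFIX = sha1_hex(LEAKED_PASSWORD)[5:]
# Shape of a real range response: other suffixes sharing the bucket plus ours.
# Counts are invented for the fixture.
_FAKE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_LEAKED_SUFFIX}:1723",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for live_fetch(); serves the constructed fixture."""
    return _FAKE_RANGE_BODY


def triage_letter_password(password: str,
                           fetch_range: Callable[[str], str] = fake_fetch) -> str:
    """Turn the count into the triage note an analyst would attach to the ticket."""
    n = breach_count(password, fetch_range)
    if n:
        return (f"seen {n} times in breach corpus: consistent with reuse of "
                f"old leak data, not evidence of a new intrusion")
    return "not in breach corpus: stronger signal, investigate the account"


if __name__ == "__main__":
    print(triage_letter_password(LEAKED_PASSWORD))
    # Swap in live_fetch for a real lookup: triage_letter_password(pw, live_fetch)
```

Even a positive hit only says the password was already public; it does not prove the sender never had access. Pair it with the absence of the usual breach indicators (no encryption, no exfiltration traffic, no new accounts) before closing the ticket as a scam.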
The consensus across the reports is that these ransom notes are fake and designed only to scare executives into paying, as there are no signs of an actual breach. "While GRIT cannot confirm the identity of the letter's authors at this time, we assess with a high level of confidence that the extortion demands contained within are illegitimate and do not originate from the BianLian ransomware group," explains GuidePoint Security researcher Grayson North.
This does not mean the letters should be ignored. Because the notes are being mailed widely, IT and security admins should brief their executives on the scam so that they recognize it and do not waste time and resources responding to it.
These fake ransom notes are an evolution of the email extortion scams that have become so popular since 2018. However, they are now targeting corporate CEOs instead of personal emails.

BleepingComputer contacted the BianLian ransomware operation to determine whether it was involved in these mailings, but a reply was not immediately available.

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

© 2025 Red Sky Alliance Corporation. All rights reserved.