Executives Receive Fake Snail Mail BianLian Ransomware Notes

Executives are receiving something strange from scammers claiming to be linked to the BianLian group: fake ransomware letters delivered via snail mail.

The FBI sent out a public service announcement on Thursday warning that scammers are sending corporate executives letters in the mail, which claim to come from a ransomware group and are an attempt to trick organizations into paying a ransom. 

The warning from the FBI comes on the heels of private sector industry reports from earlier this week outlining the same attack, including ones from GuidePoint Security and Arctic Wolf. In their analyses of the scam, both companies said that none of the organizations that received the ransom letter showed activity indicative of a ransomware intrusion.

Key Details:

  • The letters claim to come from BianLian, a ransomware developer and data extortion cybercriminal group, likely based in Russia, with multiple Russia-based affiliates

  • However, the FBI said they have not yet identified any connections between the senders and this widely publicized ransomware group. Meanwhile, GuidePoint Security researchers said they “assess with a high level of confidence that the extortion demands contained within are illegitimate and do not originate from the BianLian ransomware group”

  • The letters have a return address of “BianLian Group” originating from Boston, Massachusetts, are stamped “Time Sensitive Read Immediately” and claim that attackers have gained access to executives’ organizations and have stolen thousands of sensitive data files

  • The attackers say victim data will be published to BianLian’s data leak sites if the letter recipients don’t use a QR code included in the letter (linked to a Bitcoin wallet) to pay between $250,000 and $500,000 within ten days

Why It Matters: Researchers with Arctic Wolf and GuidePoint Security said that this is likely an attempt to create fear and pressure organizations into paying a ransom for an intrusion that didn’t actually occur. 

“Most relevant of all, in the cases where we have seen the delivery of these letters, we have not observed known or suspected intrusion activity reflecting ransomware operations,” said researchers with GuidePoint Security. “Based on the unusual delivery mechanism, the language changes, the absence of intrusion activity, and the delivery of the letters from US post offices, we have high confidence that this wave of letters represents an attempt to deceive and scam executives and organizations into paying a ransom, sight unseen, to actors unaffiliated with the BianLian group.”

The Background: According to researchers with Arctic Wolf, the threat actors started to send the physical ransom letters to executives primarily in the healthcare industry on Feb. 25.

“Notably, when compared with historical BianLian communications and ransom notes, the physical ransom letters are drastically different in word usage and tone,” said researchers. “All letters reviewed by Arctic Wolf contained nearly identical verbiage and appeared to be templated with just a few minor changes between the letters.”

The Impact: The FBI said that organizations should notify their executives about this scam to raise awareness. 

“If you or your organization receive one of these letters, ensure your network defenses are up to date and that there are no active alerts regarding malicious activity,” according to the FBI.