Fake BianLian ransom notes mailed to US CEOs in postal mail scam

Scammers are impersonating the BianLian ransomware gang by sending fake ransom notes to CEOs of US companies via the United States Postal Service.

What happened

A new scam involving fake BianLian ransom notes has been reported, where scammers target CEOs of US companies by mailing fake ransom letters. The notes, which claim to be from the "BIANLIAN Group," demand a Bitcoin payment between $250,000 and $500,000. These letters, marked "Time Sensitive Read Immediately," contain fraudulent claims of stolen data tailored to each company’s industry. Healthcare companies received fake reports of stolen patient data, while other businesses were allegedly targeted for customer and employee information. The letters are designed to look convincing, including information from Tor data leak sites and even compromised passwords to add legitimacy.

The backstory

BianLian ransomware has gained notoriety in recent years, primarily for using double-extortion tactics, where data is stolen and encrypted, followed by ransom demands. Typically, these operations are conducted through digital means. However, this latest scam appears to be an evolution of previous email-based extortion attacks, shifting to mailed letters to target high-profile individuals in companies.

Going deeper

• The fake ransom notes are designed to scare CEOs and executives into paying, as there’s no sign of an actual breach.
• The notes vary based on the industry of the company, such as healthcare or product-based businesses.
• The scam includes a fresh Bitcoin address and a QR code for payment, adding a level of credibility.
• At least two letters contained compromised passwords, likely to reinforce the threat's legitimacy.

What was said

Grayson North, a researcher at GuidePoint Security, said: "We assess with a high level of confidence that the extortion demands contained within are illegitimate and do not originate from the BianLian ransomware group." Arctic Wolf also stated that these ransom notes are designed solely to instill fear, with no real threat of a breach.

The FBI has also issued an announcement to inform businesses about this scam. The FBI recommends organizations educate their executives and employees about such threats, ensure network defenses are up-to-date, and report any incidents to the local FBI Field Office or the Internet Crime Complaint Center (IC3).

In the know

Ransomware attacks like those from BianLian have been on the rise in recent years, evolving from digital to physical mail scams. This shift to postal mail could mark the beginning of a new trend in how cybercriminals target high-level executives. Awareness of these scams is crucial for CEOs and organizations to prevent unnecessary panic and resource wastage.

Why it matters

This scam shows the increasing creativity and persistence of cybercriminals in targeting executives. Understanding how to differentiate between legitimate threats and scams is vital for businesses to protect themselves from being extorted or distracted by these fraudulent tactics. It also shows how cybersecurity efforts must extend beyond just email-based threats to include physical mail.

The bottom line

These fake ransom notes are a reminder of how scammers are evolving their methods. Organizations must educate executives and IT staff about these types of scams to avoid unnecessary panic and secure against real threats.

FAQs

What should be done if a suspicious ransom letter is received?

Notify corporate executives, ensure network defenses are up-to-date, and report the incident to the local FBI Field Office or IC3.

How can the legitimacy of a ransom note be determined?

Look for signs such as the lack of genuine threats, mismatched return addresses, and no actual evidence of a data breach or hacking activity.

What is BianLian ransomware, and how does it operate?

BianLian ransomware is a cybercrime operation that extorts money from victims by threatening to leak stolen data unless a ransom is paid.

Are there any common signs that a business has been targeted by BianLian or similar ransomware groups?

Look for unusual activity on networks, unexpected ransom demands, or suspicious communication from actors claiming to be from a ransomware group.