Organizations have been urged not to fall for what appears to be a ransomware scam using physical letters.
GuidePoint Security claimed in a blog post yesterday that it had received reports of executives in multiple organizations being sent a suspicious letter purporting to come from the BianLian ransomware group.
In it, the sender claims to have compromised the recipient’s corporate network and stolen sensitive data.
“Mimicking the threats of a ‘true’ ransomware ransom note, the letters state that the stolen data will be leaked 10 days after receipt of the letter unless a substantial ransom is paid,” GuidePoint Security explained.
“The letter instructs the recipient to pay the ransom to an included Bitcoin wallet, which is made easier by including a QR code containing the wallet address. As a part of this specific campaign, we observed ransom demands ranging from $250,000 to $350,000 USD.”
Although the letters in question apparently contain Tor links to BianLian’s data leak site, the group responsible is almost certainly an imposter, GuidePoint claimed. That’s partly because of its near-flawless mastery of English, and several other tell-tale signs, such as an unwillingness to negotiate on the ransom amount.
“Based on the unusual delivery mechanism, the language changes, the absence of intrusion activity, and the delivery of the letters from US post offices, we have high confidence that this wave of letters represents an attempt to deceive and scam executives and organizations into paying a ransom, sight unseen, to actors unaffiliated with the BianLian group,” GuidePoint said.
The vendor urged organizations to:
- Notify executives about the scam so they are not caught off guard, and ensure that reporting mechanisms are understood and documented
- Make sure employees know what to do if they receive a ransom threat, whether by mail or online
- Keep network defenses up to date and check that there are no active alerts regarding malicious activity
- Report the letter to local law enforcement and the local FBI Field Office
The incidents have echoes of a 2020 extortion campaign in which organizations received letters purporting to come from state-sponsored groups, threatening to launch DDoS attacks on the recipient unless a Bitcoin payment was made.