Scammers are impersonating BianLian ransomware, and mailing faux ransom letters to companies. Study the pink flags and defend towards this extortion rip-off.
GuidePoint Safety’s Senior Menace Intelligence Analyst, Grayson North, has found a peculiar pattern within the company sector through which executives at varied organizations started receiving bodily letters delivered through the US Postal Service.
In March 2025, the GuidePoint Analysis and Intelligence Crew (GRIT) obtained reviews of suspicious bodily letters from the BianLian ransomware group, claiming that the recipient’s company IT community had been compromised and delicate information had been stolen. The letters have been delivered through mail from US addresses.
These senders demanded substantial ransom funds, starting from $250,000 to $350,000, to a Bitcoin pockets handle offered, with a risk of knowledge leakage if fee was not obtained inside ten days. The letter arrived with the next textual content:
“We not negotiate with victims: You have got 10 days from the receipt of this letter to pay. If we're not paid on time, your information might be revealed and we'll proceed to gather information out of your community and firm. It's as much as you to find out the price of your entire firm’s information being leaked to the general public to abuse.”
The letters mimicked the format of conventional digital ransomware notes, together with QR codes for simple Bitcoin transfers and Tor hyperlinks to BianLian’s information leak website on the Darkish Internet. Nevertheless, cybersecurity analysts at GuidePoint Safety rapidly recognized quite a few inconsistencies that forged doubt on the legitimacy of those claims.
Corresponding to, the letters’ language was notably completely different from BianLian’s previous ransom notes, displaying a degree of polished English that was uncharacteristic. Although the offered Tor hyperlinks did result in BianLian’s official information leak websites, these hyperlinks are publicly recognized and simply accessible. Probably the most obtrusive anomaly was the strategy of supply since ransomware teams usually talk digitally, and usually keep away from utilizing bodily mail mediums.
Furthermore, in accordance with GRIT’s report, as an alternative of ordinary risk actors’ practices, the senders refused to barter. The Bitcoin pockets addresses have been newly generated and confirmed no earlier affiliation with any ransomware exercise. Crucially, investigations revealed no proof of community intrusions or information breaches within the organizations that obtained these letters.
The analysis group, therefore, concluded that given the weird supply methodology, the language inconsistencies, the shortage of intrusion proof, and the recent Bitcoin wallets all pointed to an try and impersonate BianLian for monetary achieve. The letters have been marked “TIME SENSITIVE READ IMMEDIATELY” and had a return handle in Boston.
These facets point out that the letters have been designed to create a way of urgency and concern, exploiting the popularity of a recognized ransomware group. GRIT recommends organizations ought to educate workers on dealing with such threats and guarantee community defences are updated and no lively alerts are current.
RELATED TOPICS
