Scammers are impersonating the BianLian ransomware group and mailing fake ransom letters to companies. Learn the red flags and how to protect against this extortion scam.
GuidePoint Security's Senior Threat Intelligence Analyst, Grayson North, has identified a peculiar trend in the corporate sector in which executives at various organizations began receiving physical letters delivered via the US Postal Service.
In March 2025, the GuidePoint Research and Intelligence Team (GRIT) received reports of suspicious physical letters purporting to come from the BianLian ransomware group, claiming that the recipient's corporate IT network had been compromised and sensitive data stolen. The letters were delivered through the mail from US addresses.
The senders demanded substantial ransom payments, ranging from $250,000 to $350,000, to a Bitcoin wallet address provided in the letter, with a threat of data leakage if payment was not received within ten days. The letter contained the following text:
"We no longer negotiate with victims: You have 10 days from the receipt of this letter to pay. If we are not paid on time, your data will be published and we will continue to gather data from your network and company. It is up to you to determine the cost of your entire company's data being leaked to the public to abuse."
The letters mimicked the format of conventional digital ransomware notes, including QR codes for easy Bitcoin transfers and Tor links to BianLian's data leak site on the Dark Web. However, cybersecurity analysts at GuidePoint Security quickly identified numerous inconsistencies that cast doubt on the legitimacy of these claims.
For instance, the language of the letters was notably different from BianLian's past ransom notes, displaying a level of polished English that is uncharacteristic of the group. Although the Tor links provided did lead to BianLian's genuine data leak site, those links are publicly known and easily accessible, so including them proves nothing about who sent the letter. The most glaring anomaly was the method of delivery: ransomware groups typically communicate digitally and generally avoid physical mail.
Moreover, according to GRIT's report, and contrary to the usual practice of ransomware operators, the senders refused to negotiate. The Bitcoin wallet addresses were newly generated and showed no prior association with any ransomware activity. Crucially, investigations revealed no evidence of network intrusions or data breaches at the organizations that received these letters.
The research team therefore concluded that the unusual delivery method, the language inconsistencies, the lack of intrusion evidence, and the fresh Bitcoin wallets all pointed to an attempt to impersonate BianLian for financial gain. The letters were marked "TIME SENSITIVE READ IMMEDIATELY" and carried a return address in Boston.
These features indicate that the letters were designed to create a sense of urgency and fear by exploiting the reputation of a known ransomware group. GRIT recommends that organizations educate staff on how to handle such threats, and that they verify the claim against their own telemetry rather than the letter's assertions: confirm that network defenses are up to date and that no active alerts indicating a compromise are present.