Ransomware poseurs are trying to extort businesses through physical letters


The FBI and threat researchers are warning executives to be on the lookout for physical letters in the mail threatening to leak sensitive corporate data. 

The letters, which are stamped “time sensitive read immediately” and shipped directly to executives through the Postal Service, are part of a nationwide scam designed to extort victims into paying $250,000 to $500,000, the FBI said Thursday.

The unidentified criminal or threat group behind the mail scam is masquerading as BianLian, a prolific ransomware and data extortion group that has attacked multiple U.S. critical infrastructure sectors since June 2022. 

Cyber authorities and researchers have not confirmed BianLian’s involvement and believe the letters are an attempt to scam organizations into paying a ransom. 

“Several inconsistencies — such as the lack of a contact method for negotiation, absence of proof of data exfiltration and differences in writing style — suggest this is a fraudulent campaign meant to exploit fear for financial gain,” said Richard Emerson, manager of reactive threat intelligence at Palo Alto Networks’ Unit 42.

Executives have received the letters at their personal and business addresses. Each letter includes a QR code linked to a Bitcoin wallet and demands payment within 10 days. The U.S.-based return address originates from an office building in Boston.

Arctic Wolf CISO Adam Marré, a former special agent with the FBI, said he’s aware of at least 20 extortion letters linked to this scam, but said other organizations have reported receiving the letters as well. Those observations, combined with the FBI’s public service announcement, indicate this activity is likely widespread, Marré said.

Health care executives are the most heavily targeted recipients of these letters, with each receiving extortion demands of $350,000, according to Arctic Wolf.

BianLian previously pressured victims into paying a ransom via phone calls, but the use of physical mail for extortion is unique for the threat group and ransomware activity at large.

“A tactic like this is pretty inefficient, having an individual mail letters to organizations one by one,” Marré said. “It also presents a unique challenge — there isn’t any contact information for payment issues or correspondence.”

The analog attributes of this scam can have a chilling effect on those targeted, especially for executives who received the threatening letters at their homes.

“Receiving a physical letter with a ransom demand can feel more personal and alarming than a digital threat,” Emerson said. “Unlike emails, which can be filtered or ignored, a letter delivered through the postal service creates a sense of direct targeting, potentially increasing the psychological pressure on recipients.” 

“Physical mail adds a different layer of intimidation,” he continued. “It implies that the sender has access to personal or company-related details, which could make the recipient feel more vulnerable. Additionally, physical letters can bypass cybersecurity defenses, making them harder to detect and prevent compared to email-based extortion attempts.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.


