Multiple US organizations reported receiving suspicious physical letters claiming to be from the BianLian ransomware group.
These letters have been delivered via regular mail to executive team members, falsely asserting that the recipient’s corporate IT network has been compromised and sensitive data stolen.
This unusual campaign represents a significant departure from typical ransomware tactics, which rely almost exclusively on digital communications.
The fraudulent letters claim that corporate data has been exfiltrated over several weeks, including customer information, employee records with Social Security numbers, financial documents, and other sensitive materials.
Recipients are threatened that this data will be leaked within 10 days of receiving the letter unless a substantial ransom is paid in Bitcoin.
The letters include both Bitcoin wallet addresses and corresponding QR codes to facilitate payment, with ransom demands ranging from $250,000 to $350,000 USD.
These physical letters are delivered in envelopes marked “TIME SENSITIVE READ IMMEDIATELY” and bear a return address claiming to be from “BIANLIAN GROUP” in Boston, Massachusetts.
The letters include Tor links to actual BianLian data leak sites as a means of establishing credibility, yet security researchers note that these addresses are publicly known and not indicative of a genuine connection to the ransomware group.
Security analysts at GuidePoint have determined with high confidence that these extortion demands are illegitimate and do not originate from the actual BianLian ransomware group.
Most tellingly, no organizations receiving these letters have shown evidence of actual network intrusions or data theft that would correspond with typical ransomware operations.
Identifying Fraudulent Communications and Response Recommendations
Several key indicators betray the illegitimate nature of these ransom demands.
The use of physical mail for ransom communications has not been observed in legitimate ransomware campaigns, where digital proof of compromise is the standard.
The writing style in these letters differs markedly from authentic BianLian communications, featuring nearly perfect English and more complex sentence structures.
Additionally, the absence of a communication channel for negotiation—the letters explicitly state “we no longer negotiate”—deviates from standard ransomware protocols while conveniently eliminating the need for the scammers to demonstrate any actual data theft.
The Bitcoin wallet addresses included in these letters appear to be freshly generated with no connections to known ransomware operations.
While separate wallet creation is standard practice for legitimate ransomware groups, in this context it serves to obscure the scammers’ identities.
Organizations receiving such letters are advised to first verify their network security posture through internal checks rather than responding to the demands.
GuidePoint Security recommends notifying executive team members about this threat campaign to prevent panic if targeted, ensuring employees understand proper reporting procedures, and confirming that network defenses remain up-to-date.
Recipients should report these incidents to local law enforcement and the FBI’s Internet Crime Complaint Center (IC3).
While these letters appear to be scams, their distribution could potentially indicate knowledge of historical data leaks or compromises that organizations should investigate.