Scammers Mailing Ransom Letters While Posing as BianLian Ransomware


Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how to protect against this extortion scam.

GuidePoint Security’s Senior Threat Intelligence Analyst, Grayson North, has discovered a peculiar trend in the corporate sector in which executives at various organizations began receiving physical letters delivered via the US Postal Service.

In March 2025, the GuidePoint Research and Intelligence Team (GRIT) received reports of suspicious physical letters purporting to come from the BianLian ransomware group, claiming that the recipient’s corporate IT network had been compromised and sensitive data had been stolen. The letters were delivered by mail from US addresses.

The senders demanded substantial ransom payments, ranging from $250,000 to $350,000, to a Bitcoin wallet address provided in the letter, threatening to leak the data if payment was not received within ten days. The letter contained the following text:

“We no longer negotiate with victims: You have 10 days from the receipt of this letter to pay. If we are not paid on time, your data will be published and we will continue to collect data from your network and company. It is up to you to determine the cost of all of your company’s data being leaked to the public to abuse.”

The letters mimicked the format of traditional digital ransomware notes, including QR codes for easy Bitcoin transfers and Tor links to BianLian’s data leak site on the Dark Web. However, cybersecurity analysts at GuidePoint Security quickly identified numerous inconsistencies that cast doubt on the legitimacy of these claims.

For one, the letters’ language was notably different from BianLian’s past ransom notes, displaying a level of polished English that was uncharacteristic of the group. Though the provided Tor links did lead to BianLian’s legitimate data leak sites, those links are publicly known and easily accessible. The most glaring anomaly was the method of delivery: ransomware groups typically communicate digitally and generally avoid physical mail.

Moreover, according to GRIT’s report, and contrary to standard threat-actor practice, the senders refused to negotiate. The Bitcoin wallet addresses were newly generated and showed no previous association with any ransomware activity. Crucially, investigations revealed no evidence of network intrusions or data breaches at the organizations that received these letters.
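Two of the checks above, whether the payment address is even well-formed and whether it has any on-chain history, can be done quickly by an incident responder before anyone worries about the letter's claims. The following is an added example (not code from the article or from GRIT) that validates a Bitcoin address locally (Base58Check for 1.../3... addresses, bech32/bech32m for bc1... addresses) and then summarises the address's activity from an Esplora-style JSON record, the shape returned by blockstream.info's `/api/address/<addr>` endpoint; the `chain_stats` fields `tx_count` and `funded_txo_sum` are assumed to be present, and the history record used below is constructed for the example rather than fetched.

```python
"""Offline triage helpers for the Bitcoin address in an extortion letter.

Added example, not part of the GRIT report. Address format checks run
entirely locally; the on-chain history record is assumed to have the
Esplora shape (chain_stats.tx_count, chain_stats.funded_txo_sum) and the
record used here is constructed, not fetched.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _base58check_ok(addr: str) -> bool:
    """Decode a legacy (P2PKH/P2SH) address and verify its 4-byte checksum."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte (the 0x00 version byte).
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def _bech32_polymod(values):
    """BIP173 checksum polynomial over 5-bit groups."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_ok(addr: str) -> bool:
    """Verify a native segwit (bc1...) address checksum, bech32 or bech32m."""
    addr = addr.lower()
    if "1" not in addr:
        return False
    hrp, data = addr.rsplit("1", 1)
    if hrp != "bc" or not data or any(c not in BECH32_CHARSET for c in data):
        return False
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    chk = _bech32_polymod(hrp_expanded + [BECH32_CHARSET.index(c) for c in data])
    return chk in (1, 0x2BC830A3)  # 1 = bech32 (segwit v0), other = bech32m


def address_format_ok(addr: str) -> bool:
    """True if the string is a syntactically valid mainnet Bitcoin address."""
    if addr.startswith(("1", "3")):
        return _base58check_ok(addr)
    if addr.lower().startswith("bc1"):
        return _bech32_ok(addr)
    return False


def assess_history(record: dict) -> dict:
    """Turn an Esplora-style address record into triage findings."""
    stats = record.get("chain_stats", {})
    tx_count = stats.get("tx_count", 0)
    received_btc = stats.get("funded_txo_sum", 0) / 1e8
    findings = []
    if tx_count == 0:
        findings.append("no on-chain history: wallet looks freshly generated")
    elif received_btc == 0:
        findings.append("address seen on chain but never funded")
    else:
        findings.append(f"address has received {received_btc:.8f} BTC over {tx_count} tx")
    return {"tx_count": tx_count, "received_btc": received_btc, "findings": findings}


def triage_address(addr: str, record: dict) -> dict:
    """Combine the format check and the history assessment into one verdict."""
    result = {"address": addr, "format_ok": address_format_ok(addr)}
    if not result["format_ok"]:
        result["findings"] = ["payment address is not a valid Bitcoin address"]
        return result
    result.update(assess_history(record))
    return result


# Constructed sample: a valid-format address with an empty history record,
# the pattern GRIT observed for the letters' freshly generated wallets.
SAMPLE_ADDRESS = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
SAMPLE_RECORD = {
    "address": SAMPLE_ADDRESS,
    "chain_stats": {"funded_txo_count": 0, "funded_txo_sum": 0, "tx_count": 0},
}

if __name__ == "__main__":
    print(triage_address(SAMPLE_ADDRESS, SAMPLE_RECORD))
```

A fresh, never-funded address is not proof of a scam on its own, but combined with the other red flags (no intrusion evidence, no active alerts, publicly known leak-site links) it is a cheap first data point to record in the ticket before anyone escalates.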

The research team therefore concluded that the unusual delivery method, the language inconsistencies, the lack of intrusion evidence, and the fresh Bitcoin wallets all pointed to an attempt to impersonate BianLian for financial gain. The letters were marked “TIME SENSITIVE READ IMMEDIATELY” and carried a return address in Boston.

The fake ransom letter used in the campaign (Via GRIT)

These details indicate that the letters were designed to create a sense of urgency and fear by exploiting the reputation of a known ransomware group. GRIT recommends that organizations educate employees on handling such threats, ensure network defences are up to date, and confirm that no active alerts are present.
