Introduction
A recent scam campaign has emerged, targeting company executives and healthcare institutions with fraudulent ransom notes that impersonate the BianLian ransomware group [1]. These letters [1] [2] [3] [4] [5] [6] [7], sent via traditional mail [1], falsely claim to have compromised corporate networks and demand substantial ransoms.
Description
Organizations have been alerted to a new scam campaign targeting company executives and healthcare institutions with fraudulent ransom notes that impersonate the BianLian ransomware group. These physical letters [1] [3] [4] [5], mailed in late February 2025 from a postal facility in Boston, Massachusetts [1] [2], falsely assert that the sender has compromised corporate networks and stolen sensitive data [7], including customer and employee information [6], financial documents [6], legal records [6], and patient health information [3]. Marked as “Time Sensitive Read Immediately,” the letters demand a ransom ranging from $250,000 to $500,000 USD, with healthcare companies typically facing demands of around $350,000 [2]. The correspondence threatens to leak the stolen information within 10 days unless payment is made, directing recipients to a newly generated Bitcoin wallet, accompanied by a QR code for convenience. Additionally, the letters include links to Tor data leak sites purportedly associated with BianLian.
First reported in early March 2025 [1], these extortion attempts have been confirmed by security experts at GuidePoint and Arctic Wolf as illegitimate and not linked to any actual network breaches. The letters deviate from typical ransomware tactics, as they were sent via traditional mail rather than the usual email or encrypted messaging platforms favored by cybercriminals [1]. Furthermore, the writing style is notably polished, featuring nearly perfect English and complex sentence structures [1], which is atypical for BianLian communications. The letters also lack essential contact details and make unusual claims, such as stating that the group “no longer negotiates,” contradicting established ransomware practices.
The letters bore Boston postmarks and were identical across multiple recipients, indicating a lack of authenticity [5]; they have been assessed as scams aimed at deceiving executives and organizations into paying ransoms to individuals not affiliated with the BianLian group [4]. Experts [1] [2] [3] [5], including John Riggi from the AHA [3], have indicated that it is unusual for a foreign ransomware group to use physical letters for extortion [3], further supporting the notion that these attempts are likely hoaxes. GuidePoint’s investigation revealed that the Bitcoin wallet addresses used in this scam were newly generated and had no connections to known ransomware groups [1].
This campaign exemplifies how cybercriminals exploit urgency and fear to prompt quick payments without verification [1]. Organizations are advised to remain vigilant [1], preserve any received letters for potential forensic examination [3], and thoroughly investigate such claims before taking any action [1]. It is crucial to assess whether any claimed data could have been stolen in prior breaches or sourced from third parties [5], as paying the ransom does not guarantee the deletion of stolen data or the cessation of blackmail [1]. Furthermore, organizations should develop processes to handle ransom threats [5], report incidents internally [5], and coordinate with law enforcement [5]. Cybersecurity experts emphasize the importance of investigating any claims made in ransom letters [5], even if they appear to be fake [5], to rule out the possibility of a genuine data breach [5]. Further information on this issue is expected from the FBI [3].
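As an added illustration of the triage step described above (not code from any of the cited reports), the following script extracts the claims made in a received letter and flags the traits this campaign is known for: postal delivery, the “no longer negotiates” line, the absence of any contact channel, a demand in the $250,000 to $500,000 range, and a malformed payment address. The letter text is constructed for the example, and the Bitcoin address in it is the well-known genesis-block address used purely as a placeholder.

```python
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass, field

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_valid(addr: str) -> bool:
    """True if addr is a syntactically valid legacy (Base58Check) Bitcoin address."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # each leading '1' is a zero byte
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]

@dataclass
class Triage:
    ransom_usd: list[int]
    deadline_days: int | None
    btc_addresses: list[str]
    onion_links: list[str]
    indicators: list[str] = field(default_factory=list)

def triage_letter(text: str, delivered_by_post: bool) -> Triage:
    """Pull out the letter's claims and note traits matching the fake-BianLian mail campaign."""
    amounts = [int(a.replace(",", "")) for a in re.findall(r"\$([\d,]{6,})", text)]
    days = re.search(r"(\d+)\s*days?", text, re.I)
    t = Triage(ransom_usd=amounts,
               deadline_days=int(days.group(1)) if days else None,
               btc_addresses=re.findall(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b", text),
               onion_links=re.findall(r"https?://[a-z2-7]{16,56}\.onion\S*", text, re.I))
    if delivered_by_post:
        t.indicators.append("delivered by physical mail (atypical for ransomware groups)")
    if re.search(r"no longer negotiat", text, re.I):
        t.indicators.append("'no longer negotiates' claim contradicts usual practice")
    if not re.search(r"[\w.+-]+@[\w-]+\.[\w.]+", text):
        t.indicators.append("no contact channel given for negotiation")
    if any(250_000 <= a <= 500_000 for a in amounts):
        t.indicators.append("demand within the $250k-$500k range seen in the campaign")
    t.indicators += [f"malformed Bitcoin address {a}" for a in t.btc_addresses if not b58check_valid(a)]
    return t

# Constructed sample letter (placeholder wording and placeholder genesis-block address).
SAMPLE_LETTER = """Time Sensitive Read Immediately
We have compromised your network and exfiltrated patient records and financial documents.
Pay $350,000 in Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 10 days.
We no longer negotiate. Proof: http://exampleexampleexampleexampleexampleexampleexampleexample.onion/leaks
"""
```

The resulting record gives incident responders the concrete claims to check against prior breaches and third-party exposure before any payment decision, while the letter itself is preserved for law enforcement.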
Conclusion
The emergence of this scam campaign highlights the evolving tactics of cybercriminals, who are now resorting to traditional mail to instill fear and urgency. Organizations must remain vigilant, ensuring that they have robust processes in place to handle such threats. It is essential to collaborate with law enforcement and cybersecurity experts to mitigate risks and prevent financial losses. As the situation develops, further insights from the FBI and other authorities will be crucial in understanding and countering these fraudulent activities.
References
[1] https://cyberinsider.com/fake-bianlian-ransom-notes-delivered-to-executives-via-post-mail/
[2] https://cybermaterial.com/fake-bianlian-ransom-notes-target-us-ceos/
[3] https://www.aha.org/news/headline/2025-03-05-hospitals-and-health-systems-receive-fake-data-extortion-letters
[4] https://www.forbes.com/sites/daveywinder/2025/03/05/250000-snail-mail-ransomware-threat-warning-what-you-need-to-know/
[5] https://www.csoonline.com/article/3839190/ransomware-goes-postal-us-healthcare-firms-receive-fake-extortion-letters.html
[6] https://www.techradar.com/pro/security/ransomware-criminals-are-now-sending-their-demands-by-snail-mail
[7] https://www.infosecurity-magazine.com/news/extortionists-bianlian-ransom/