
Illustration by iStock; Security Management

Don’t Return to Sender: Scammers Target Corporate Execs with Ransom Letters

Scammers are sending extortion letters to corporate executives, threatening to release sensitive information unless a ransom is paid, according to a new FBI warning published this week.

The FBI’s Internet Crime Complaint Center (IC3) released the warning on Thursday, explaining that these criminals appear to be masquerading as the “BianLian Group,” which is known for its ransomware attacks.

“Stamped ‘Time Sensitive Read Immediately,’ the letter claims the ‘BianLian Group’ gained access into the organization’s network and stole thousands of sensitive data files,” the IC3 wrote. “The letter then goes on to threaten that the victim’s data will be published to BianLian’s data leak sites if recipients do not use an included QR code linked to a Bitcoin wallet to pay between $250,000 and $500,000 within 10 days from receipt of the letter, claiming the group will not negotiate further with victims.”

The FBI assessed that the letters are attempts to scam organizations into paying a ransom. The return address on the letters originates in Boston, Massachusetts, and the Bureau said it has not identified connections between the senders and the BianLian ransomware group.

Grayson North, senior threat intelligence consultant for GuidePoint’s Research and Intelligence Team, wrote in a post for the company’s GRIT Blog on 4 March that they had received several reports of these physical letters and had assessed with a “high level of confidence” that the demands were not legitimate and not associated with the BianLian ransomware group.

“Most notably, communication of a ransom demand via the postal service is not something we have previously observed from any legitimate ransomware group—as communicating the compromise digitally has long been the standard means of claiming and verifying network compromise,” according to the blog. “In addition, the wording and content of this message are inconsistent with ransom notes that we have observed from BianLian in the past, containing nearly perfect use of English and featuring longer, more complex sentence structures.”

Malwarebytes Labs noted that researchers who reviewed the letters found that they were customized for their recipients, such as leveraging patient data for healthcare executives.

“These personalized letters convincingly threaten network compromise, password abuse, employee exploitation, and data theft, which can be difficult to verify for any lean organization,” according to Malwarebytes.

What Should Security Do?

The IC3 warning included suggested precautions that security practitioners should take to protect their organizations from the scam:

  • Notify corporate executives and the organization of the scam for awareness.

  • Ensure employees are educated on what to do if they receive a ransom threat.

  • If you or your organization receive one of these letters, ensure your network defenses are up-to-date and that there are no active alerts regarding malicious activity.

  • If you discover you are a victim of BianLian ransomware, visit the Joint Cybersecurity Awareness Bulletin for recent tactics, techniques, procedures, and indicators of compromise.

  • Consider reporting the incident to your local FBI Field Office or the IC3.

While it may be perceived as an old-school tactic, criminals continue to use the postal system to carry out their activity—a violation of the Mail Fraud Statute that was passed in 1872. The U.S. Postal Inspection Service is now the lead agency that investigates and pursues mail fraudsters. In its 2023 annual report, the service reported 4,728 arrests and 4,103 convictions related to postal crimes. For mail fraud specifically, the service said that in 2023 it initiated 340 cases and recorded 458 arrests and 454 convictions.

What is BianLian?

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has assessed that the BianLian group is likely based in Russia and has multiple Russia-based affiliates. The group has affected organizations across U.S. critical infrastructure sectors since June 2022 and has also targeted Australian critical infrastructure, professional services, and property development.

“The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol, Rclone, or Mega,” CISA said. “BianLian then extorts money by threatening to release data if payment is not made.”

The group originally used a double-extortion model, where it encrypted victims’ systems after exfiltrating the data. But in January 2023, it shifted to an exfiltration-based extortion model.

In 2023, the most recent year for which data is available, the IC3 tracked 2,825 complaints of ransomware with associated losses of more than $59.6 million. Of those complaints, 1,193 were made by the critical infrastructure sector, with healthcare and public health reporting the most (249), followed by critical manufacturing (218) and government facilities (156).

For more on fraud trends and scams, read our February Security Technology issue: Facing the Fraudsters.
