
In a ransomware first, threat actors claiming to be from the BianLian ransomware gang have been found using the regular US postal service to try to extort money from corporate executives, the FBI warned on Thursday.
According to a new warning released by the FBI’s Internet Crime Complaint Center (IC3) and CISA, the purported ransomware gang members have been using snail mail (regular mail) to send threatening blackmail letters to targeted victims in hopes of a payout.
Designed to grab the victim’s attention, the envelopes are stamped with the words “Time Sensitive Read Immediately,” and show a US-based return address of the “BianLian Group,” originating from Boston, Massachusetts.
Once opened, the threat actors, masquerading as the Russian-linked “BianLian Group,” write that the ransomware group has infiltrated the victim’s corporate network and stolen thousands of files of sensitive data.
The threat actors threaten to publish the sensitive data on the BianLian dark leak site if the victim does not fork over a ransom demand of between $250,000 and $500,000.
The victim is further given a 10-day deadline to pay up, along with a QR code linked to a Bitcoin wallet to transfer the funds into.
The criminal authors also state they “will not negotiate further with victims.”

The FBI has not revealed the names of the corporate executives targeted in the scam, if anyone paid, or if the letters were handwritten or printed.
The FBI further states it has not “yet identified any connections between the senders and the widely-publicized BianLian ransomware and data extortion group.”
How to protect against the BianLian mail scam
The FBI is recommending several steps the public can take to help protect against these types of extortion scams, or to follow if you happen to receive one of the ransomware letters.
- Notify your company and other executives who work there about the scam.
- Educate employees on what to do if they receive a ransom threat.
- Ensure your network defenses are up to date and that there are no active alerts regarding malicious activity.
For further information about BianLian’s recent tactics, techniques, and procedures, and indicators of compromise, the FBI directs readers to the latest advisory alert on the ransomware group.

Who is BianLian?
The BianLian ransomware group first appeared on the cybercriminal circuit in June 2022, developing and deploying its own ransomware variant to target mainly critical infrastructure sectors in the US and Australia, according to the November 2024 FBI and CIA joint bulletin.
Cybernews’ Ransomlooker tool shows that in the past 12 months, BianLian has carried out roughly 140 attacks, with its most recent victim claimed as Nippon Steel, the world’s fourth-largest crude steel producer, just last month.
Other high-profile victims include the US Better Business Bureau (BBB), Air Canada, Tennessee State University, Affiliated Dermatologists, and Ashley Furniture.
The gang is also said to have evolved from stealing data and then encrypting its victims’ systems – known as double extortion – to a mainly data exfiltration-based extortion model.
The threat actors, believed to be of Russian origin, typically gain access to victims through the use of valid Remote Desktop Protocol (RDP) credentials, using open-source tools and command-line scripting for discovery and credential harvesting, the warning bulletin stated.
Once a system is breached by BianLian, the attackers are known to “create custom back doors for each victim and install remote management and access software for persistence and command and control,” the advisory said.