In a novel approach to cyber extortion, a series of suspicious letters claiming to be from the BianLian ransomware group have been sent to executives of various U.S. organizations.
These letters, which are believed to be part of a scam, assert that the recipients’ corporate networks have been compromised and sensitive data stolen.
The scammers demand substantial ransoms, ranging from $250,000 to $350,000, to be paid in Bitcoin within a ten-day period.
The letters include a QR code for easy payment and threaten to leak the stolen data if the demands are not met.
Indicators of Illegitimacy
Several factors suggest that these letters are not genuine ransom demands from the BianLian group.
Notably, ransomware groups typically communicate their threats digitally, not through postal mail.
The language used in the letters is also inconsistent with previous communications from BianLian, featuring nearly perfect English and complex sentence structures.
Furthermore, the Tor links provided point to BianLian’s known data leak sites; those addresses are widely published by cybersecurity outlets and anyone can copy them, so their presence is not proof that the sender is BianLian.
The Bitcoin wallets included are freshly generated and have no transaction history linking them to any known ransomware group, so they offer no attribution either.
In cases where these letters have been received, no corresponding network intrusion activity has been detected, reinforcing the suspicion that these are scams rather than legitimate ransom demands.
According to a GuidePoint Security report, the letters are carefully crafted to mimic real ransom notes but lack the negotiation channels that threat groups typically provide.
Instead, they state that no negotiations will be entertained, which is unusual for ransomware groups that often engage in discussions with their victims.
Recommendations for Response
Organizations receiving these letters are advised to notify their executive teams and educate employees on how to handle such threats.
It is crucial to ensure that network defenses are up to date and to review logs and endpoint telemetry for any signs of malicious activity.
Even though actual network compromise is unlikely, a letter of this kind should be treated as a trigger for that check rather than dismissed outright.
Recipients are encouraged to report incidents to local law enforcement and the Internet Crime Complaint Center (IC3).
If a network compromise is suspected, contacting an incident response team for assistance is recommended.