Fake BianLian Ransom Notes Mailed to US CEOs in Postal Mail Scam
Summary:
GuidePoint has uncovered a new campaign in which threat actors are sending physical ransom notes to senior executives at US organizations via the United States Postal Service. These notes, purportedly from the BianLian ransomware group, claim that the recipient’s corporate IT network has been compromised and that sensitive data has been stolen. The ransom notes are tailored to the recipient's industry: for example, those sent to healthcare companies allege that patient and employee information has been breached, while notes targeting product-based businesses claim that customer and employee data has been exposed. The letters threaten to leak the stolen data within 10 days unless a ransom is paid. GuidePoint has observed ransom demands ranging from $250,000 to $350,000 USD, with recipients instructed to scan a QR code that encodes a Bitcoin wallet address for payment. The security firm assesses with high confidence that the extortion demands are illegitimate and do not originate from the BianLian ransomware group. Although the ransom notes include Tor links to BianLian’s data leak site, the language and content differ significantly from previous ransom notes attributed to the group. Notably, these notes feature nearly perfect English and employ longer, more complex sentence structures, further suggesting they are not from BianLian.
Security Officer Comments:
The latest activity has yet to be attributed to a known threat cluster. The letters observed thus far contain a return address from an office building in Boston, Massachusetts, and are marked as "Time Sensitive, Read Immediately." This adds a sense of urgency and legitimacy, pressuring recipients to open the letter and quickly comply with the demands of the threat actors.
Overall, the use of physical ransom notes represents a novel and evolving tactic by threat actors, underscoring their adaptability in finding new ways to extort funds from victims. By shifting from traditional digital methods to physical mail, these actors are broadening their approach to reach potential targets.
Suggested Corrections:
Recommendations from GuidePoint:
- Notify executive team members about the threat to ensure they are not "caught off guard" if they receive such a letter. Ensure reporting mechanisms are clearly understood and documented.
- Educate employees on how to respond if they receive any ransom threat, whether legitimate or not, through any means.
- If your organization receives one of these letters, ensure network defenses are up to date and verify there are no active alerts indicating malicious activity. Although these letters are not believed to be linked to legitimate network activity, their delivery could signal previous leaks or compromises.
- Encourage recipients of this mail campaign to report the incident to local law enforcement, including their local FBI Field Office, as appropriate. Complaints can also be submitted to the Internet Crime Complaint Center (IC3).
https://www.bleepingcomputer.com/ne...-notes-mailed-to-us-ceos-in-postal-mail-scam/