
Snail Mail Fail: Fake Ransom Note Campaign Preys on Fear
In early March 2025, GRIT received reports from multiple organizations of suspicious physical letters, mailed from US addresses, delivered to members of their executive teams. The letters, which claim to be from the BianLian ransomware group, state that the recipient’s corporate IT network has been compromised and that sensitive data has been stolen. Mimicking the threats of a “true” ransomware note, the letters state that the stolen data will be leaked 10 days after receipt unless a substantial ransom is paid. The letter instructs the recipient to pay the ransom to an included Bitcoin wallet, and a QR code containing the wallet address makes payment easier. In this specific campaign, we observed ransom demands ranging from $250,000 to $350,000 USD. The authors of the letters take great care to present themselves as the BianLian ransomware group, including providing Tor links to BianLian’s data leak site. While GRIT cannot confirm the identity of the letters’ authors at this time, we assess with high confidence that the extortion demands they contain are illegitimate and do not originate from the BianLian ransomware group.
During our review, multiple indicators within the letters surfaced, raising questions about their legitimacy. Most notably, communication of a ransom demand via the postal service is not something we have previously observed from any legitimate ransomware group; digital communication has long been the standard means of claiming and verifying a network compromise. In addition, the wording and content of this message are inconsistent with ransom notes we have observed from BianLian in the past, containing nearly perfect use of English and featuring longer, more complex sentence structures. The Tor “onion” links provided in the letter do, in fact, point to BianLian’s dark web data leak sites, but these addresses are widely known and tracked by multiple cybersecurity outlets and thus are not indicative of legitimacy. No contact information is provided in the letter, with the sender stating that “we no longer negotiate [ransoms].” This strays from the norm of threat groups asking their victims to discuss extortion demands, typically via email or a dark web chat site, while providing a notional cover for the missing negotiation details that would otherwise be expected. Finally, the Bitcoin wallet addresses included in the notes we observed are all freshly generated, with no ties to any ransomware group, BianLian or otherwise; while this is standard practice for ransom payment wallets across most ransomware groups, it may also serve to obfuscate the sender’s true identity and affiliation.
Most relevant of all, in the cases where these letters have been delivered, we have not observed known or suspected intrusion activity consistent with ransomware operations. Based on the unusual delivery mechanism, the differences in language, the absence of intrusion activity, and the mailing of the letters from US post offices, we have high confidence that this wave of letters is an attempt to deceive and scam executives and organizations into paying a ransom, sight unseen, to actors unaffiliated with the BianLian group.
Letter Indicators
Return address: BIANLIAN GROUP
24 FEDERAL ST, SUITE 100
BOSTON, MA 02110
Envelope is marked “TIME SENSITIVE READ IMMEDIATELY” and stamped with an American flag Forever Stamp.
Letter Contents
Dear [REDACTED]
I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.
How did this happen?
Your network is insecure and we were able to gain access and intercept your network traffic, leverage your personal email address, passwords, online accounts and other information to social engineer our way into [REDACTED] systems via your home network with the help of another employee. If you follow our instructions below, we will provide you with the exact details of how we gained access, and how to protect your home network and company from falling prey to this kind of attack in the future.
What do we want?
We require [REDACTED] in Bitcoin paid to the address below within 10 days of receipt of this letter. If you do as we say, we will permanently destroy all data in our possession and will send you a follow-up letter detailing exactly how we were able to access your system, after which you will never hear from us again.
If you do not comply, all of [REDACTED] sensitive data will be published to our TOR darknet sites, sent to all interested supervisory organizations and the media, distributed via email to all your investors, partners, customers, employees, and other relevant parties, and you can expect collective lawsuits as we will invite various law firms to take up a group case.
What guarantees we will do what we say?
We are not a politically motivated group and we want nothing more than money. Our industry only works if we hold up our end of the bargain. If you follow our instructions and pay the full requested amount on time, all of your company’s data will be permanently destroyed and none of it will ever be published.
As proof that we are serious, below is our website with published data from prior victims who did not comply with our demands. If you do not pay us on time all of the data in our possession will be leaked to the public to abuse.
Download and install Tor Browser from this website: https://www.torproject[.]org
Open one of the below links in Tor Browser
[REDACTED] (Main)
[REDACTED] (Backup)
What should you do now?
You or your company should pay the below amount to the following Bitcoin address within 10 days. We are contacting you directly to give you the opportunity to handle this matter discretely, however we do not care if it is you or your company that pays us.
Required Amount: [REDACTED]
Bitcoin Payment Address: [REDACTED]
Bitcoin Payment QR Code: [REDACTED]
Important
Do not go to the police or the FBI for help. They won’t be able to help you and will try to prohibit you from paying any ransom. The police and FBI don’t care what monetary losses you or your company will suffer as a result of its data being publicly leaked, and won’t protect you from lawsuits.
We no longer negotiate with victims: You have 10 days from the receipt of this letter to pay. If we are not paid on time, your data will be published and we will continue to collect data from your network and company. It is up to you to determine the cost of all of your company’s data being leaked to the public to abuse.
Sincerely,
BIANLIAN GROUP
Recommendations
In response to this threat, GRIT recommends the following course of action:
· Notify executive team members of the existence of this threat so that they are not “caught off guard” if they receive such a letter. Ensure that reporting mechanisms are understood and documented.
· Ensure employees are educated on what to do if they receive a ransom threat, illegitimate or otherwise, by any means.
· If you or your organization receives one of these letters, ensure that your network defenses are up to date and that there are no active alerts regarding malicious activity in your environment. While we do not assess that these letters are tied to legitimate malicious network activity, the identification and delivery of the letters could reflect historical leaks or compromises.
· Recipients of this mail campaign are encouraged to report the incident to local law enforcement, including their local FBI Field Office, as appropriate. Complaints can also be submitted to the Internet Crime Complaint Center (IC3).
· If you suspect a network compromise, contact GuidePoint’s incident response team for assistance.