Cybercrims now licking stamps and sending extortion demands in snail mail
- Reference: 1741156151
- News link: https://www.theregister.co.uk/2025/03/05/snail_mail_data_release_extortion/
- Source link:
According to infosec consultancy GuidePoint, which has seen several such demand letters, they’re not clichéd magazine-letters-cut-out-and-pasted type of notes. Instead, they’re typed and dispatched by the postal service to members of the "victim" company’s executive team.
The letters state they’re sent by the [1]BianLian ransomware group, according to Grayson North, senior threat intelligence analyst at GuidePoint Security, who told The Register: "To our knowledge, no one has fallen for the fake letters."
The letters inform the recipients their networks have been compromised, sensitive information exfiltrated, and warn that a ransom of $250,000 (£200,000) to $350,000 (£275,000) must be paid within ten days or the data will be released.
The messages include a demand for payment in Bitcoin and thoughtfully include a QR code that links to the wallet to which the crooks suggest victims send the digi-bucks. A Tor link to BianLian's data-leak site is also present, presumably to add credibility to the letters.
Despite the creative effort that went into these demands, GuidePoint’s North and fellow threat analysts Stephen Brzozowski and Hermes Bojaxhi have “a high level of confidence that the extortion demands contained within are illegitimate and do not originate from the BianLian ransomware group.”
North told The Register the security shop doesn't know who is sending these phony letters.
"The spray-and-pray snail mail extortion technique has been in use by actors in the sextortion space recently," he said. "One possibility is that one of these actors is expanding their target set using this technique."
North thinks sending actual letters may be a social engineering tactic. With all the news and warnings of ransomware, some marks may think these demands are the real deal.
"For some, a physical letter may represent a more 'serious' or 'official' threat versus an email or other digital communication," he explained. "Additionally, a physical letter does not have to worry about being blocked by email filters. Assuming they have the correct address for the recipient they can almost guarantee their message is seen."
In its [6]report on the letters, GuidePoint states the envelopes in which they arrive were all marked "TIME SENSITIVE READ IMMEDIATELY" and bear a legitimate stamp.
If a recipient opens the letter, they’ll see the following text:
I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.
The letters also inform recipients that their corporate network is insecure, which supposedly allowed the fake attackers to gain access to the IT environment and data. Whoever is sending these notes says they aren't willing to negotiate, that the ransom demand is the final offer, and warns: "Do not go to the police or the FBI for help."
The letters include a return address in the USA: BianLian Group, 24 Federal Street, Suite 100, Boston MA 02110. That’s a real address for an office building in downtown Beantown.
It should go without saying that if you receive a letter like this, you should not reply and instead alert the cops and, if in the US, the [12]FBI's Internet Crime Complaint Center.
The good news is that, as mentioned above, none of the victims (that we know of) responded to the letter by paying a ransom.
It may be less comforting to know that GuidePoint thinks the senders may have found recipients’ addresses from “historical leaks or compromises."
The letters point to a concerning trend that in recent years has seen extortionists issue [13]personalized demands, extort the customers of victim organizations after stealing their data, and even [14]threaten “swatting” attacks directed at targets’ homes. ®
[1] https://www.theregister.com/2023/05/17/fbi_cisa_bianlian_advisory/
[6] https://www.guidepointsecurity.com/blog/snail-mail-fail-fake-ransom-note-campaign-preys-on-fear/
[12] https://complaint.ic3.gov/
[13] https://www.theregister.com/2025/01/22/ransomware_crews_abuse_microsoft_teams/
[14] https://www.theregister.com/2024/01/05/swatting_extorion_tactics/
Quick, get those letters and envelopes to CSI!
The CSI Team will be able to get some DNA from the Perps (from the licked back of the stamps, of course), and then the CSI Teams will swoop in, guns drawn, and nail these dastardly, foreign (because of course they will be foreign in the current climate) no-gooders. So that the C-Suites can go back to drinking their soy decaf lattes and having affairs with the secretaries in peace!
Advertising
When I get an envelope from some company or address unknown to me, I presume it's some crap advertisement and I throw it, unopened, into the recycle bin at work, or the fire starter box at home.
The phrases, "IMPORTANT TIME-SENSITIVE MATERIAL" and, "YOU MAY BE A WINNER" do not alter this procedure.
What goes around comes around
This is just like the junk mail I used to get regularly thirty years ago: "Hi, we entered you in a European lottery sweepstake and you have won a prize. Just send us £30 to cover our administration costs and we will release your prize money. If you don't respond within a month, your prize money will be shared amongst the other winners." These were usually sent from somewhere in the Netherlands, and apparently, pensioners were quite gullible to this and genuinely thought they would get some money, so responded. Spoiler alert, they didn't get anything.