Over the past two weeks, corporate executives at various US organizations, primarily in the healthcare sector, have been targeted in a scam campaign involving physical letters.
The letters, purporting to come from the BianLian ransomware group and stamped “Time Sensitive Read Immediately”, allege that the recipient’s organization fell victim to a cyberattack in which thousands of sensitive data files were stolen, a fresh FBI alert reveals.
“The letter then goes on to threaten that the victim’s data will be published to BianLian’s data leak sites if recipients do not use an included QR code linked to a Bitcoin wallet to pay between $250,000 and $500,000 within ten days from receipt of the letter,” the FBI explains.
A “US-based return address of ‘BianLian Group’ originating from Boston, Massachusetts” is included in these letters, the FBI says.
The letters, the agency notes, are an attempt to scam organizations into paying a ransom, and no connection between the senders and the infamous BianLian ransomware and extortion group has been identified yet.
According to cybersecurity firm Arctic Wolf, the threat actor started sending these letters on February 25, and all letters contain nearly identical verbiage, suggesting that the scammers used a template and made only minor changes between the letters.
The letters were sent from Boston, Massachusetts, have a variation of an American flag ‘Forever’ stamp, claim that social engineering was used to compromise the company’s systems, include a QR code to a Bitcoin wallet, and include Tor links to BianLian’s data leak sites.
“In at least two letters, the threat actor included a compromised password within the ‘How did this happen?’ section, almost certainly in an attempt to add legitimacy to their claim,” Arctic Wolf notes.
The cybersecurity firm notes that there is no evidence that targeted organizations were victims of ransomware attacks, suggesting that the letters are meant to “stoke fear and scam organizations” into paying a ransom for an attack that never occurred.
Arctic Wolf also points out that the ransom letters are “drastically different in word usage and tone” compared to the communication and ransom notes previously associated with the BianLian ransomware group.