On or around February 25, 2025, a threat actor claiming to be connected to the BianLian ransomware group began using the United States Postal Service (USPS) to send physical ransom letters to executives, primarily in the US healthcare sector. Notably, compared to historical BianLian communications and ransom notes, these physical ransom letters differ significantly in word choice and tone.
All letters reviewed by T3CHNOLOGY had nearly identical wording and appeared to be templated, with only a few minor alterations between them. Their common features and variations were as follows:
- Sent from Boston, Massachusetts; all with some variation of an American flag forever stamp.
- Envelopes stamped with TIME SENSITIVE READ IMMEDIATELY
- Claims that the group had gained access to the company’s systems via social engineering and exfiltrated sensitive data.
- No proof supporting the claim was included.
- Ransom demands ranged from $150k to $500k (all healthcare organizations were $350k), with Bitcoin payment required within 10 days.
- QR code containing the Bitcoin wallet address.
- Inclusion of legitimate TOR links to BianLian’s data leak sites.
In at least two letters, the threat actor included a compromised password in the “How did this happen?” section, likely to add legitimacy to their claim. All organizations that received the ransom letter showed no signs of a ransomware intrusion. It is highly probable that this campaign aims to instill fear and scam organizations into paying a ransom for an intrusion that never took place.
Expect these letters and the methods used to change over time, including but not limited to requiring Signature on Delivery or being delivered via UPS, FedEx, DHL or other carriers.
If you receive such letters by mail, please report them to local law enforcement by submitting a complaint through the Internet Crime Complaint Center (IC3). This process ensures that your report is properly routed to the appropriate FBI field office for further investigation. The FBI is actively monitoring this campaign and is aware of its ongoing activities.
IC3 article: https://www.ic3.gov/PSA/2025/PSA250306-2