
Fake ransomware delivered by postal service
BianLian is a Russia-connected ransomware gang well known to the FBI and to cybersecurity and forensics professionals. They are responsible for scores of costly attacks on high-profile targets.
They typically use Remote Desktop Protocol (RDP) credentials to gain access to target systems, where they establish a secure backdoor and expand access over time, eventually exfiltrating data and announcing their ransom demand.
Extortion, the old-fashioned way?
One thing BianLian members don’t do is employ the US Post Office to deliver their extortion demands. And that’s just one of several reasons why the FBI and others are confident that a recent wave of “ransomware” payment demands sent via physical mail is not associated with BianLian, despite claiming to be.
Targets for these snail-mail payment demands have been executives at various US organizations, primarily in the healthcare sector. Ransom demands range from $250,000 to $500,000, payable in Bitcoin. A QR code for depositing the payment to a crypto wallet is included.
Why snail mail?
Physical letters, unlike malicious or suspect emails, are much more likely to get delivered as intended. After all, "Neither snow nor rain nor heat nor gloom of night stays these couriers from the swift completion of their appointed rounds."
On the other hand, the use of snail mail is a giveaway that they have not, in fact, penetrated or taken control of their victims’ networks as they claim to. If they had, they could certainly get admins’ attention easily without resorting to buying stamps.
How it works
The letters are somewhat personalized but follow a very similar script. The envelopes are stamped “Time Sensitive Read Immediately.” Creating a sense of urgency is a basic element in many scams and frauds.
The letters claim that thousands of sensitive files have been stolen, and that they will be released on BianLian’s dark-web leak site unless a ransom is paid within ten days.
A QR code takes victims to a crypto wallet where they can deposit the ransom.
The letter makes a point of saying that its authors “will not negotiate further with victims.” This is taken as another sign that BianLian is not involved, since that is not their usual policy.
Tips to reduce risk
Protecting your organization against the risk from this type of fraud is mostly a matter of awareness and education.
The FBI recommends that individuals take the following precautions:
Notify corporate executives and the organization of the scam for awareness.
Ensure employees are educated on what to do if they receive a ransom threat.
If you or your organization receives one of these letters, ensure your network defenses are up to date and that there are no active alerts regarding malicious activity.
If you discover you are a victim of BianLian ransomware, please visit our Joint Cybersecurity Awareness Bulletin for recent tactics, techniques, and procedures and indicators of compromise to help organizations protect against ransomware.
A strong program of security awareness training, like that included as part of Barracuda Email Protection, is a good way to reduce your organization’s risk from scams such as this one.
