Federal law enforcement agencies are warning business executives of a new scam involving criminals using the name of a prominent Russian ransomware gang to extort companies.
In an alert on Thursday, the FBI said scammers are mailing letters to corporate executives claiming that they stole sensitive data and will publish it unless a demand is paid in Bitcoin.
“Stamped ‘Time Sensitive Read Immediately,’ the letter claims the ‘BianLian Group’ gained access into the organization’s network and stole thousands of sensitive data files,” the FBI said.
“The letter then goes on to threaten that the victim’s data will be published to BianLian’s data leak sites if recipients do not use an included QR code linked to a Bitcoin wallet to pay between $250,000 and $500,000 within ten days from receipt of the letter, claiming the group will not negotiate further with victims.”
The FBI said it believes the letters are an attempt to force organizations into paying a ransom.
The letters have a return address based in Boston, Massachusetts, and the FBI said it is still unclear whether there is any actual connection between the people behind the letters and the BianLian ransomware gang.
Both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) encouraged anyone who received the letter to contact them.
The Russia-based BianLian ransomware gang is known for attacks on charities like Save the Children as well as healthcare firms like Boston Children’s Health Physicians and Amherstburg Family Health Team.
The advisory comes after multiple cybersecurity firms released their own warnings about the campaign this week. BleepingComputer first reported on the incident, sharing a photo of the alleged letters sent through the U.S. Postal Service in Boston on February 25.
Cybersecurity firm Arctic Wolf said the letters were being sent to executives primarily within the U.S. healthcare industry but noted that the language used in the letters can be “drastically different in word usage and tone.”
A spokesperson for the company told Recorded Future News that Arctic Wolf is aware of at least 20 organizations or executives who have received these letters.
All of the letters reviewed by Arctic Wolf had nearly identical language and demanded ransoms between $150,000 and $500,000. All of the healthcare organizations targeted got $350,000 ransom demands.
The letters had QR codes to Bitcoin wallet addresses and demanded payment within 10 days. The links to BianLian’s leak site were legitimate, according to Arctic Wolf.
“In at least two letters, the threat actor included a compromised password within the ‘How did this happen?’ section, almost certainly in an attempt to add legitimacy to their claim,” the cybersecurity experts said. “All organizations that received the ransom letter had no activity indicative of a ransomware intrusion. It is very likely this campaign is an attempt to stoke fear and scam organizations into paying a ransom for a ransomware intrusion that never occurred.”
Palo Alto Networks’ Unit 42 said it was also investigating similar incidents but noted that they “currently have no evidence confirming this is actually BianLian.”
Unit 42 said the ransomware gang was known in the past for using phone calls after their attacks to pressure victims into paying ransoms but said “several aspects of these letters suggest they are not the actual threat actor known as BianLian, but an imposter.”
“These letters did not provide a means to contact the threat actor for negotiations, which is often a central piece of any extortion note,” the researchers said.
“Additionally, the letters did not provide any evidence data was actually exfiltrated, which is sometimes provided with an extortion note or during further contact with the threat actor.”
The letters also differed greatly from the ransom notes the gang typically leaves on victim networks.
Experts at a website called SuspectFile claimed they spoke to alleged BianLian ransomware actors who denied any involvement in the mail campaign.