Scammers are impersonating the BianLian ransomware gang by sending fake ransom notes to US companies via snail mail through the United States Postal Service.
Today, GuidePoint Security first reported these fraudulent ransom notes, and later, a CEO who received the same letter sent a scan of it to BleepingComputer.
The envelopes for these ransom notes, labeled as from the “BIANLIAN Group,” list a return address in an office building in Boston, Massachusetts:
BIANLIAN GROUP
24 FEDERAL ST, SUITE 100
BOSTON, MA 02110
In the letter shared with BleepingComputer, the envelope indicates it was mailed on February 25th, 2025. Notably, this mailing date matches the one observed by Arctic Wolf, who also reported on the scam today.
These letters target company CEOs at their corporate mailing addresses and pass through a postal facility in Boston. The envelopes prominently display the warning: “Time Sensitive Read Immediately.”
[Image: Envelope for fake BianLian ransom note. Source: BleepingComputer]
Each envelope contains a ransom note addressed to the company’s CEO or another executive, falsely claiming to come from the BianLian ransomware operation. According to notes reviewed by BleepingComputer, scammers tailor these messages to the company’s industry, specifying different types of allegedly stolen data based on the business’s activities.
For instance, fake BianLian ransom notes sent to healthcare companies claim that patient and employee information was compromised. Meanwhile, those targeting product-based businesses allege the exposure of customer orders and employee records.
One such fake ransom note reads:
“I regret to inform you that we have gained access to [REDACTED] systems and, over the past several weeks, have exported thousands of data files. These include customer order and contact information, employee details with IDs, SSNs, payroll reports, and other sensitive HR documents, as well as company financial records, legal documents, investor and shareholder information, invoices, and tax documents.”
[Image: Fake BianLian ransom note sent via snail mail. Source: GuidePoint Security]
The mailed ransom notes differ significantly from BianLian’s actual communications, but scammers attempt to make them appear convincing by including the ransomware group’s real Tor data leak sites.
Unlike typical ransomware demands, these fake notes claim that BianLian no longer negotiates with victims. Instead, they warn that the targeted company has just 10 days to make a Bitcoin payment to prevent data from being leaked.
Each ransom note specifies a payment amount ranging between $250,000 and $500,000, along with a newly generated Bitcoin address and a QR code for the transaction.
According to Arctic Wolf, all healthcare organizations received a ransom demand of $350,000—the same amount shared by a healthcare company with BleepingComputer, as shown below.
[Image: Payment information in fake BianLian ransom note. Source: BleepingComputer]
Arctic Wolf also reports that two of the ransom notes their researchers reviewed included legitimate compromised passwords, likely to make the threats appear more credible.
“In at least two letters, the threat actor included a compromised password within the ‘How did this happen?’ section, almost certainly in an attempt to add legitimacy to their claim,” explained Arctic Wolf.
Despite these tactics, security experts agree that the ransom notes are fake and serve only to intimidate executives into paying, as there are no signs of an actual breach.
“While GRIT cannot confirm the identity of the letter’s authors at this time, we assess with a high level of confidence that the extortion demands contained within are illegitimate and do not originate from the BianLian ransomware group,” stated GuidePoint Security researcher Grayson North.
However, this does not mean companies should ignore the scam. Given the widespread mailing of these letters, IT and security administrators should inform executives about the hoax to prevent unnecessary panic and wasted resources.
These fake ransom notes mark an evolution of the email extortion scams that have surged in popularity since 2018. Rather than targeting individuals through personal emails, scammers now focus on corporate CEOs.
BleepingComputer reached out to the BianLian ransomware operation to determine whether they were involved in these mailings, but no response was immediately available.
Source: BleepingComputer, Lawrence Abrams