
A new scam campaign is targeting company executives by mailing fraudulent ransom notes that falsely claim their corporate networks have been breached.
The letters, which impersonate the BianLian ransomware group, demand Bitcoin payments of up to $350,000 under the threat of leaking sensitive company data. However, as GuidePoint security experts have confirmed, these extortion attempts are illegitimate and not linked to any real network compromises.
You have ransom mail
The fraudulent letters were first reported to GuidePoint Research in early March 2025. Multiple organizations informed the cybersecurity firm that members of their executive teams had received physical ransom notes sent from U.S. addresses. The letters claimed that attackers had gained access to company networks, exfiltrated sensitive data, and would leak it in 10 days unless a ransom was paid. To facilitate payments, the letters included a Bitcoin wallet address and a QR code. GuidePoint analyzed the campaign and found that while the letters referenced real Tor links associated with BianLian's data leak sites, other details raised significant doubts about their authenticity.
Key red flags in the letters pointed to a likely scam. Unlike real ransomware operations, which typically communicate via email or encrypted chat, these letters were sent through traditional mail — an unorthodox method for cybercriminals. The writing style also deviated from known BianLian ransom notes, using nearly perfect English with more complex sentence structures. Furthermore, the notes lacked any contact details, instead claiming that the group “no longer negotiates” — a stark departure from the usual ransomware practice of engaging in ransom negotiations. Most critically, the researchers found no evidence of actual cyber intrusions associated with the targeted organizations, suggesting the campaign is purely an attempt to extort money under false pretenses.
No BianLian involvement
BianLian is a well-known ransomware and extortion group that has targeted various industries, including healthcare, finance, and critical infrastructure. Initially operating as a ransomware-as-a-service (RaaS) group, BianLian shifted its focus to extortion-only tactics after cybersecurity researchers developed decryption tools for its malware. The group typically exfiltrates sensitive data and threatens to leak it unless victims comply with their demands. However, the current mail-based extortion campaign does not match BianLian's known tactics, reinforcing the conclusion that the letters are the work of independent scammers.
GuidePoint provided further details on the fraudulent letters, which included a return address in Boston, Massachusetts, labeled as “BIANLIAN GROUP” and marked with “TIME SENSITIVE READ IMMEDIATELY.” The letters falsely claimed that attackers had infiltrated corporate networks via social engineering, intercepted network traffic, and gained access to confidential documents such as payroll reports, tax filings, and investor information. The extortionists warned recipients against contacting law enforcement, insisting that the FBI would be unable to help and would only prevent them from paying the ransom. However, GuidePoint's investigation revealed that all the Bitcoin wallet addresses used in the scam were freshly generated and had no links to any known ransomware groups.
This is yet another example of cybercriminals attempting to create urgency and panic, hoping that fear will lead to quick payments without verification. Organizations should remain vigilant and investigate claims before taking any action. Ultimately, paying the ransom is never the recommended solution, as there are absolutely no guarantees that the stolen data will be deleted or that the blackmail will stop.