Imposter masquerades as BianLian ransomware group in payment fraud scheme
The primary objective of this advisory is to alert S-RM's key partners to a threat that can result in a client paying a ransom demand to an illegitimate threat actor, resulting in loss of funds.
Background
In March 2025, S-RM’s Incident Response practice identified an ongoing campaign by a threat actor that we believe is impersonating BianLian ransomware group with the aim of soliciting payments from recipients.
Reports indicate that hundreds of executives across the United States have received physical letters alleging network compromise and data theft. These letters, postmarked in late February, featured a stamp reading “TIME SENSITIVE – READ IMMEDIATELY” and listed a return mail address in Boston, Massachusetts.
Figure 1. Redacted Image of Envelope
At this time S-RM cannot confirm the author’s identity. However, S-RM assesses that the letters are highly likely to be false claims impersonating the BianLian ransomware group due to key inconsistencies between the letters and the group’s typical ransom notes.
Imposter letter contents
A redacted version of the fake BianLian ransom note is available below:
Figure 2. Imposter Letter Contents, dated 4 March 2025.
The inconsistencies identified
The letters deviate from typical BianLian ransom notes in the following ways:
- Absence of identified malicious activity in recipient networks: No signs of unauthorized access or malicious behavior have been identified within the networks of recipients supported by S-RM to date. The absence of indicators of compromise suggests it is highly likely that the persons responsible for the notes have not gained access to the targeted networks.
- Delivery via United States Postal Service: Legitimate ransomware groups typically communicate ransom demands digitally, and delivery from within the victim's environment also serves as a standard way of demonstrating a genuine network compromise. Further, the letters included a return address with a physical address in Boston, Massachusetts. This is atypical of cybercriminal groups, which typically go to great lengths to obfuscate their physical location, frequently operating outside of the United States to evade law enforcement action.
- Communication channel deviation: Unlike typical ransom notes, which include multiple means of contacting the group, the letters provided only the group’s publicly available Tor site and no contact information. Instead, the letters explained that the group no longer negotiates ransoms, a significant deviation from other operations, which encourage communication in order to reach negotiated settlements.
- Linguistic inconsistencies: Analysis of the language used in the letters and in previously identified BianLian ransom notes revealed significant differences in English-language proficiency and style, indicating that the letters were likely written by a different author.
- Inclusion of a QR code for bitcoin payments: Although the use of QR codes has increased in digital scams over the past two years, established ransomware operations typically use QR codes as a mechanism to deliver malware or gain initial access rather than to facilitate payments. Further, S-RM has not seen BianLian make use of QR codes to date.
Please contact S-RM if you are concerned about your organization or have any further questions on this development.