Cybercrims now licking stamps and sending extortion demands in snail mail
First crooks gave up encrypting data, and just stole it – now they don't even bother pilfering info. Sheesh!
Updated: Ransomware extortionists are now using letters sent by snail mail to demand payments, without bothering to infiltrate targets’ systems or infect them with malware.
According to infosec consultancy GuidePoint, which has seen several such demand letters, they’re not clichéd magazine-letters-cut-out-and-pasted type of notes. Instead, they’re typed and dispatched by the postal service to members of the "victim" company’s executive team.
The letters state they’re sent by the BianLian ransomware group, according to Grayson North, senior threat intelligence analyst at GuidePoint Security, who told The Register: "To our knowledge, no one has fallen for the fake letters."
The letters inform the recipients their networks have been compromised, sensitive information exfiltrated, and warn that a ransom of $250,000 (£200,000) to $350,000 (£275,000) must be paid within ten days or the data will be released.
The messages include a demand for payment in Bitcoin and thoughtfully include a QR code that links to the wallet to which the crooks suggest victims send the digi-bucks. A Tor link to BianLian's data-leak site is also present, presumably to add credibility to the letters.
Despite the creative effort that went into these demands, GuidePoint’s North and fellow threat analysts Stephen Brzozowski and Hermes Bojaxhi have “a high level of confidence that the extortion demands contained within are illegitimate and do not originate from the BianLian ransomware group.”
North told The Register the security shop doesn't know who is sending these phony letters.
"The spray-and-pray snail mail extortion technique has been in use by actors in the sextortion space recently," he said. "One possibility is that one of these actors is expanding their target set using this technique."
North thinks sending actual letters may be a social engineering tactic. With all the news and warnings of ransomware, some marks may think these demands are the real deal.
"For some, a physical letter may represent a more 'serious' or 'official' threat versus an email or other digital communication," he explained. "Additionally, a physical letter does not have to worry about being blocked by email filters. Assuming they have the correct address for the recipient they can almost guarantee their message is seen."
In its report on the letters, GuidePoint states the envelopes in which they arrive were all marked "TIME SENSITIVE READ IMMEDIATELY" and bear a legitimate stamp.
If a recipient opens the letter, they’ll see the following text:
I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.
The letters also inform recipients that their corporate network is insecure, thus allowing the fake attackers to gain access to the IT environment and data. Whoever is sending these notes says they aren't willing to negotiate, that the ransom demand is the final offer, and warns: "Do not go to the police or the FBI for help."
The letters include a return address in the USA: BianLian Group, 24 Federal Street, Suite 100, Boston MA 02110. That’s a real address for an office building in downtown Beantown.
It should go without saying that if you receive a letter like this, you should not reply and instead alert the cops and, if in the US, the FBI's Internet Crime Complaint Center.
The good news is that, as mentioned above, none of the victims (that we know of) responded to the letter by paying a ransom.
It may be less comforting to know that GuidePoint thinks the senders may have found recipients’ addresses from “historical leaks or compromises."
The letters point to a concerning trend that in recent years has seen extortionists issue personalized demands, extort the customers of victim organizations after stealing their data, and even threaten “swatting” attacks directed at targets’ homes. ®
Updated to add on March 6
The FBI has decided this snail-mail campaign is serious enough for an advisory with advice on steps to take, and Palo Alto Networks' Unit 42 has more details of the scam if you're curious.