Business owners and CEOs across the United States received personalized ransomware threats this month from the most unusual of places: the post.
The letters, first reported by multiple online security researchers, claim to come from a ransomware group called BianLian. But since Malwarebytes first began tracking BianLian nearly a year ago, our intelligence analysts have never seen the cybercrime gang resort to sending physical letters to deliver its ransom demands, which suggests the latest snail-mail campaign may be the work of copycats.
The threat, however, is still quite real, especially for small business owners who either handle IT themselves or contract IT services to look into any technical problems.
According to the many examples found by researchers, the letters in this likely fake threat were sent through the US Postal Service. The envelopes containing the letters are stamped with the words "Time Sensitive Read Immediately" and list the following return address:
Bianlian
24 FEDERAL ST, SUITE 100
Boston, MA, 02110
The letters themselves lob a variety of urgent threats at their recipients: their corporate network has been compromised, sensitive customer and employee data has been stolen, and there is an immediate 10-day deadline to pay a cryptocurrency ransom before the stolen data is published on the Internet.
These threats are standard for ransomware groups today, especially those that aim not only to encrypt a company's data but also to steal it during the attack, using it as further leverage to extort a ransom payment. In fact, last year Malwarebytes wrote about BianLian's abuse of an ordinary Microsoft tool to evade security detection while staging massive amounts of data stolen from victims.
But the similarities between the threats in the letters and BianLian's recorded behavior end there. The letters claim that the group will "no longer negotiate with victims," which is a rarity among ransomware gangs. In fact, negotiation is so normalized that a ransomware "negotiation" cottage industry has grown up to help victims caught in an attack. The letters, researchers said, also contain some grammatical errors but better sentence structure than a typical BianLian ransom note.
One of the letters begins, in full:
Dear [REDACTED]
I am sorry to inform you that we have gained access to [REDACTED] systems and over the past few weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports and other sensitive human resources documents, company financial documents, legal documents, investor and shareholder information, invoices and tax documents.
Interestingly, the researchers noticed that some of the letters were personalized to their recipient. If a letter was sent to the CEO of a healthcare organization, for example, it warned of stolen patient data; if the letter was sent to the CEO of a product manufacturer, it warned of stolen customer orders and employee data.
The ransom amounts demanded in the letters ranged from $250,000 to $350,000.
While a "physical" cyberattack may sound silly, these letters can cause significant damage to small and growing businesses.
The personalized letters convincingly threaten network compromise, password abuse, employee exploitation, and data theft, all of which can be difficult for a lean organization to verify. Think about it this way: if the average person would struggle to check whether their home router had been compromised, many small business owners would struggle just as much to check their corporate infrastructure, and that is no fault of theirs.
If you receive one of these letters in the mail, notify your IT or security team immediately. They can carry out the investigation needed to verify that your business is secure.
Whether you have dedicated IT staff or not, you can protect your small business with Malwarebytes Teams, which prevents malware attacks and alerts you to suspicious activity on your network.