
Self-Proclaimed “BianLian Group” Uses Physical Mail to Extort Organizations


On or around February 25, 2025, a threat actor claiming to be associated with the BianLian ransomware group began using the United States Postal Service (USPS) to send physical ransom letters to executives, primarily within the US healthcare sector. Notably, when compared with historical BianLian communications and ransom notes, the physical ransom letters are drastically different in word usage and tone. 

All letters reviewed by Arctic Wolf contained nearly identical verbiage and appeared to be templated with just a few minor changes between the letters. 

  • Sent from Boston, Massachusetts; all with some variation of an American flag forever stamp. 
  • Envelopes stamped with “TIME SENSITIVE READ IMMEDIATELY.”
  • Claims that the group had gained access to the company’s systems via social engineering and exfiltrated sensitive data. 
    • No proof supporting the claim was included. 
  • Ransom demands ranged from $150k to $500k (all healthcare organizations received a $350k demand), with Bitcoin payment required within 10 days.
  • QR code containing the Bitcoin wallet address. 
  • Inclusion of legitimate TOR links to BianLian’s data leak sites. 

 

In at least two letters, the threat actor included a compromised password within the “How did this happen?” section, almost certainly in an attempt to add legitimacy to their claim.

All organizations that received the ransom letter had no activity indicative of a ransomware intrusion. It is very likely this campaign is an attempt to stoke fear and scam organizations into paying a ransom for a ransomware intrusion that never occurred. 

Recommendations 

Report Extortion Letters by Submitting an IC3 Complaint

Report the letters you received to local law enforcement by filing a complaint through the Internet Crime Complaint Center (IC3). This process ensures that your report is properly routed to the appropriate FBI field office for further investigation. The FBI is actively monitoring this campaign and is aware of its ongoing activity. 

Communicate Campaign Information to Executives and Employees

Share information about this campaign with employees and executives to enhance awareness and ensure they can quickly recognize and report a potential incident. Providing clear guidance on reporting procedures will help facilitate a swift and effective response. 

 
