The FBI has reported that scammers are targeting U.S. executives with fraudulent ransom notes attributed to the BianLian ransomware group.
In a warning issued on Thursday, federal law enforcement agencies alerted business leaders about a new scheme where criminals impersonate the notorious Russian ransomware gang to extort money from companies.
The FBI stated that these scammers are sending letters to corporate executives, claiming they have compromised sensitive data and will release it unless a ransom is paid in Bitcoin.
Marked as “Time Sensitive Read Immediately,” the letter alleges that the “BianLian Group” has infiltrated the company’s network and stolen numerous sensitive files. It threatens that if the recipient does not pay between $250,000 and $500,000 within ten days using a provided QR code linked to a Bitcoin wallet, their data will be published on BianLian’s leak sites. The letter asserts that the group will not negotiate further with victims.
According to the FBI, these letters appear to be an effort to coerce organizations into paying a ransom.
The letters include a return address in Boston, Massachusetts, but the FBI has not confirmed any real connection between the senders and the actual BianLian ransomware group.
Both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have urged anyone who receives such a letter to contact them.
BianLian, which operates from Russia, has been known for targeting charities like Save The Children and healthcare organizations such as Boston Children’s Health Physicians and Amherstburg Family Health Team.
This advisory follows multiple warnings issued by cybersecurity firms regarding the scam. BleepingComputer first reported on this incident, showing images of the letters sent via U.S. Postal Service in Boston.
Cybersecurity firm Arctic Wolf noted that the letters were primarily sent to executives in the U.S. healthcare sector, though the wording and tone varied significantly across different letters.
A representative from Arctic Wolf informed Recorded Future News that they are aware of at least 20 organizations or executives who have received these letters.
All analyzed letters had nearly identical wording and demanded ransoms ranging from $150,000 to $500,000, with healthcare organizations specifically targeted for $350,000.
The letters included QR codes linked to Bitcoin wallet addresses and required payment within ten days. Arctic Wolf confirmed that the links to BianLian’s leak site were legitimate.
The cybersecurity experts noted that in some letters, a compromised password was included in an attempt to lend credibility to the claim. However, all organizations that received the ransom letter showed no signs of a ransomware attack, suggesting this campaign is likely designed to instill fear and trick companies into paying for a non-existent ransomware incident.
Palo Alto Networks’ Unit42 is also investigating similar cases but stated they currently have no evidence confirming that this is genuinely BianLian.
Unit42 pointed out that while the ransomware group has previously used phone calls to pressure victims into paying ransoms, several elements of these letters indicate they may be from impostors rather than the actual BianLian group.
The letters lacked contact information for negotiations, which is typically included in extortion notes, and did not provide any proof that data had been stolen—unlike what is often presented in genuine extortion communications. Additionally, the style of these letters was notably different from the ransom notes usually left by BianLian on victim networks.