
FBI warns of fake ransomware mail targeting senior execs - here’s what to look for

No connections identified between letter-senders and ransomware group

A letter stamped "TIME SENSITIVE READ IMMEDIATELY" with a return address for "BianLian Group" in Boston. Execs in the US are warned the "time sensitive" letters cannot be linked to the actual BianLian group. Image credit: S-RM

Senior executives in the US have been deluged with extortion letters that appear to come from the ransomware group BianLian, but the FBI has advised they are unlikely to be connected to any real-world breach.

Recipients of the letters were told they needed to pay between $250,000 and $500,000 to a bitcoin address before the sender would “permanently destroy all data in our possession.”

The FBI’s advisory, published through its Internet Crime Complaint Center (IC3), said it had “not yet identified any connections between the senders and the widely-publicized BianLian ransomware and data extortion group.”

GuidePoint Security warned about the scam earlier this week, and irregularities such as the use of physical letters led most experts to conclude it was not legitimate.

The US Cybersecurity and Infrastructure Security Agency (CISA) describes the real BianLian group as a "data extortion cybercriminal group" which is "likely based in Russia".

Since 2022, the group has affected organisations in "multiple US critical infrastructure sectors", as well as similar industries in Australia.

How to identify a real ransomware threat

David Sancho, Senior Threat Researcher at IT security company Trend Micro, told The Stack that threats without evidence of data possession are often “devoid of any real substance”.

He said: “The only way for an attacker to prove they have the private data they claim to have stolen is to show part of that data.

“They usually do this by sending a screenshot of a folder with filenames of internal documents and/or real information (emails, source code or anything that should never have left the company).”


The use of a QR code to direct recipients of the letter to a bitcoin address was also flagged as unusual by experts, with cyber consultancy S-RM saying this payment method is rare in ransomware extortion and that BianLian in particular is not known to use QR codes.

Separately, while the links to "prior victims" included in the letter did lead to actual BianLian-connected sites, those pages are widely known in the cybersecurity community and could have been linked to by anyone familiar with the group.

Additionally, the letter’s return address in Boston, Massachusetts was described as “atypical of cybercriminal groups which typically go to great lengths to obfuscate their physical location”, S-RM said.

The FBI’s advisory did not identify how many execs had received the letter, or if any companies had ended up paying out, but Sancho said “this sounds too far-fetched to have a real impact on most companies that can pay that much money.”
