
BianLian ransom demand hoax circulates via snail mail
The FBI and AHA warned of a ransom demand hoax in which the sender, who communicates through physical letters, claims to be part of the BianLian ransomware group.
The FBI and the American Hospital Association have received multiple reports of a ransom demand hoax in which a bad actor claims to be part of the Russian ransomware group BianLian. According to the reports, which affected hospitals and health systems as recently as early March, victims are receiving these demands through the U.S. Postal Service. The letters have a return address of "BianLian Group" that routes back to Boston.
"We have not yet identified any connections between the senders and the widely-publicized BianLian ransomware and data extortion group," the FBI's Internet Crime Complaint Center assured readers in a public service announcement.
The letters are typically addressed to corporate executives and stamped "Time Sensitive Read Immediately."
Inside, the letters claim that BianLian has stolen sensitive data files from the victim organization and threaten to publish the data on BianLian's leak sites if the victim fails to pay the ransom demand. Each letter even includes a QR code linked to a Bitcoin wallet and demands that the victim pay between $250,000 and $500,000 within ten days of receipt.
Notably, the letters have not included any proof of stolen information.
"It is highly unusual and highly unlikely that a real foreign ransomware group would send hard copy letters through the USPS. I have personally reviewed the letters and discussed the situation with some of the victim organizations and the FBI. The consensus reached was that these extortion attempts were most likely hoaxes," John Riggi, AHA national advisor for cybersecurity and risk, said in an AHA alert on the subject.
"If a healthcare organization receives such a letter it is recommended that they contact their local FBI office and have a report filed with the agency. It is also recommended that the letter and accompanying envelope be handled minimally and preserved in a larger paper envelope for possible fingerprint and forensic examination by law enforcement."
Hazel Hawkins Memorial Hospital (HHMH), a California hospital, said that it received a ransom demand via mail that claimed that an unauthorized party had access to HHMH information systems.
HHMH said it immediately contacted authorities to assess the threat and confirmed that there was no evidence that the letter was tied to an actual ransomware attack. HHMH also did not find any indicators of compromise within its IT environment.
"Information privacy and security are among our highest priorities. Upon learning of this event, we moved quickly to investigate and assess the security of our systems," HHMH CEO Mary Casillas said in a media statement. "We are confident that no data compromise occurred."
The FBI encouraged companies to notify corporate executives of the scam and ensure that employees are educated on how to handle a ransom threat.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.