{"id":2211,"date":"2025-03-05T17:39:44","date_gmt":"2025-03-05T17:39:44","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2211"},"modified":"2025-03-05T17:39:44","modified_gmt":"2025-03-05T17:39:44","slug":"ransomware-goes-postal-us-healthcare-firms-receive-fake-extortion-letters","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2211","title":{"rendered":"Ransomware goes postal: US healthcare firms receive fake extortion letters"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In late February, healthcare organizations across the US started receiving extortion demands by mail claiming that their organization\u2019s data had been stolen in a ransomware attack and giving them 10 days to respond.<\/p>\n<p>According to the letters, printed on paper and delivered in envelopes purporting to be from the BianLian ransomware group, the data would be leaked unless the organization paid a ransom of between $250,000 and $350,000 in Bitcoin.<\/p>\n<p>Now for the good news: the breaches appear never to have happened, and the letters are almost certainly fake. 
Two security vendors that have studied the letters, Arctic Wolf and Guidepoint Security, now believe that the whole letter-writing campaign is a ruse by someone pretending to be BianLian, one of the ransomware industry\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/1312926\/bianlian-group-exploits-teamcity-again-deploys-powershell-backdoor.html\">up-and-coming threat groups<\/a>.<\/p>\n<p>The strange incident, which targeted healthcare organizations, is a reminder that ransomware today is really two industries: a larger one that carries out the serious attacks everyone hears about, and a much smaller and less publicized one that tries to impersonate them.<\/p>\n<p>But how can organizations distinguish a real attack with menaces from an entirely simulated one?<\/p>\n<p>Judging from published examples, not easily, at least for a non-expert. The letters had Boston postmarks and a city-center return address, links to Tor data leak sites associated with BianLian and, in two cases, an example of what was claimed to be a compromised password.<\/p>\n<p>\u201cWe are not a politically motivated group and we want nothing more than money. Our industry only works if we hold up our end of the bargain,\u201d stated the attackers in a <a href=\"https:\/\/www.guidepointsecurity.com\/blog\/snail-mail-fail-fake-ransom-note-campaign-preys-on-fear\/\">letter analyzed by Guidepoint Security<\/a>.<\/p>\n<p>\u201cIf you follow our instructions and pay the full requested amount on time, all of your company\u2019s data will be permanently destroyed and none of it will ever be published,\u201d the letter continued.<\/p>\n<h2 class=\"wp-block-heading\">Something phishy<\/h2>\n<p>A clue that something is amiss is simply that the attackers would use a letter to communicate. 
There is no record of this tactic being used before by organized ransomware groups such as BianLian, and for good reason: sending demands by post is unreliable and very slow.<\/p>\n<p>Letters sent to multiple organizations were also identical to one another, <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/self-proclaimed-bianlian-group-uses-physical-mail-to-extort-organizations\/\">Arctic Wolf noted<\/a>, apart from small variations tailoring the text to each recipient. This is the same approach used by mass-mailed phishing emails and smacks of opportunism. The letters also refused to negotiate and offered no channel for doing so. In ransomware circles, that is almost unheard of.<\/p>\n<p>That said, sending demands by letter does have one useful characteristic: they are not filtered by spam systems, which makes them more likely to be read by someone. It is a form of social engineering that works on volume: if even one company in a thousand falls for the tactic, the payday makes the effort worthwhile.<\/p>\n<p>If stolen credit cards are used to pay for postage, the campaign is probably also cheap or even free, with the letters themselves sent via print-to-mail services that feed them into the US Postal Service.<\/p>\n<h2 class=\"wp-block-heading\">Phantom extortion<\/h2>\n<p>Ransomware impersonation is nothing new. 
In 2019, organizations across the US <a href=\"https:\/\/www.coveware.com\/blog\/2019\/11\/19\/phantom-incident-extortion-scam-threatens-release-of-corporate-pii\">reportedly received emails<\/a> deploying the same fake-breach <em>modus operandi<\/em> as the recent letter writers \u2013 \u2018<em>pay up now because we have your data\u2019.<\/em> In truth, such campaigns are probably commonplace but are dismissed as obvious ruses and rarely reported on.<\/p>\n<p>However, by 2023 the tactic had <a href=\"https:\/\/ransomware.org\/blog\/could-your-ransomware-attack-be-a-phantom\/\">evolved into something<\/a> more sophisticated, with a separate campaign backing up its bogus threats by attaching snippets of genuine data culled from dark web trawls. This raises a disturbing possibility: the organization <em>has<\/em> been breached, but the group threatening it is not the one that carried out the attack.<\/p>\n<p>The underlying question is how organizations should defend themselves, in practical terms, against yet another fraud tactic.<\/p>\n<p>\u201cAttacks like this are unlikely to succeed in the majority of cases, but the perpetrators only have to have a small number of victims fall for it for it to be a big pay day for them,\u201d cybersecurity expert Graham Cluley said via email.<\/p>\n<h2 class=\"wp-block-heading\">Developing defenses<\/h2>\n<p>The first line of defense against this type of attack is simply to develop a process for dealing with it, he said. Incidents like this should be reported internally to increase awareness of the scammers\u2019 techniques. At the same time, every ransom threat should be reported to the IT team as well as to the security companies supporting the organization.<\/p>\n<p>Genuine attackers typically include evidence of exfiltration in the form of samples of the stolen data. However, organizations need to be careful that they are not being tricked with data obtained elsewhere:<\/p>\n<p>\u201cThese protocols include verifying the authenticity of any ransom demands. 
It is important to establish whether that data could have been stolen in an earlier data breach or may have been collected from a different third-party source,\u201d said Cluley.<\/p>\n<p>Cluley also stressed the need for organizations to have a response plan that can assess the possibility of a genuine breach while also engaging with law enforcement.<\/p>\n<p>\u201cThere should be named members of staff in your plan who coordinate communications with any potential extortionist, and who ensure that all relevant departments are involved in any important decisions. Make sure that you engage with law enforcement. If you have received a fake ransom snail-mail, chances are that other businesses have as well,\u201d said Cluley.<\/p>\n<p>Ransom demands are always designed for their shock value, agreed John Shier, Field CISO at security vendor Sophos. Sending a demand by letter is unusual, but that might be the point.<\/p>\n<p>\u201cTeams need to bring awareness of this latest scam to their leadership. If an organization receives a letter, they shouldn\u2019t panic, but they still need to investigate if there is any basis to the claim,\u201d he said.<\/p>\n<p>\u201cAt the very least, companies should review network logs for any unauthorized access and large data transfers that don\u2019t conform to normal patterns. While it appears that the letters are fake, some basic due diligence needs to be performed to rule out a data breach,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In late February, healthcare organizations across the US started receiving extortion demands by mail claiming that their organization\u2019s data had been stolen in a ransomware attack and giving them 10 days to respond. 
According to the letters, printed on paper and delivered in envelopes purporting to be from the BianLian ransomware group, the data would [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2212,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2211"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2211"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2211\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2212"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
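Shier's advice in the article above, to review network logs for large data transfers that don't fit normal patterns, comes down to comparing each host with its own baseline. The following is an added example written for this page; it is not code from the article, from Sophos, or from the vendors the article cites. It runs over a constructed, Zeek conn.log-style set of flow records (the external addresses are from documentation ranges, the hosts and byte counts are made up) and flags any day on which an internal host sent far more to external addresses than its own median day, then lists the external destinations it had never contacted before that day.

```python
"""Baseline-based egress review over flow logs.

Added example for this article (not the quoted vendors' code). Input is a
constructed, Zeek conn.log-style record set; external addresses are taken
from documentation ranges, so nothing here points at a real network.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Iterator

# Constructed sample, tab-separated: epoch_ts  src_ip  dst_ip  dst_port  orig_bytes
# (orig_bytes = bytes the source sent). Days 2025-02-20 .. 2025-02-24 UTC.
# Host 10.20.1.15 sends a few MB a day, then 41 GB to a never-seen address on
# the last day; the first-day SMB flow is internal and must not count as egress.
SAMPLE_FLOWS = """\
1740009600\t10.20.1.15\t10.20.1.5\t445\t52428800
1740009600\t10.20.1.15\t203.0.113.10\t443\t8400000
1740096000\t10.20.1.15\t203.0.113.10\t443\t9100000
1740182400\t10.20.1.15\t203.0.113.20\t443\t7700000
1740268800\t10.20.1.15\t203.0.113.10\t443\t8900000
1740355200\t10.20.1.15\t198.51.100.77\t443\t41000000000
1740009600\t10.20.1.22\t203.0.113.10\t443\t1200000
1740096000\t10.20.1.22\t203.0.113.10\t443\t1300000
1740182400\t10.20.1.22\t203.0.113.20\t443\t1100000
1740268800\t10.20.1.22\t203.0.113.10\t443\t1250000
1740355200\t10.20.1.22\t203.0.113.10\t443\t1400000
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _egress_records(flow_text: str) -> Iterator[tuple[str, str, str, int]]:
    """Yield (utc_day, src, dst, bytes) for internal -> external flows only."""
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, _port, orig_bytes = line.split("\t")
        if not is_internal(src) or is_internal(dst):
            continue  # lateral/internal traffic is not egress
        day = datetime.fromtimestamp(int(ts), tz=timezone.utc).date().isoformat()
        yield day, src, dst, int(orig_bytes)


def daily_egress(flow_text: str) -> dict[str, dict[str, int]]:
    """Bytes each internal host sent to external addresses, per UTC day."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, sent in _egress_records(flow_text):
        totals[src][day] += sent
    return totals


def egress_outliers(flow_text: str, factor: float = 5.0,
                    min_bytes: int = 100_000_000) -> list[tuple[str, str, int, float]]:
    """(host, day, bytes, ratio) for days where a host's egress is at least
    `factor` times its own median day and at least `min_bytes`.

    Comparing each host with its own median (which the outlier day barely
    moves) avoids flagging a busy file server just for being busier than
    workstations, and `min_bytes` keeps a quiet host's 5x blip from paging anyone.
    """
    hits = []
    for host, days in daily_egress(flow_text).items():
        baseline = median(days.values())
        if baseline == 0:
            continue
        for day, sent in sorted(days.items()):
            if sent >= min_bytes and sent / baseline >= factor:
                hits.append((host, day, sent, round(sent / baseline, 1)))
    return hits


def first_seen_destinations(flow_text: str, host: str, day: str) -> list[str]:
    """External addresses `host` contacted on `day` but never on an earlier day;
    a new destination on an anomalous day is where to pull proxy logs or PCAP."""
    seen_before, on_day = set(), set()
    for d, src, dst, _sent in _egress_records(flow_text):
        if src != host:
            continue
        if d < day:        # ISO dates sort lexicographically
            seen_before.add(dst)
        elif d == day:
            on_day.add(dst)
    return sorted(on_day - seen_before)


if __name__ == "__main__":
    for host, day, sent, ratio in egress_outliers(SAMPLE_FLOWS):
        new = first_seen_destinations(SAMPLE_FLOWS, host, day)
        print(f"{host} {day}: {sent / 1e9:.1f} GB out, {ratio}x median; new destinations: {new}")
```

On the sample this flags only 10.20.1.15 on 2025-02-24, with 198.51.100.77 as a destination never contacted before. In a real review the input would be firewall, NetFlow or Zeek exports over a baseline of weeks rather than days, and a hit is a prompt to investigate, not proof of a breach, which is the article's point: the letters look fake, but the check still has to be done.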