Snailmail Is the Oldest New Ransomware Threat

Ransomware extortionists have a new tactic that seems old-fashioned: snailmail. Letters are sent through the postal system to company managers demanding ransom payments without actually infiltrating their systems or deploying malware.

Jessica Lyons reports in The Register that several such letters have been sent to targeted companies, falsely claiming that sensitive data has been stolen.

The letters, allegedly from the BianLian ransomware group, demand Bitcoin payments of $250,000 to $350,000 and threaten to release the data if the payment isn’t made.

GuidePoint analysts are confident that these extortion attempts are not genuine and are not linked to the real BianLian ransomware group. One noted that the physical letter tactic resembles recent “sextortion” scams, where bad actors use social engineering to create a sense of urgency.

Unlike email-based threats, physical letters bypass spam filters, increasing the recipient’s likelihood of seeing them. The letters are marked “TIME SENSITIVE READ IMMEDIATELY” and bear real stamps, adding to their apparent legitimacy.

The letters claim that company networks have been breached and sensitive data, including customer and employee information, financial records, and legal documents, has been stolen.

The senders state that the ransom is non-negotiable and warn against involving law enforcement. None of the targeted companies are known to have paid the ransom.

The FBI and cybersecurity firms like Palo Alto Networks have issued advisories on this snailmail scam, advising recipients to report the letters rather than respond to them. GuidePoint thinks the scammers may be working a list of recipients’ addresses from “historical leaks or compromises.”

Lawyers should be aware of this tactic and advise clients to establish protocols for handling suspicious correspondence. If a letter is received, it should be reported to law enforcement. Additionally, firms should consider monitoring for potential data leaks that could be used to target their staff or clients.