FBI Warns of Fake Ransomware Extortion Letters Targeting US Executives

A new wave of cyber extortion is taking an old-school approach—sending ransom demands through physical mail. According to an FBI alert, an unknown scam group has been mailing fraudulent ransomware extortion letters to corporate executives, particularly in the healthcare sector, in an attempt to scare organizations into paying massive ransoms.

Fake Ransomware Threats Sent via Snail Mail

Over the past two weeks, executives across the United States have been receiving letters stamped “Time Sensitive Read Immediately,” allegedly from the BianLian ransomware group. The letters claim that the recipient’s company has been hacked, with thousands of sensitive files stolen. The scammers then demand a ransom between $250,000 and $500,000, instructing victims to scan an enclosed QR code linking to a Bitcoin wallet.

However, according to both the FBI and cybersecurity firm Arctic Wolf, these threats appear to be completely fake. No evidence suggests that the targeted organizations were actually breached. Instead, the letters are part of an elaborate fear-driven scam designed to pressure businesses into paying for a non-existent attack.

What the Fraudulent Letters Contain

The fraudulent letters share several key similarities:

• A US-based return address claiming to be from the "BianLian Group" in Boston, Massachusetts.
• A variation of an American flag ‘Forever’ stamp on the envelope.
• Claims that the company’s systems were breached using social engineering tactics.
• A QR code linking to a Bitcoin wallet for ransom payments.
• References to Tor sites allegedly hosting stolen company data.
• In some cases, a previously compromised password is included to add a false sense of legitimacy.

Arctic Wolf notes that all the letters appear to be based on a single template, with only minor modifications. Furthermore, the wording and tone of these extortion attempts are drastically different from the real BianLian ransomware group’s past communications, further proving that these letters are fraudulent.

FBI: “Do Not Pay the Ransom”

The FBI and cybersecurity experts strongly advise organizations not to pay the ransom and to report any received letters immediately. Paying the scammers not only wastes money on a fake threat but may also encourage further extortion attempts.

Organizations that receive these letters should:

1. Report the incident to the FBI’s Internet Crime Complaint Center (IC3) or local law enforcement.
2. Avoid scanning the QR code or interacting with any links in the letter.
3. Conduct a security audit to confirm that no actual breach has occurred.
4. Educate employees about these scams to prevent panic and potential financial losses.

Why this Tactic is Different

While email-based ransomware extortion tactics are common, this physical mail approach is unusual. By sending a tangible letter, the scammers attempt to make their threats feel more serious and urgent. Many executives, unfamiliar with cyber threats, might panic and comply without verifying the legitimacy of the claims.

The Bottom Line

This scam highlights the evolving tactics cybercriminals use to exploit fear and deception. Even though no actual ransomware attack has occurred, organizations must stay vigilant against social engineering tactics and fraudulent extortion attempts.

If you or your company receive such a letter, do not engage with the sender— instead, report it to the authorities and focus on strengthening your cybersecurity defenses.