Ransomware poseurs are trying to extort businesses through physical letters | CyberScoop<\/title> <meta name=\"description\" content=\"The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/physical-mail-extortion-letters-target-executives\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Ransomware poseurs are trying to extort businesses through physical letters\"> <meta property=\"og:description\" content=\"The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/physical-mail-extortion-letters-target-executives\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-03-07T16:56:15+00:00\"> <meta property=\"article:modified_time\" content=\"2025-03-07T16:56:17+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1149\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1739294329g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1741103813g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83774\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83774\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fphysical-mail-extortion-letters-target-executives%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fphysical-mail-extortion-letters-target-executives%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83774 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/physical-mail-extortion-letters-target-executives\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.953722334004\">\n<div class=\"single-article__header-content\" readability=\"33.076923076923\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/physical-mail-extortion-letters-target-executives\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> The FBI is warning business leaders about the scam perpetrated by an unidentified threat group. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83774\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"383\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters.jpg?resize=640%2C383&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=300,180 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=768,460 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=1024,613 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=1536,919 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=600,359 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=281,168 281w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=563,337 563w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=1128,675 1128w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-2.jpg?resize=1409,843 1409w\" sizes=\"(max-width: 1128px) 100vw, 1128px\"><figcaption> U.S. Postal Service (USPS) trucks are parked at a post office on Aug. 23 in Glendale, California. (Photo by Mario Tama\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"38.044854155201\"><body readability=\"77.43460447526\"><\/p>\n<p>The FBI and threat researchers are warning executives to be on the lookout for physical letters in the mail threatening to leak sensitive corporate data. <\/p>\n<p>The letters, which are stamped \u201ctime sensitive read immediately\u201d and shipped directly to executives through the Postal Service, are part of a <a href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250306-2\">nationwide scam<\/a> designed to extort victims into paying $250,000 to $500,000, the FBI said Thursday.<\/p>\n<p>The unidentified criminal or threat group behind the mail scam is masquerading as <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-136a\">BianLian<\/a>, a prolific ransomware and data extortion group that has attacked multiple U.S. critical infrastructure sectors since June 2022. <\/p>\n<p>Cyber authorities and researchers have not confirmed BianLian\u2019s involvement and believe the letters are an attempt to scam organizations into paying a ransom. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cSeveral inconsistencies \u2014 such as the lack of a contact method for negotiation, absence of proof of data exfiltration and differences in writing style \u2014 suggest this is a fraudulent campaign meant to exploit fear for financial gain,\u201d said Richard Emerson, manager of reactive threat intelligence at Palo Alto Networks\u2019 Unit 42.<\/p>\n<p>Executives have received letters at their personal and business addresses including a QR code linked to a Bitcoin wallet demanding payment within 10 days. The U.S.-based return address originates from an office building in Boston.<\/p>\n<p>Arctic Wolf CISO Adam Marr\u00e9, a former special agent with the FBI, said he\u2019s aware of at least 20 extortion letters linked to this scam, but said other organizations have reported receiving the letters as well. Those observations combined with the FBI\u2019s public service announcement indicates this activity is likely widespread, Marr\u00e9 said.<\/p>\n<p>Health care executives are the most heavily targeted recipients of these letters, with each receiving extortion demands of $350,000 according to Arctic Wolf. <\/p>\n<p>BianLian previously pressured victims into paying a ransom via phone calls, but the use of physical mail for extortion is unique for the threat group and ransomware activity at large.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cA tactic like this is pretty inefficient, having an individual mail letters to organizations one by one,\u201d Marr\u00e9 said. \u201cIt also presents a unique challenge \u2014 there isn\u2019t any contact information for payment issues or correspondence.\u201d<\/p>\n<p>The analog attributes of this scam can have a chilling effect on those targeted, especially for executives who received the threatening letters at their home.<\/p>\n<p>\u201cReceiving a physical letter with a ransom demand can feel more personal and alarming than a digital threat,\u201d Emerson said. \u201cUnlike emails, which can be filtered or ignored, a letter delivered through the postal service creates a sense of direct targeting, potentially increasing the psychological pressure on recipients.\u201d <\/p>\n<p>\u201cPhysical mail adds a different layer of intimidation,\u201d he continued. \u201cIt implies that the sender has access to personal or company-related details, which could make the recipient feel more vulnerable. Additionally, physical letters can bypass cybersecurity defenses, making them harder to detect and prevent compared to email-based extortion attempts.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.854347826087\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/physical-mail-extortion-letters-target-executives\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware poseurs are trying to extort businesses through physical letters<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,323,669,224,46,288],"tags":[286,86,327,671,232,54,294],"class_list":["post-7429","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-extortion","category-federal-bureau-of-investigation-fbi","category-healthcare","category-ransomware","category-threats","tag-cybercrime","tag-cybersecurity","tag-extortion","tag-federal-bureau-of-investigation-fbi","tag-healthcare","tag-ransomware","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal-bureau-of-investigation-fbi\/\" rel=\"category tag\">Federal Bureau of Investigation (FBI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/healthcare\/\" rel=\"category tag\">Healthcare<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7429"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7429\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7429,"date":"2025-03-07T10:56:15","date_gmt":"2025-03-07T16:56:15","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83774"},"modified":"2025-03-07T10:56:15","modified_gmt":"2025-03-07T16:56:15","slug":"ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/03\/07\/ransomware-poseurs-are-trying-to-extort-businesses-through-physical-letters\/","title":{"rendered":"Ransomware poseurs are trying to extort businesses through physical letters"},"content":{"rendered":"