2025-03-04-group-likely-impersonating-BIanLian.md

File metadata and controls

144 lines (76 loc) · 9.59 KB

2025-03-04 (Tuesday): Group Claiming to Be BianLian Sends Paper-Based Extortion Letters via Postal Service

Author

  • Richard Emerson

References

Notes

We are investigating paper-based extortion letters mailed through the postal service to multiple executives at US-based organizations. These letters claim to be from the threat actor we track as Bitter Scorpius, publicly known as BianLian. However, we currently have no evidence confirming that the sender is actually BianLian. In the letters, the threat actor demands a ransom to prevent the disclosure of allegedly exfiltrated data. The letter instructs the recipient to pay within 10 days to a Bitcoin wallet address listed in the letter, or else the threat actor will leak the stolen data on the BianLian leak site. The letter lists Tor links for BianLian's leak site to add legitimacy to the claims. Extortion amounts range from 200,000 to 500,000 US dollars, and the Bitcoin wallet address has differed in each letter.

While BianLian has at times used phone calls to pressure victims into paying the ransom, several aspects of these letters suggest they are not the actual threat actor known as BianLian, but an imposter.

These letters did not provide a means to contact the threat actor for negotiations, which is often a central piece of any extortion note. Additionally, the letters did not provide any evidence data was actually exfiltrated, which is sometimes provided with an extortion note or during further contact with the threat actor. Finally, the organizations targeted were not aware of any active or recent incidents involving data exfiltration the letters could be referring to.

Additionally, the composition of the extortion note differs significantly from more recent notes dropped by BianLian in confirmed incidents (see examples below). Previously confirmed BianLian extortion notes instruct victims to contact the threat actor using Tox messenger or via an Onionmail account. Furthermore, the actual BianLian group has at times provided evidence of specific folders or systems exfiltrated in the extortion note itself. Finally, the language in BianLian notes uses more broken English than the relatively well-formatted and well-written paper-based letters we have investigated.

Unit 42 will continue to monitor the situation, and we recommend organizations contact law enforcement if they receive one of these physical letters.

Example of Recently Confirmed Extortion Note from BianLian Ransomware (Published in CISA Advisory)

This report is left in <redacted> internal network.

Just by quickly reviewing your files we found confidential data. The files on your desktop are of that kind.

Leaking of folders like "Personal Data" is a disclosure of personal and medical information of people that intrusted you to keep it. If this leak will take place they will have to monitor their credit history and identity theft for next 3 years.

Folders like "Business files" discloses detailed financial information, supply chain and other business information. Company competitors would be interested to get it.

Spreading files like 'SQL' discloses all the company information exfiltrated from SQL data bases. 

Files <redacted> is screenshot made while operating in your network. It's only an example of one among many others that we have made as proof of our job, and as a proof of vulnerability of your network.

File <redacted> is a screen shot made from opened email archive. 

Those are just examples for you to understand your near prospect.

FAQ.

- Who are you?

- BianLian team. Financial motivation only.

Our website: hxxp://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad[.]onion (access through tor browser)

Mirror: hxxp://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd[.]onion

- What will happen next?

Path number 1:

  In 3 days we will start emailing and calling your partners and employees with notes of your company's breach and announce this data leak at our website.

  During this time your data will be sorted and prepared to be published.

  After that your data will be uploaded, your competitors, partners, clients, authorities, lawyer and tax agenesis would be able to access it. We will start mailing and calling your clients. 

 Or that will not happen, If we will close this deal in time!!! 

- What should i do? 

  Embrace it and pay us. After that your data will be erased from our systems, with proof's provided to you. Also you might request your network improvement report. 

- What should i NOT do? 

  1. Don't do any silly things, don't treat it lightly too. We got proofs that your data was kept with a number of data security violations of data breach laws. The penalty payments would be huge if we will anonymously sent our briefs and notes about your network structure to the regulators. 

  2. Based on your position in the company call your management to speak. DO NOT try to speak speak instead of your superiors, based on our experience, that may lead to disaster. 

  - Why this happened?

  - Your network and data were not secure enough. We took advantage of it. 

  - What else should i know: 

  Our business depends on the reputation even more than many others. If we will take money and spread your information- we will have issues with payments in future. So, we will stick to our promises and reputation. That works in both ways: if we said that we will email all your staff and publicly spread all your data- we will. 

Contact us using "Tox" messenger. 

The contact of the user that you should add for further instructions: 88A612B3887D57A7FA3D48F5E3EDF952E4BE48E0972FC6456FBBCFF198CC8620E5609ED2D598 

Link to download "Tox" messenger: hxxps://github[.]com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe 

Alternative way: N0torious@onionmail[.]org 

Your ID: <redacted>

Now you should contact us.

Link to CISA Advisory

Text From a Recent Paper-Based Letter Received by a US Organization

Dear REDACTED,

I regret to inform you that we have gained access to REDACTED systems and over the past several weeks have exported thousands of data files, including sensitive client information including payment details, employee information including IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, invoices, and tax documents.

How did this happen?

Your network is insecure and we were able to gain access and intercept your network traffic, leverage your personal email address, passwords, online accounts and other information to social engineer our way into REDACTED systems via your home network with the help of another employee. If you follow our instructions below, we will provide you with the exact details of how we gained access, and how to protect your home network and company from falling prey to this kind of attack in the future.

**What do we want?**

We require $500,000 in Bitcoin paid to the address below within 10 days of receipt of this letter. If you do as we say, we will permanently destroy all data in our possession and will send you a follow-up letter detailing exactly how we were able to access your system, after which you will never hear from us again.

If you do not comply, all of REDACTED sensitive data will be published to our TOR darknet sites, sent to all interested supervisory organizations and the media, distributed via email to all your investors, partners, customers, employees, and other relevant parties, and you can expect collective lawsuits as we will invite various law firms to take up a group case.

What guarantees we will do what we say?

We are not a politically motivated group and we want nothing more than money. Our industry only works if we hold up our end of the bargain. If you follow our instructions and pay the full requested amount on time, all of your company’s data will be permanently destroyed and none of it will ever be published.

As proof that we are serious, below is our website with published data from prior victims who did not comply with our demands. If you do not pay us on time all of the data in our possession will be leaked to the public to abuse.

  • Download and install Tor Browser from this website: hxxps://www[.]torproject[.]org
  • Open one of the below links in Tor Browser
    • bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad[.]onion (Main)
    • bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd[.]onion (Backup)

What should you do now?

You or your company should pay the below amount to the following Bitcoin address within 10 days. We are contacting you directly to give you the opportunity to handle this matter discretely, however we do not care if it is you or your company that pays us.

Required Amount: $500,000

Bitcoin Payment Address: REDACTED

Bitcoin Payment QR Code: REDACTED

Important

Do not go to the police or the FBI for help. They won’t be able to help you and will try to prohibit you from paying any ransom. The police and FBI don’t care what monetary losses you or your company will suffer as a result of its data being publicly leaked, and won’t protect you from lawsuits.

We no longer negotiate with victims. You have 10 days from the receipt of this letter to pay. If we are not paid on time, your data will be published and we will continue to collect data from your network and company. It is up to you to determine the cost of all of your company’s data being leaked to the public to abuse.

Sincerely,

BIANLIAN GROUP