In May 2025, Barracuda reported on a new phenomenon – scammers sending physical letters with ransom demands. Victims, mainly in the healthcare sector, receive correspondence signed by purported representatives of the ransomware group BianLian. The letters contain threats to expose data and a QR code to pay the ransom. This type of action is a novel combination of digital and analog methods, aimed at causing severe stress and a quick response.
Key findings
-
Fake ransom demand letters hit companies via snail mail
-
Criminals are impersonating well-known ransomware groups, including BianLian
-
The letter includes requests for payment in Bitcoins and a QR code
-
Lack of technical evidence of violation indicates attempted fraud
Table of contents
-
New form of attack: letter instead of e-mail
-
Analysis of letter content and methods of action
-
Is it really the BianLian group?
-
How to protect your business – Barracuda recommendations
-
Summary and recommendations
1. new form of attack: letter instead of e-mail
Cybercriminals are increasingly turning to non-obvious ways to confuse victims and bypass digital security filters. A physical letter evokes more emotion than an email – it looks serious and can be taken as a real threat. By including a QR code in the letter, the victim can quickly move on to payment without analyzing the threat. This approach is based on time pressure and a sense of helplessness in the recipient.
2. analysis of letter content and method of action
The letters include demands for payment of large sums in Bitcoin, allegedly in exchange for non-disclosure of data. Criminals threaten to disclose employee or patient data, even though they have no evidence of actually obtaining it. The threats are phrased in a manner reminiscent of professional ransomware operations, which can be misleading. The lack of technical details, server addresses or examples of data suggests that this is a phony extortion attempt.
3. is it really the BianLian group?
The BianLian group is known for its sophisticated attacks, exploiting vulnerabilities in systems and actual data theft. In the case of the fake letters, none of these features have been confirmed. Also missing is the typical communication infrastructure of the group, such as encrypted chat rooms or payment pages. This indicates that the letter writers are impersonating BianLian, hoping for name recognition in the media.
4 How to protect your business – Barracuda recommendations
Cyber security today is not only protection against digital attacks, but also against social engineering fraud attempts. Barracuda recommends conducting regular training for employees, especially those in the administrative and management departments. It’s also worth implementing procedures for responding to unusual situations, including receiving a physical ransom demand. It is crucial to quickly analyze the situation and report the matter to the appropriate services.
5 Summary and recommendations
New threats require new ways of thinking – it’s not just firewalls or mail scanners that can protect a company today. Traditional mail can become a vehicle for cyber fraud, so every unusual message should be carefully scrutinized. Working with a technology partner, such as Barracuda, provides not only protection tools, but also support in analyzing threats and responding to incidents. The key to security is vigilance, education and a comprehensive approach to cyber security issues.