Overview:
The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
The campaign emerged during the first week of March 2025, and reflects a concerning evolution in social engineering tactics, as the responsible party uses physical letters as a supplement to email communications.
What’s Happening:
According to the FBI, cyber criminals are leveraging a multi-channel approach. Initial cyber criminal outreach may occur via postal mail. After receiving a physical letter, victims have reported subsequent email correspondences escalating the threats.
The messages themselves say that corporate networks have been infiltrated and that the sender has managed to extract confidential information. The cyber criminals go on to demand Bitcoin ransoms in amounts of $250,000 to $500,000 USD. Public exposure of the data is threatened if payment isn’t received within a 10-day window.
What Else:
The cyber criminals have indicated that they are from the BianLian ransomware group. However, the FBI remains skeptical of this posturing, as the physical and email messages contain indicators suggesting otherwise.
The email communications in this campaign include sophisticated language constructions, which are atypical of historical BianLian communications.
Further, security analysts report that when targeted organizations scanned their environments for detectable artifacts, they found no evidence of the network intrusions the extortion messages claimed had taken place.
As a result, cyber security experts believe that the group executing this campaign is impersonating the BianLian group.
Why it Matters:
This attack matters for a number of different reasons.
- The use of both physical letters and follow-up emails means that cyber criminals are trying to make their tactics appear more legitimate and difficult to ignore.
- The perpetrators are leveraging the BianLian name to give their scam credibility. Not only does this complicate efforts to track and monitor cyber crime, but it also means that victims may waste time and effort responding to a threat that does not actually exist.
- The Bitcoin demand puts pressure on organizations financially and could, in theory, lead to financial losses.
- This alert highlights the dynamic and evolving nature of cyber threats and the need for organizations to remain vigilant.
Preventing Email Impersonation Threats:
Security agencies recommend pursuing the following.
1. Implement a rigorous threat verification process. Establish protocols for determining the legitimacy of ostensible network compromises. In so doing, conduct forensic examinations and cross-reference claimed indicators of compromise against system logs.
2. Strengthen email security. Deploy a comprehensive, advanced system that can identify social engineering attempts. Apply custom policies and specific protocols for high-value email accounts.
3. Secure remote access infrastructure. Deploy strong authentication mechanisms for all network entry points. In addition, implement network segmentation to contain potential compromises.
4. Monitor data movement channels. Deploy solutions to detect anomalous data transfer patterns. Implement controls on outbound traffic to unauthorized destinations. Establish behavioral baselines for normal access patterns.
How Check Point Harmony Email & Collaboration Operates:
For comprehensive protection against evolving email-based extortion and impersonation threats, Check Point's Harmony Email & Collaboration provides the multi-layered security framework necessary to identify, contain, and neutralize these attacks before they impact your organization.
Get a product demo and/or contact our experts today to learn how Check Point can help secure your email communications against sophisticated impersonation and extortion attempts.
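The two most concrete recommendations above, cross-referencing claimed indicators of compromise against system logs (step 1) and checking outbound data movement against a behavioral baseline (step 4), can be worked through in a short triage script. The following is an added example written for this page; it is not code from the FBI advisory or from Check Point, and every indicator, log line and byte count in it is constructed sample data (documentation IP ranges, a placeholder hash, invented hostnames).

```python
"""Triage an extortion claim: (1) look for the claimed indicators in the
logs, (2) compare each host's outbound volume against its own baseline.
All inputs below are constructed sample data, not real indicators."""
import re
import statistics

# Constructed indicators as a hypothetical extortion letter might list them.
# 203.0.113.0/24 is a documentation range; the hash is a placeholder.
CLAIMED_IOCS = {
    "ip": ["203.0.113.77"],
    "sha256": ["0" * 63 + "1"],
    "user": ["svc_backup"],
}

# Constructed syslog-style lines; no real hosts, users or addresses.
SAMPLE_LOGS = [
    "2025-03-03T02:11:09Z fw01 allow src=10.0.5.14 dst=198.51.100.8 bytes=12044",
    "2025-03-03T02:14:51Z sshd[2211]: Accepted publickey for jdoe from 10.0.5.14",
    "2025-03-04T09:02:33Z edr host=ws-17 hash=" + "a" * 64 + " action=allow",
    "2025-03-04T23:40:02Z fw01 allow src=10.0.5.14 dst=198.51.100.8 bytes=9900",
]

# Constructed per-host daily outbound byte totals for the previous week,
# and the totals observed today.
BASELINE = {
    "ws-17": [1.2e8, 1.1e8, 1.3e8, 1.0e8, 1.25e8, 1.15e8, 1.2e8],
    "db-02": [4.0e6, 4.2e6, 3.9e6, 4.1e6, 4.0e6, 4.3e6, 3.8e6],
}
TODAY = {"ws-17": 1.22e8, "db-02": 9.5e7}


def find_claimed_iocs(iocs, log_lines):
    """Return {indicator: [matching log lines]} for every claimed IoC.
    An empty list means the logs contain nothing that corroborates the
    claim; a non-empty list is a lead for analyst review, not proof."""
    hits = {}
    for values in iocs.values():
        for value in values:
            pattern = re.compile(re.escape(value), re.IGNORECASE)
            hits[value] = [line for line in log_lines if pattern.search(line)]
    return hits


def corroborated(hits):
    """True if at least one claimed indicator appears in the logs."""
    return any(hits.values())


def outbound_anomalies(baseline, today, k=3.0):
    """Flag hosts whose outbound volume exceeds mean + k * stdev of their
    own history. Returns {host: (observed, threshold)}. Hosts without
    enough history are skipped: with no baseline there is nothing to
    compare against, so they should be reviewed separately."""
    flagged = {}
    for host, observed in today.items():
        history = baseline.get(host)
        if not history or len(history) < 2:
            continue
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history)
        threshold = mean + k * stdev
        if observed > threshold:
            flagged[host] = (observed, threshold)
    return flagged


def triage(iocs, log_lines, baseline, today):
    """Combine both checks into one summary an analyst can act on."""
    hits = find_claimed_iocs(iocs, log_lines)
    return {
        "claim_corroborated": corroborated(hits),
        "ioc_hits": hits,
        "outbound_anomalies": outbound_anomalies(baseline, today),
    }


if __name__ == "__main__":
    summary = triage(CLAIMED_IOCS, SAMPLE_LOGS, BASELINE, TODAY)
    print("claim corroborated by logs:", summary["claim_corroborated"])
    for host, (seen, limit) in summary["outbound_anomalies"].items():
        print(f"{host}: outbound {seen:.3g} bytes exceeds baseline {limit:.3g}")
```

In the constructed data the claimed indicators match nothing, which is the pattern the advisory describes, while db-02 is flagged because its outbound volume is far above its own weekly baseline. The two results are deliberately kept separate: an uncorroborated claim does not rule out an intrusion, and an outbound spike does not confirm the sender's story, so each finding goes to an analyst rather than being collapsed into a single verdict.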