Cybersecurity Advisory – Mail Scam Targeting Executives Claims Ties to Ransomware

Impact: All Member Firms

FINRA members should review this information with senior executives and information security personnel to alert them to the scheme.

On March 6, 2025, the Federal Bureau of Investigation (FBI) issued an alert advising of an ongoing scam involving letters delivered in the mail from unidentified criminal actors to corporate executives, claiming to have come from a ransomware group.

Stamped “Time Sensitive Read Immediately,” the letter claims the “BianLian Group” gained access to the organization’s network and stole thousands of sensitive data files. The letter then goes on to threaten that the victim’s data will be published to BianLian’s data leak sites if recipients do not use an included QR code linked to a Bitcoin wallet to pay between $250,000 and $500,000 within 10 days from receipt of the letter, claiming the group will not negotiate further with victims.

The FBI has assessed the letters are an attempt to scam organizations into paying a ransom. The letter contains a U.S.-based return address of “BianLian Group” originating from Boston, MA. The FBI’s alert stated no connections have yet been identified between the senders of the letters and the widely publicized BianLian ransomware and data extortion group.

As previously shared by FINRA, malicious QR codes can be a vector for network intrusion, and individuals should be cautious about scanning QR codes from unknown or unverified entities.

FINRA is not aware of any member firms being specifically targeted by this activity.

Recommendations to Protect Your Firm

To protect against this scheme, FINRA recommends the following actions.

  • Notify senior executives and information security personnel at the firm of the scam for awareness.
  • Ensure your incident response plan addresses, and employees are trained in, how to respond to a ransom threat.
  • If your firm receives one of these letters, contact the FBI immediately to report the incident, and review your firm’s network defenses for any signs of malicious activity.
  • Although the FBI has assessed this scheme does not appear to be linked to the actual BianLian ransomware group, the FBI has previously published an advisory that provides details on the tactics, techniques and procedures associated with the BianLian group.

Questions related to this Advisory or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).

FINRA asks member firms to report any instances of this or similar schemes to your Risk Monitoring Analyst. Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve members of any existing obligations under federal securities laws and regulations. Members may consider the information in this Advisory in developing new or modifying existing practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on a member’s size and business model.
