Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware
Fake BianLian ransom notes mailed to US CEOs in postal mail scam

Scammers are impersonating the BianLian ransomware gang in fake ransom notes sent to US companies via snail mail through the United States Postal Service.
The fake ransom notes were first reported by security researchers, with BleepingComputer later being sent a scan of the note from a CEO who received the same letter.
The envelopes for these ransom notes claim to be from the "BIANLIAN Group" and have a return address located in an office building in Boston, Massachusetts:
BIANLIAN GROUP 24 FEDERAL ST, SUITE 100 BOSTON, MA 02110.
In the letter shared with BleepingComputer, the envelope shows it was mailed on February 25th, 2025. This mailing date is the same as the one seen by Arctic Wolf, who also reported on the scam today.
The letters are being mailed to the CEO of the companies at their corporate mailing address and show that they were processed through a postal facility in Boston, with the envelope marked, "Time Sensitive Read Immediately."
The envelopes contain a ransom note addressed to the company's CEO or another executive, claiming to be from the BianLian ransomware operation. The notes are tailored to the company's industry, with different types of allegedly stolen data corresponding to the company's activities.
For example, fake BianLian ransom notes sent to healthcare companies claim that patient and employee information was stolen, while those targeting product-based businesses allege the exposure of customer orders and employee data.
"I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, enterprise financial documents, legal documents, investor and shareholder information, invoices, and tax documents," reads a fake BianLian ransom note.
Fake BianLian ransom note sent via snail mail.
The mailed ransom notes are very different from BianLian's, but the scammers attempt to make them look convincing by including the real Tor data leak sites for the ransomware operation in the notes.
However, unlike typical ransomware demands, these fake notes state that BianLian is no longer negotiating with victims. Instead, the victim has 10 days to make a Bitcoin payment to prevent data from being leaked.
Each ransom note includes a ransom demand ranging between $250,000 and $500,000, a freshly generated Bitcoin address to send payment, and a QR code for the Bitcoin address.
Arctic Wolf stated that all healthcare organizations had their ransom demand set to $350,000, which is the same as the one shared by a healthcare enterprise with BleepingComputer, as shown below.
Payment information in fake BianLian ransom note.
Furthermore, Arctic Wolf states that two ransom notes the researchers saw included legitimate compromised passwords to add legitimacy to the demand.
"In at least two letters, the threat actor included a compromised password within the How did this happen? section, almost certainly in an attempt to add legitimacy to their claim," explained Arctic Wolf.
The consensus in the reports is that these ransom notes are fake and are only designed to scare executives into paying a ransom, as there are no signs of an actual breach.
"While GRIT cannot confirm the identity of the letter's authors at this time, we assess with a high level of confidence that the extortion demands contained within are illegitimate and do not originate from the BianLian ransomware group," explains GuidePoint Security researcher Grayson North.
However, this does not mean the notes should be ignored. Due to the widespread mailing of these notes, all IT and security admins should notify executives about the scam so that they are aware and do not waste time and resources worrying about them.
These fake ransom notes are an evolution of the email extortion scams that have become so popular since 2018. However, instead of targeting personal emails, they are now targeting the CEOs of corporations.
BleepingComputer contacted the BianLian ransomware operation to see if they were involved with these mailings, but a reply was not immediately available.
Twitter Whistleblower Complaint: The TL;DR Version

Twitter is blasted for security and privacy lapses by the company's former head of security, who alleges the social media giant's actions amount to a national security risk.
A recently surfaced 84-page whistleblower complaint filed with the US government by Twitter's former head of security Peiter "Mudge" Zatko last month blasts his former employer for its alleged shoddy security practices and for being out of compliance with an FTC order to protect user data.
Twitter has responded alleging that Zatko is a "disgruntled employee" who was fired for poor performance and leadership. In a letter to employees, Twitter's CEO Parag Agrawal asserts that Zatko's claims are a "false narrative that is riddled with inconsistencies and inaccuracies, and presented without key context."
Here is an abbreviated overview of the allegations and Twitter’s reaction.
Zatko, a respected white-hat hacker who served as Twitter’s head of security for roughly 15 months between 2020 and 2022, accused Twitter of a litany of poor security and privacy practices that together constituted a national security risk.
Twitter is a mismanaged corporation and gives too many of its staff access to sensitive security and privacy controls without adequate oversight.
One or more Twitter employees may be working for undisclosed foreign intelligence services. This elevates his concerns to a matter of national security.
Nearly half of Twitter’s servers lack basic security functions, such as data encryption, because software running on them is either outdated or unpatched.
Twitter executives have prioritized growth over security as they have personally pursued massive bonuses, as high as $10 million, as incentives for the company's rapid expansion.
The business is out of compliance with a 2010 FTC order to protect users' personal information. Additionally, the business has lied to independent auditors of an FTC-mandated "comprehensive information security program" tied to the 2010 order.
Twitter does not honor user requests to delete their personal data, because of technical limitations.
When Zatko attempted to bring these and many other security and privacy issues to Twitter's board, company management misrepresented his findings and/or tried to hide the investigation.
Twitter allowed some foreign governments "… to infiltrate, control, exploit, surveil and/or censor the corporation's platform, staff, and operations."
Twitter does not have the resources or capacity to accurately determine the true number of fake (or bot) accounts on its platform. This question is central to Elon Musk's attempt to back out of buying the company for $44 billion.
The thrust of Twitter's response to Zatko is that he is a disgruntled employee, bad at his job and scapegoating Twitter for his failures. It points out that it has addressed, and continues to aggressively address, many of the IT security issues pointed out by Zatko.
An alleged response by Twitter’s CEO Parag Agrawal sent internally to Twitter employees was posted online.
NEW: First time Twitter CEO @paraga weighs in on whistleblower story. Sending this message to staff this morning. [website] — Donie O'Sullivan (@donie) August 23, 2022.
Meanwhile, top Democrats and Republicans in Congress have reacted by promising to investigate the claims. Sen. Richard Durbin (D-IL), chair of the Senate Judiciary Committee, confirmed he was investigating the whistleblower disclosure.
Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware

New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.
In January, Zscaler discovered a Zloader malware sample that contained what appeared to be a new DNS tunneling feature. Further research by Walmart indicated that Zloader was dropping a new proxy malware called BackConnect that contained code references to the Qbot (QakBot) malware.
BackConnect is malware that acts as a proxy tool for remote access to compromised servers. BackConnect allows cybercriminals to tunnel traffic, obfuscate their activities, and escalate attacks within a victim's environment without being detected.
Zloader, Qbot, and BackConnect are all believed to be linked to the Black Basta ransomware operation, with members utilizing the malware to breach and spread through corporate networks.
These ties are further strengthened by a recent Black Basta data leak that exposed the operation's internal conversations, including those between the ransomware gang's manager and someone believed to be the developer of Qbot.
Black Basta is a ransomware gang that launched in April 2022. It is believed to include members of the Conti Ransomware gang, which shut down in May 2022 after suffering a massive data leak of source code and internal conversations.
The ransomware gang has historically used Qakbot to gain initial access to corporate networks. However, after a 2023 law enforcement operation disrupted Qbot's operations, the Black Basta operation has looked for alternative malware to breach networks.
The group's pivot to BackConnect suggests they are still working with the developers connected to the Qbot operation.
In new research, Trend Micro found that the Cactus ransomware group is also utilizing BackConnect in attacks, indicating a potential overlap in members between both groups.
In the Black Basta and Cactus attacks seen by Trend Micro, the threat actors utilized the same social engineering attack of bombarding a target with an overwhelming number of emails, a tactic generally associated with Black Basta.
The threat actors would then contact the target through Microsoft Teams, posing as an IT help desk employee, ultimately tricking the victim into providing remote access via Windows Quick Assist.
While the attack flow for the Black Basta and Cactus attacks is not identical, it is very similar, with Trend Micro finding the Cactus threat actor utilizing command and control servers usually associated with Black Basta.
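The chain described above (an email flood, then a Teams approach from an outside tenant posing as IT support, then a Quick Assist session) is something a defender can look for as a sequence rather than as three unrelated alerts. The script below is an added illustration and not code from Trend Micro, BleepingComputer or either ransomware operation; the normalized event schema (`ts`, `user`, `kind`, `external`, `image`), the burst thresholds and every sample event are assumptions constructed for the example, so a real deployment would map its own mail, Teams and endpoint telemetry onto that shape first.

```python
"""Correlate the Black Basta / Cactus social-engineering chain:
email bombing -> external Teams chat -> Quick Assist launch.
Added example with a constructed, assumed event schema; not vendor code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values: a "burst" is MAIL_BURST_COUNT inbound mails to one
# user inside MAIL_BURST_WINDOW; the whole chain must complete in CHAIN_WINDOW.
MAIL_BURST_COUNT = 30
MAIL_BURST_WINDOW = timedelta(minutes=10)
CHAIN_WINDOW = timedelta(hours=2)

BASE = datetime(2025, 3, 3, 9, 10, 0)  # constructed start time

# Constructed sample events (not real telemetry). Each has ts, user, kind
# ("mail" | "teams" | "process") and kind-specific fields.
EVENTS = [
    # 40 inbound mails to j.doe, one every 10 seconds: the email flood
    {"ts": BASE + timedelta(seconds=10 * i), "user": "j.doe", "kind": "mail",
     "sender": f"list{i}@example.net"}
    for i in range(40)
] + [
    # Teams chat from an account outside the organisation's tenant
    {"ts": datetime(2025, 3, 3, 9, 25, 0), "user": "j.doe", "kind": "teams",
     "external": True, "display_name": "Help Desk"},
    # Quick Assist started on j.doe's workstation a few minutes later
    {"ts": datetime(2025, 3, 3, 9, 31, 12), "user": "j.doe", "kind": "process",
     "image": r"C:\Windows\System32\quickassist.exe"},
    # Benign noise for another user: external chat and Quick Assist, no flood
    {"ts": datetime(2025, 3, 3, 9, 30, 0), "user": "a.smith", "kind": "teams",
     "external": True, "display_name": "Vendor"},
    {"ts": datetime(2025, 3, 3, 11, 0, 0), "user": "a.smith", "kind": "process",
     "image": r"C:\Windows\System32\quickassist.exe"},
]


def find_mail_bursts(events):
    """Return {user: start_of_burst} for users who received at least
    MAIL_BURST_COUNT mails inside any MAIL_BURST_WINDOW (sliding window)."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mail":
            per_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > MAIL_BURST_WINDOW:
                left += 1
            if right - left + 1 >= MAIL_BURST_COUNT:
                bursts[user] = times[left]
                break
    return bursts


def correlate(events):
    """Return one alert per user whose mail burst is followed, within
    CHAIN_WINDOW and in order, by an external Teams chat and a Quick Assist
    process start."""
    alerts = []
    for user, start in find_mail_bursts(events).items():
        end = start + CHAIN_WINDOW
        mine = [e for e in events if e["user"] == user and start <= e["ts"] <= end]
        teams = sorted(e["ts"] for e in mine
                       if e["kind"] == "teams" and e.get("external"))
        quick_assist = sorted(e["ts"] for e in mine
                              if e["kind"] == "process"
                              and e["image"].lower().endswith("\\quickassist.exe"))
        for t in teams:
            later = [q for q in quick_assist if q >= t]
            if later:
                alerts.append({"user": user, "burst_start": start,
                               "teams_contact": t, "quick_assist": later[0]})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"ALERT {alert['user']}: flood from {alert['burst_start']}, "
              f"external Teams chat {alert['teams_contact']}, "
              f"Quick Assist {alert['quick_assist']}")
```

Only `j.doe` produces an alert: `a.smith` has the Teams chat and the Quick Assist launch but no preceding flood, which is the point of requiring the ordered sequence rather than any single indicator. Which tenants count as "external" and whether Quick Assist is allowed at all are policy decisions the script deliberately leaves to the caller.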
Cactus ransomware emerged in early 2023 and has since targeted a range of organizations using tactics similar to Black Basta's.
BleepingComputer's previous reporting on Cactus also showed links between the two ransomware gangs, with Cactus utilizing a PowerShell script called TotalExec that was often seen in Black Basta ransomware attacks.
Furthermore, the Black Basta ransomware gang adopted an encryption routine that was initially unique to Cactus ransomware attacks, further strengthening the ties between both groups.
The shared use of tactics, BackConnect, and other operational similarities, raises questions about whether Cactus ransomware is a rebrand of Black Basta or simply an overlap between members.
However, Black Basta has been slowly fading away since December 2024, with its leak site offline through most of 2025.
It is believed that many of the Black Basta members had already begun to move to other ransomware gangs, like Cactus, with the recent data leak being the final nail in the coffin.
Market Impact Analysis
Market Growth Trend
| 2018 | 2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
|---|---|---|---|---|---|---|
| 8.7% | 10.5% | 11.0% | 12.2% | 12.9% | 13.3% | 13.4% |
Quarterly Growth Rate
| Q1 2024 | Q2 2024 | Q3 2024 | Q4 2024 |
|---|---|---|---|
| 12.5% | 12.9% | 13.2% | 13.4% |
Market Segments and Growth Drivers
| Segment | Market Share | Growth Rate |
|---|---|---|
| Network Security | 26% | 10.8% |
| Cloud Security | 23% | 17.6% |
| Identity Management | 19% | 15.3% |
| Endpoint Security | 17% | 13.9% |
| Other Security Solutions | 15% | 12.4% |
Competitive Landscape Analysis
| Company | Market Share |
|---|---|
| Palo Alto Networks | 14.2% |
| Cisco Security | 12.8% |
| Crowdstrike | 9.3% |
| Fortinet | 7.6% |
| Microsoft Security | 7.1% |
Future Outlook and Predictions
The fake BianLian ransom-note landscape is evolving rapidly, driven by technological advancements, changing threat vectors, and shifting business requirements. Based on current trends and expert analyses, we can anticipate several significant developments across different time horizons:
Year-by-Year Technology Evolution
Based on current trajectory and expert analyses, we can project the following development timeline:
Technology Maturity Curve
Different technologies within the ecosystem are at varying stages of maturity, influencing adoption timelines and investment priorities:
Innovation Trigger
- Generative AI for specialized domains
- Blockchain for supply chain verification
Peak of Inflated Expectations
- Digital twins for business processes
- Quantum-resistant cryptography
Trough of Disillusionment
- Consumer AR/VR applications
- General-purpose blockchain
Slope of Enlightenment
- AI-driven analytics
- Edge computing
Plateau of Productivity
- Cloud infrastructure
- Mobile applications
Expert Perspectives
Leading experts in the cyber security sector provide diverse perspectives on how the landscape will evolve over the coming years:
"Technology transformation will continue to accelerate, creating both challenges and opportunities."
— Industry Expert
"Organizations must balance innovation with practical implementation to achieve meaningful results."
— Technology Analyst
"The most successful adopters will focus on business outcomes rather than technology for its own sake."
— Research Director
Areas of Expert Consensus
- Acceleration of Innovation: The pace of technological evolution will continue to increase
- Practical Integration: Focus will shift from proof-of-concept to operational deployment
- Human-Technology Partnership: Most effective implementations will optimize human-machine collaboration
- Regulatory Influence: Regulatory frameworks will increasingly shape technology development
Short-Term Outlook (1-2 Years)
In the immediate future, organizations will focus on implementing and optimizing currently available technologies to address pressing cyber security challenges:
- Technology adoption accelerating across industries
- Digital transformation initiatives becoming mainstream
These developments will be characterized by incremental improvements to existing frameworks rather than revolutionary changes, with emphasis on practical deployment and measurable outcomes.
Mid-Term Outlook (3-5 Years)
As technologies mature and organizations adapt, more substantial transformations will emerge in how security is approached and implemented:
- Significant transformation of business processes through advanced technologies
- New digital business models emerging
This period will see significant changes in security architecture and operational models, with increasing automation and integration between previously siloed security functions. Organizations will shift from reactive to proactive security postures.
Long-Term Outlook (5+ Years)
Looking further ahead, more fundamental shifts will reshape how cybersecurity is conceptualized and implemented across digital ecosystems:
- Fundamental shifts in how technology integrates with business and society
- Emergence of new technology paradigms
These long-term developments will likely require significant technical breakthroughs, new regulatory frameworks, and evolution in how organizations approach security as a fundamental business function rather than a technical discipline.
Key Risk Factors and Uncertainties
Several critical factors could significantly impact the trajectory of cyber security evolution:
Organizations should monitor these factors closely and develop contingency strategies to mitigate potential negative impacts on technology implementation timelines.
Alternative Future Scenarios
The evolution of technology can follow different paths depending on various factors including regulatory developments, investment trends, technological breakthroughs, and market adoption. We analyze three potential scenarios:
Optimistic Scenario
Rapid adoption of advanced technologies with significant business impact
Key Drivers: Supportive regulatory environment, significant research breakthroughs, strong market incentives, and rapid user adoption.
Probability: 25-30%
Base Case Scenario
Measured implementation with incremental improvements
Key Drivers: Balanced regulatory approach, steady technological progress, and selective implementation based on clear ROI.
Probability: 50-60%
Conservative Scenario
Technical and organizational barriers limiting effective adoption
Key Drivers: Restrictive regulations, technical limitations, implementation challenges, and risk-averse organizational cultures.
Probability: 15-20%
Scenario Comparison Matrix
| Factor | Optimistic | Base Case | Conservative |
|---|---|---|---|
| Implementation Timeline | Accelerated | Steady | Delayed |
| Market Adoption | Widespread | Selective | Limited |
| Technology Evolution | Rapid | Progressive | Incremental |
| Regulatory Environment | Supportive | Balanced | Restrictive |
| Business Impact | Transformative | Significant | Modest |
Transformational Impact
Technology becoming increasingly embedded in all aspects of business operations. This evolution will necessitate significant changes in organizational structures, talent development, and strategic planning processes.
The convergence of multiple technological trends—including artificial intelligence, quantum computing, and ubiquitous connectivity—will create both unprecedented security challenges and innovative defensive capabilities.
Implementation Challenges
Technical complexity and organizational readiness remain key challenges. Organizations will need to develop comprehensive change management strategies to successfully navigate these transitions.
Regulatory uncertainty, particularly around emerging technologies like AI in security applications, will require flexible security architectures that can adapt to evolving compliance requirements.
Key Innovations to Watch
Artificial intelligence, distributed systems, and automation technologies leading innovation. Organizations should monitor these developments closely to maintain competitive advantages and effective security postures.
Strategic investments in research partnerships, technology pilots, and talent development will position forward-thinking organizations to leverage these innovations early in their development cycle.
Technical Glossary
Key technical terms and definitions to help understand the technologies discussed in this article.
Understanding the following technical concepts is essential for grasping the full implications of the security threats and defensive measures discussed in this article. These definitions provide context for both technical and non-technical readers.