By Greg Freeman
Executive Summary
Healthcare organizations have received ransom extortion demands by postal mail. This is thought to be the first time data-related extortion demands have been delivered this way.
- No data is thought to have actually been compromised.
- The delivery method is an attempt to subvert common security measures.
- Staff should be trained to watch for demands sent in any format.
Healthcare organizations across the country recently received extortion demands through the mail claiming that their organization’s data had been stolen and demanding $250,000 to $350,000 in Bitcoin within 10 days.
The letters claimed to be from the BianLian group and said the data would be leaked unless the organization paid. The FBI determined that the letters had no verifiable connection to BianLian, and recipients reported that their own analyses showed no actual data breach had occurred. (The FBI notice is available online at https://bit.ly/3FC8Gu6.) Although no data were compromised, security experts say the novel use of postal mail to deliver a ransom demand is significant.
No one expected such a low-tech way to deliver a ransom demand, says Andrew Lokenauth, a business executive in Tampa, FL, who has held positions across institutions such as JP Morgan, Goldman Sachs, and Citi. He is the founder of TheFinanceNewsletter.com.
“When I first heard about ransomware threats coming through snail mail, I thought someone was joking. But nope — it’s happening, and it’s pretty clever, in an evil genius sort of way,” he says.
Lokenauth finds the incidents concerning because healthcare staff have gotten good at spotting sketchy emails and suspicious links. They will think twice before clicking random attachments. But a physical letter is different, he says.
Most people just open their mail without thinking twice, and that is exactly what these attackers are counting on, he says.
“I’ve noticed a disturbing pattern in my security consulting work. The more we lock down digital channels, the more creative these criminals get,” he says. “They’re like water finding new cracks to seep through. Using postal mail is actually brilliant, from their perspective. It completely bypasses our expensive email filters and security systems.”
Lokenauth worked with a medical center that received one of these threats. Their staff were totally thrown off because it did not match anything in their security training, he says.
“The letter looked official, used proper letterhead, and was professionally written,” he says. “No Nigerian prince stuff here.”
The psychology behind this old-school approach is interesting, he says. Physical mail feels more legitimate and urgent than email, he says. Additionally, there is something extra threatening about a ransom note you can hold in your hands. It is personal in a way that electronic threats are not, he says.
“From my analysis, this signals a broader shift in ransomware tactics. These groups are adapting, combining high-tech attacks with low-tech delivery methods,” Lokenauth says. “I’ve seen them using phone calls, SMS (Short Message Service), and now postal mail to initiate contact. They’re basically throwing everything at the wall to see what sticks.”
Lokenauth says he expects to see more hybrid approaches like this. Firewalls and antivirus software still are crucial, but healthcare organizations should include education on physical security threats and old-school social engineering, he says.
But the solution is not only about adding “check your mail” to security protocols, he says.
“It’s about fundamentally rethinking how we approach threat awareness,” he says. “In my experience, the organizations that adapt fastest are the ones that survive.”
Healthcare organizations should assume threats can come from anywhere — digital or physical, he says. The lines between cyber and physical security are disappearing, and training needs to reflect that reality, he says.
The costs of ignoring this could be massive, Lokenauth says.
“One healthcare org I worked with lost $500,000 because they weren’t prepared for this kind of attack vector,” he says. “Their staff knew exactly what to do with suspicious emails but had zero protocol for physical threats.”
He recommends expanding security awareness training immediately, reminding staff that ransomware threats are not limited to their email inbox.
“Maybe we need to start treating the office mailroom with the same security mindset as our email servers,” Lokenauth says.
Ransomware delivered through the U.S. postal mail is “a startling evolution,” says Rafay Baloch, CEO and founder of REDSECLABS, a cybersecurity company in London, United Kingdom.
“This isn’t just a new tactic. It’s a paradigm shift. Attackers are not only operating within the digital domain, they are using physical entry points to overcome even the most sophisticated of defenses,” he says. “It is a chilling reminder that cybersecurity is not only about firewalls and encryption, it is about behavior and trust of humans.”
The perpetrators used snail mail because it is effective, he says. The employees are trained to identify phishing emails but not suspicious packages. The mailroom is now on the front lines of your organization’s cybersecurity, he says.
“This hybrid approach targets our weaknesses by using the primary trust that we place in physical mail. It is a rather sneaky way to get around the digital safeguards and demonstrates that ransomware threats are only going to get more inventive and deadly,” Baloch says. “It underscores the importance of organizations to revisit their security measures. Training of the staff has to extend from digital threats to include physical threats as well. Establish procedures for examining the mail and especially for any unexpected packages or letters that are received.”
Exploiting Trust of Mail
Cybercriminals are reverting to physical mail to exploit the deep-rooted trust people still associate with traditional communication channels, says Rick Popko, executive director of threat research at SonicWall, a cyber security company in Milpitas, CA. While phishing emails are now met with a healthy dose of skepticism, physical letters often slip past that same level of scrutiny, he says.
“Ironically, even with the daily flood of junk mail, recipients tend to give physical letters more attention simply because digital threats have dominated security awareness training. By using the mail, attackers sidestep electronic filters and social engineering detection systems — while leveraging the psychological weight of something tangible and personalized,” he says. “It’s a deliberate tactic designed to provoke urgency and trust, precisely because physical mail still feels more credible and less threatening.”
The threat landscape is constantly evolving, and this shift to physical mail is just the latest example of how attackers adapt their tactics as defenses improve, he says. “We’ve seen this pattern before, from phishing to smishing, from ransomware to double extortion. Threat actors consistently pivot to whatever gets results. If they’re now turning to physical mail, it likely means this method has already proven effective or profitable,” Popko says. “Attackers don’t waste time on unproven tactics. They rely on what works. This underscores the need for security strategies that go beyond digital defenses and account for all threat vectors, including those we once considered outdated.”
This tactic signals a degree of creativity, says Jeff Le, managing principal at 100 Mile Strategies, a public sector navigation, communications, and policy consultancy in New York City. Before moving to consulting and industry, he was deputy cabinet secretary for the State of California under former Gov. Jerry Brown, where he addressed cyber threats.
“The letters are physical, slow, and maybe the last thing one would think would be from a ransomware group. It’s a low cost and maximum outreach tactic, which can’t be siphoned by digital filters and blockers. The move also reminds us that the vulnerability in many cybersecurity postures (is) people.”
It only takes one target to pay and make the effort profitable, Le says. The mail also creates fear, and that is a strategy in itself. Le also notes that the healthcare space still uses snail mail to conduct notifications, so there is an element of taking advantage of procedures and sensibilities.
“The future of ransomware is still AI (artificial intelligence)-powered offensive weapons, which, as of now, are still beneficial for the attackers,” Le says. “But curveballs like this show that the attackers are willing to try new things and exploit bad training, poor cyber culture and hygiene, and create an environment of uncertainty.”
The successful strengthening of email security measures — including advanced threat protection, multi-factor authentication, and phenomenal AI detection of anomalies — has prompted cybercriminals to revert to physical methods of penetrating security, says Jacob Kalvo, cofounder and CEO with Live Proxies, a cybersecurity company in Studio City, CA.
“Clearly, this turnaround signals a serious deficiency in the present cybersecurity training programs, as most healthcare staff are quite good at recognizing digital-based threats, yet they would not know how to conduct themselves in such scenarios when being harmed by traditional mail,” he says. “Of course, huge-revenue-generating entities, like hospitals and medical institutions without an operating continuity plan, are prime targets for ransomware attacks; hence, it would alarm one by this new approach.”
Ransomware arriving by snail mail completely avoids detection by digital security, Kalvo notes. Attackers may even send infected USB drives, optical discs, or even QR codes embedded into printed documents, which then execute malware that encrypts files and demands ransom payments, he says. Such a technique makes use of human curiosity and operational routine together with the presumption that actual deliveries are safer than digital deliveries.
Many health organizations work with multiple vendors, labs, and government agencies, thus adding to the probability of employees being lured to open a package or connect a device, Kalvo says. They assume that the item is safe because it supposedly came from a trusted business partner.
“Ransomware will have a much larger part to play in the history of importance base in prediction of future cybersecurity, which is likely not to focus only on digital security, but all other aspects of physical security as well,” he says. “Endpoint security solutions that detect unauthorized USB use should be deployed in healthcare institutions, and strict device control policies put in place.”
The mail incidents should prompt healthcare employers to train employees that ransomware and extortion demands can arrive in various forms, says Kristen Rosati, JD, an attorney with the law firm Coppersmith Brockelman in Phoenix. While ransomware will be electronic in the vast majority of cases, this demonstrates that it can come via snail mail or potentially through phone calls, she says.
“Snail mail doesn’t leave a digital fingerprint for forensic consultants to follow,” she says. “It’s also such an unusual vector that it is likely to take healthcare executives off guard.”
Organizations should also have a policy in place about how to respond to such deliveries, including when to get law enforcement involved, she says.
This method of delivery breaks the assumptions that most cybersecurity protocols are built on, says Conno Christou, cofounder of Keragon, a company in New York City that provides an automation platform for healthcare. Most staff are trained to spot phishing links, dodgy email attachments, and rogue USB sticks, but nobody is really thinking, “Is that USB that came in the mail from a legitimate partner?” he says.
“That’s exactly what these actors are banking on — an untrained channel. We saw two clients receive suspicious physical USBs last quarter, both addressed directly to their admin teams,” he says. “Fortunately, both had protocols that included (information technology) review of all unsolicited tech. But most don’t.”
This shift toward physical vectors is less about nostalgia and more about evasion, he says. Endpoint detection software does not scan postal deliveries, and mailroom staff are not running zero-trust policies.
“It’s a blind spot,” Christou says. “And it works because healthcare is complex, with lots of vendors and lots of physical documents still moving around, especially in older institutions.”
Most threats still arrive digitally, but the playbook is expanding, he says. And if ransomware is getting creative, the response has to move faster.
“Future threats won’t stay in one format. Security has to be layered, dynamic, and practical,” Christou says. “Tell your teams that, if it comes in the mail and plugs into a port, treat it like a cyber threat. Because that’s exactly what it is.”
As long as the postal mail is only a ransom demand, organizations probably can quickly determine whether there is a real threat by checking for any unusual activity suggesting a possible data breach, says Kurt Osburn, a director with the risk management and governance team at NCC Group, a cybersecurity company based in Manchester, United Kingdom. He is based in the Orlando, FL, area.
If not, a ransom letter can be dismissed, he says. “I think if you had seen this maybe two or three years ago, this might have raised some issues, but I really think that the healthcare industry in North America is really on high alert,” Osburn says. “They may not all be totally defended electronically, but they’re on high alert for anything that looks strange or unusual or is off the mark.”
Scam Within a Scam
Fortunately, the letters received recently are only an attempt to fool someone into sending money rather than revealing an actual data breach, says Melissa M. Crespo, JD, partner with the Morrison Foerster law firm in Washington, DC.
“It’s a scam within a scam — a bad actor trying to trick companies into paying a ransom when there has been no actual data extortion,” she says. “Despite this not being a legitimate security threat, and postal mail being an unlikely avenue that legitimate threat actors will ever pursue in connection with a cybersecurity attack, it’s always important to ensure staff are up to date on the evolving threat landscape and that they understand the process for identifying potential threats and alerting the right stakeholders, who can further investigate and respond to these potential threats.”
Crespo says it is likely that this was done by an unsophisticated actor making a low-stakes attempt to extort victims who are not particularly experienced with cybersecurity issues. Real ransomware or data extortion incidents typically involve back-and-forth communication with a threat actor, including the threat actor providing some affirmative evidence that what they say they have done is true, she notes.
“Here, these letters look potentially legitimate and could scare some companies into making a payment, despite there being no actual evidence of a security breach or data compromise,” Crespo says. “I don’t think this indicates any shift in the actual ransomware landscape, but, again, affirms the need for companies to have robust cybersecurity programs that include emphasis on identifying potential threats and escalating appropriately.”
It is important to teach staff about these recent incidents, says Trevor Young, chief product officer at Security Compass, a cybersecurity company in Toronto, Canada.
“Most employees know how to spot a sketchy email or a suspicious link, but how many would think twice about opening a letter or plugging in a USB drive that arrived in the mail? Probably not many,” he says.
Since this kind of attack is not covered in most cybersecurity training, organizations need to update their awareness programs. Staff should be reminded not to plug in unknown devices and to report any unexpected mail that looks even slightly off, he says.
Why would hackers go back to using physical mail?
“A USB drive in an official-looking envelope feels a lot less threatening than a shady email, which makes it an easy way to trick people,” Young says. “Plus, healthcare workers deal with a ton of paperwork and legal documents, so they’re more likely to open something without thinking twice.”
The incidents serve as a reminder that cybersecurity is not just about protecting networks, but also about protecting people from being tricked in new ways, he says. Companies need to expand security training beyond just phishing and malware to include physical threats, he says.
“This attack method might seem unusual now, but if it works, others will copy it,” Young says. “The best defense is to stay proactive, rethink what cybersecurity really means, and always be a little skeptical — whether it’s an email or an envelope.”
The snail mail demands should not be dismissed just because there was no actual data breach, says Gyan Chawdhary, founder and CEO of Kontra, a company in London, United Kingdom, which provides a security training platform.
“This is a crucial wake-up call. We’ve spent years training staff to recognize phishing emails, suspicious links, and malware-laden attachments. However, physical mail has largely been overlooked as a potential threat vector,” Chawdhary says. “This incident highlights the need for comprehensive security awareness training that extends beyond the digital realm. Staff should be educated about the potential for malicious devices or documents to arrive via mail, and procedures should be in place to handle such situations.”
The methodology might be a psychological tactic, he says. Receiving a physical package can create a sense of legitimacy and trust, making recipients more likely to interact with it. It also may be a way to target specific individuals who are not as tech savvy or those in areas with less digital security infrastructure, he says.
“This incident suggests that ransomware attackers are becoming more creative and adaptable. They are willing to explore unconventional methods to achieve their goals,” Chawdhary says. “We need to move beyond a purely reactive stance and adopt a more proactive and holistic approach to cybersecurity. This should include strengthening physical security measures, enhancing security awareness training, and developing incident response plans that address both digital and physical threats.”
Going forward, Chawdhary says he expects to see attackers continue to innovate and exploit vulnerabilities in unexpected ways. Security efforts must be equally dynamic and adaptable, he says. We need to be prepared for the unexpected and continually reassess our defenses to stay ahead of the evolving threat landscape. The focus should shift to a “zero trust” mentality, where all devices and interactions, regardless of origin, are treated with suspicion.
“This physical ransomware delivery is a stark reminder that cybersecurity isn’t just about digital defenses,” Chawdhary says. “We must broaden our scope, train for the unexpected, and adopt a truly layered, vigilant approach to security. Expect the unexpected, and always verify.”
Sources
- Rafay Baloch, CEO and Founder, REDSECLABS, London, United Kingdom. Telephone: +44 (208) 144-9076.
- Gyan Chawdhary, Founder and CEO, Kontra, London, United Kingdom.
- Melissa M. Crespo, JD, Partner, Morrison Foerster, Washington, DC. Telephone: (202) 887-8768.
- Conno Christou, Cofounder, Keragon, New York City.
- Jacob Kalvo, Cofounder and CEO, Live Proxies, Studio City, CA. Telephone: (747) 256-8786.
- Jeff Le, Managing Principal, 100 Mile Strategies, New York City.
- Kurt Osburn, Director, NCC Group, Manchester, United Kingdom. Telephone: +44 (0) 161-209-5200.
- Rick Popko, Executive Director of Threat Research, SonicWall, Milpitas, CA. Telephone: (888) 793-2830.
- Kristen Rosati, JD, Coppersmith Brockelman, Phoenix. Telephone: (602) 381-5464.
- Trevor Young, Chief Product Officer, Security Compass, Toronto, Canada. Telephone: (888) 777-2211.
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.