Not every ransomware threat starts with a compromised account or a suspicious email. Lately, some start with something far more ordinary: a letter in the mail.
Multiple organizations have reported getting physical letters claiming to be from known ransomware groups, such as BianLian. The letters demand payment, usually in the hundreds of thousands, and threaten to release sensitive data if the demand isn’t met within a certain number of days. Whether the claims are true or not, the tactic used here is quite simple: go around the firewall and send the threat straight to someone’s desk.
The U.S. Postal Inspection Service, FINRA, and the Federal Bureau of Investigation have all issued warnings over these mailed threats. The FBI noted that thus far, there’s no confirmed link between the individuals sending these letters and the well-known BianLian ransomware and data extortion group.
This development reinforces an important message: the threat landscape continues to evolve, and so must our strategies. While universities are no strangers to digital risk, we need to consider new vulnerabilities at the intersection of physical and digital spaces. This article outlines how these mailed threats work, the gaps they expose in security, and how institutions can adapt today to stay resilient.
1. Anatomy of a Mailed Ransomware Threat
Instead of sending out phishing links or malware attachments via digital channels, an attacker sends a printed letter by way of the U.S. Postal Service. It says your systems have been compromised and it gives you a deadline. Pay up or your data goes public.
The letters often reference specific departments and include QR codes or URLs to make the threat feel more legitimate. In many cases, recipients scan these QR codes on personal mobile devices—devices that may also connect to business systems under bring-your-own-device (BYOD) policies. This makes the activity hard to track and even harder to contain. Since the entire attack bypasses email and internal networks, it slips past spam filters, antivirus software, and endpoint detection systems entirely.
While the authenticity of these threats is usually uncertain, they are sophisticated in tone and appearance. The use of a tangible medium adds a layer of urgency and legitimacy, and the goal of these letters is the same as digital extortion: pressure institutions and people into compliance. They are difficult to detect in real time and introduce new challenges for incident response teams.
“The security team may not know of the physical mail-based attack until they’re notified by the end user who receives it.” — Justin Bettura, CISO at Youngstown State University
FINRA recently released detailed guidance for member firms on protecting against quishing—QR code phishing—particularly in connection with a wave of Microsoft 365-related attacks. The same tactics apply here.
2. Gaps in Detection and Response
University environments are complex. Multiple departments, separate mailrooms, and isolated workflows mean a physical threat might sit on someone’s desk for days before it gets reported, if it gets reported at all. Many people also don’t think of physical mail as part of the security equation. They don’t expect it, so they don’t escalate it.
In many cases, there is no clear process for what to do with a letter like this, who to contact, or how to handle the evidence. If there’s no plan in place, people will rely on guesswork. Guesswork costs time. Addressing this blind spot offers an opportunity to create more cohesive response systems, giving you that time back.
3. Technical Reality vs. Emotional Impact
A ransomware email can be filtered or flagged by security software. A physical letter, however, carries a different weight. It’s tangible, personal, and potentially unsettling. These qualities can affect the emotional response of the recipient, particularly if the letter is perceived as a direct threat to their department or personal safety.
Institutions must balance the urgency of physical threats with the rigor of digital forensics. What matters is verifying the claim (without jumping to conclusions or broadcasting it across the university campus). That means looking for signs of a breach through technical validation:
Importantly, communication must be contained while this validation is underway. Contain the message, confirm the facts, and keep your internal teams aligned. If there’s no evidence of intrusion, treat it like a fraud attempt. Still document it, still report it, but don’t let fear drive decisions.
4. Updating the Playbook for Hybrid & Asymmetric Threats
To address these evolving threats, universities should consider how their current incident response plans integrate real-world physical threat scenarios. Security planning and procedures might look like:
IT security teams, campus police, mailroom personnel, and legal and communications teams should all be involved in planning and practicing for these threats. You don’t want your organization to lose precious time determining “who owns the problem.” Instead, roles, responsibilities, and escalation paths should already be established.
If you’re not sure whether your current setup accounts for threats like this, use our Security Vulnerability Self-Assessment to identify blind spots in your security posture. It covers everything from perimeter integrity to employee access controls and emergency response planning.
5. Intelligence and Information Sharing
Universities can benefit from centralized analysis and shared intelligence to identify and get ahead of these threats. A single letter at one institution might seem isolated, but ten similar letters across multiple campuses can reveal a pattern. Shared intelligence is the structured exchange of that threat data (tactics, indicators, and incident details) between organizations facing common risks. In higher education, institutions across the country face many of the same risks, often targeted by the same groups using repeatable tactics.
When common patterns are identified and communicated early (through REN-ISAC, law enforcement briefings, or peer networks) others have a chance to act before they’re next in line. Reporting to federal channels like IC3 will also keep incidents logged and investigated as needed. Keep your internal team focused on analysis, documentation, and internal coordination.
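As an added illustration (not part of the original article or any sharing platform’s own tooling), the sketch below shows what structured sharing can surface: letter reports from four hypothetical campuses, all values constructed, reduced to comparable indicators and checked for overlap across institutions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample reports, one per mailed letter, as campuses might submit them
# to a sharing channel (REN-ISAC, peer network). Every value here is made up.
REPORTS = [
    {"institution": "Campus A", "claimed_group": "BianLian", "demand_usd": 250000,
     "deadline_days": 10, "qr_url": "https://pay.example.invalid/a1", "postmark": "Boston MA"},
    {"institution": "Campus B", "claimed_group": "BianLian", "demand_usd": 250000,
     "deadline_days": 10, "qr_url": "https://pay.example.invalid/b2", "postmark": "Boston MA"},
    {"institution": "Campus C", "claimed_group": "BianLian", "demand_usd": 500000,
     "deadline_days": 10, "qr_url": "https://other.example.invalid/c3", "postmark": "Denver CO"},
    {"institution": "Campus D", "claimed_group": "Unknown", "demand_usd": 50000,
     "deadline_days": 3, "qr_url": None, "postmark": "Denver CO"},
]

def indicators(report):
    """Comparable indicators from one letter: claimed group, payment terms,
    postmark, and the host behind the QR code (never the full URL)."""
    inds = {("group", report["claimed_group"]),
            ("terms", f'{report["demand_usd"]}/{report["deadline_days"]}d'),
            ("postmark", report["postmark"])}
    if report.get("qr_url"):
        inds.add(("qr_host", urlparse(report["qr_url"]).hostname))
    return inds

def shared_indicators(reports):
    """Indicators reported by two or more campuses, with who reported them."""
    seen = defaultdict(set)
    for r in reports:
        for ind in indicators(r):
            seen[ind].add(r["institution"])
    return {ind: sorted(c) for ind, c in seen.items() if len(c) >= 2}

def linked_pairs(reports, min_score=2):
    """Pairs of campuses whose letters share at least min_score indicators;
    a single shared postmark or group name is not enough to link them."""
    pairs = []
    for i, a in enumerate(reports):
        for b in reports[i + 1:]:
            score = len(indicators(a) & indicators(b))
            if score >= min_score:
                pairs.append((a["institution"], b["institution"], score))
    return pairs
```

Campus A and Campus B match on group, terms, postmark and QR host, so they link as one likely campaign, while Campus C and D share only a postmark and stay separate.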
6. Adaptability Over Assumptions
A mailed ransomware letter challenges a lot of assumptions, like where a cyber threat can come from, who detects it, and how prepared your teams are to respond.
Most defenses are already designed to protect against digital risk, but attackers aren’t limited to one playbook. If there’s a gap, they’ll use it. That includes the space between physical and digital systems, where responsibilities are typically left unclear.
Adaptability here means being ready for what doesn’t fit the template. It means bridging the gap between IT and physical security. It means giving staff simple, clear tools to act when something doesn’t look right, even if it’s not coming through a screen.
Protecting Your Organization’s Security
If you’re in charge of protecting your institution’s security posture, this is the moment to take a fresh look at where the vulnerabilities are. Run the scenarios. Train the people. Tighten the gaps. If you’re not sure where to start, we can help. Let’s figure out where the blind spots are, before someone else does.
Copyright 2023 SAFE HAVEN RISK MANAGEMENT LLC. All Rights Reserved.