FBI Warns of In-Person Data Theft by Silent Ransom Group Targeting Law Firms
Severity: High (Score: 71.0)
Sources: Theregister, Bleepingcomputer, Feeds2.Feedburner, attack.mitre.org, www.reuters.com
Keywords: staff, firms, office, cybercriminals, their, silent, ransom
Summary
The FBI has issued a warning about the Silent Ransom Group (SRG), which is targeting U.S. law firms through in-person data theft tactics. The group, active since 2022, poses as IT staff to gain access to victim computers, either through phishing or by physically visiting offices. Once inside, they use USB drives to exfiltrate sensitive data for extortion purposes. The SRG has been particularly focused on the legal sector due to the sensitive nature of the data involved. Recent attacks have been reported as of Spring 2026, prompting the FBI to advise firms to secure their USB ports and be vigilant against unauthorized personnel. The group has also been linked to previous phishing schemes and has evolved its tactics to include direct physical infiltration.
Key Points:
- The Silent Ransom Group is impersonating IT staff to gain access to law firms.
- Recent attacks involve physically visiting offices to install USB drives for data theft.
- The FBI advises law firms to secure USB ports and be cautious of unauthorized personnel.
Detailed Analysis
**Impact** U.S.-based law firms are the primary targets, with recent victims including the major firm Jones Day. The group has been active since 2022 and shifted focus to legal and financial sectors since early 2023. Data stolen includes sensitive legal documents, which are used for extortion via ransom demands and threats to leak or sell the information. The operational impact includes potential data breaches, reputational damage, and financial loss due to extortion payments.
**Technical Details** The attack vector involves social engineering via callback phishing, where SRG actors impersonate IT staff to gain remote desktop access or physical access by visiting offices to plug in USB drives or external hard drives. Tools used include legitimate remote access software, WinSCP, and disguised versions of Rclone for data exfiltration. The group operates a data leak site and uses phishing emails and phone calls to pressure victims. No specific CVEs or malware samples were mentioned. Indicators include unauthorized USB device connections and unknown individuals claiming to be IT support.
**Recommended Response** Immediately restrict and monitor USB port usage and physical access to sensitive areas. Train employees to verify IT staff identity through official channels before granting access or plugging in devices. Deploy detection rules for unusual remote desktop sessions and monitor for unauthorized external storage devices. Collect and report any phishing emails, phone numbers, or call transcripts related to SRG to law enforcement for ongoing investigations.
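
The monitoring recommended above can be prototyped as a small triage pass over endpoint telemetry. The following is an added example, not code from the FBI advisory or the source articles: it flags external storage that is not on an allowlist and transfer tools (Rclone, WinSCP) running under a name that differs from the original file name embedded in the binary. The event schema, device IDs, host names and the original-file-name values are assumptions constructed for illustration.

```python
"""Triage endpoint events for unapproved storage and disguised transfer tools.

The event fields ("type", "host", "device_id", "image", "original_file_name")
are a constructed, normalized schema, not the output of a specific product.
"""
import ntpath

# Hypothetical allowlist of firm-issued storage devices (constructed IDs).
APPROVED_DEVICES = {"USBSTOR\\DISK&VEN_FIRM&PROD_ENCRYPTED\\0001"}

# Tools named in the analysis, keyed by the original file name carried in the
# binary's version metadata (assumed values; verify against your own builds).
TRANSFER_TOOLS = {"rclone.exe": "Rclone", "winscp.exe": "WinSCP"}


def triage(events):
    """Return (host, finding) tuples for events that need analyst review."""
    findings = []
    for ev in events:
        host = ev.get("host", "unknown")
        if ev.get("type") == "storage_attach":
            if ev.get("device_id") not in APPROVED_DEVICES:
                findings.append((host, "unapproved external storage attached"))
        elif ev.get("type") == "process_start":
            image = ntpath.basename(ev.get("image", "")).lower()
            original = (ev.get("original_file_name") or "").lower()
            tool = TRANSFER_TOOLS.get(original) or TRANSFER_TOOLS.get(image)
            if tool is None:
                continue
            if original and image != original:
                # Name on disk differs from embedded metadata: likely renamed.
                findings.append((host, f"{tool} running under disguised name {image}"))
            else:
                findings.append((host, f"{tool} executed; confirm it is sanctioned"))
    return findings


# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    {"type": "storage_attach", "host": "WS-LEGAL-07",
     "device_id": "USBSTOR\\DISK&VEN_FIRM&PROD_ENCRYPTED\\0001"},
    {"type": "storage_attach", "host": "WS-LEGAL-12",
     "device_id": "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH\\A1B2"},
    {"type": "process_start", "host": "WS-LEGAL-12",
     "image": "C:\\Users\\Public\\svchelper.exe", "original_file_name": "rclone.exe"},
    {"type": "process_start", "host": "WS-LEGAL-03",
     "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "original_file_name": "winscp.exe"},
    {"type": "process_start", "host": "WS-LEGAL-03",
     "image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "notepad.exe"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns three findings: the unapproved drive and the renamed Rclone binary on WS-LEGAL-12, and a review prompt for the WinSCP run on WS-LEGAL-03.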
Source articles (5)
- FBI warns of in — Bleepingcomputer · 2026-05-27
The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. "As of Spring 2026, SRG actors use a social engineeri…
- 001 — attack.mitre.org · 2026-05-27
Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduce…
- Hackers are knocking on office doors pretending to be IT staff — Feeds2.Feedburner · 2026-05-27
The Silent Ransom Group (SRG) is targeting law firms using social engineering techniques and an unusual tactic for cybercriminals: showing up at victims’ offices in person while posing as IT staff, th…
- FBI: Get to know your IT guy — Theregister · 2026-05-27
Cybercriminals still allowed to walk into office blocks and convince staff to let them plug in their own thumb drives. The FBI is warning unsuspecting lawyers that their firms continue to be an active…
- Law Firm Jones Day Says Hackers Accessed Client Files 2026 04 06 — www.reuters.com · 2026-05-27
Timeline
- 2022-01-01 — Silent Ransom Group formed: The group, also known as Luna Moth and Chatty Spider, began its operations targeting various sectors.
- 2023-01-01 — SRG begins targeting law firms: The group shifted focus to U.S. law firms, exploiting the sensitive nature of legal data.
- 2025-05-01 — FBI issues advisory on SRG tactics: The FBI warned about SRG's callback phishing and social engineering methods targeting law firms.
- 2026-05-01 — In-person attacks reported: The FBI confirmed that SRG members are now physically visiting law firms to execute data theft.
- 2026-05-27 — FBI issues new warning: The FBI reiterated the threat posed by SRG and recommended security measures for law firms.
Related entities
- Data Breach (Attack Type)
- Phishing (Attack Type)
- Ransomware (Attack Type)
- Bazarcall (Ransomware Group)
- Conti (Ransomware Group)
- Ryuk (Ransomware Group)
- SRG (Ransomware Group)
- The Silent Ransom Group (Ransomware Group)
- Jones Day (Company)
- United States (Country)
- Financial (Industry)
- Healthcare (Industry)
- Insurance (Industry)
- Legal (Industry)
- Agent.btz (Malware)
- PlugX (Malware)
- Remsec (Malware)
- Spaceship (Malware)
- USBStealer (Malware)
- Machete (APT Group)
- T1021 - Remote Services (MITRE ATT&CK)
- T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
- T1566 - Phishing (MITRE ATT&CK)
- T1567 - Exfiltration Over Web Service (MITRE ATT&CK)
- Google Drive (Tool)
- Finder (Tool)
- RClone (Tool)
- Terminal (Tool)
- WinSCP (Tool)
- Microsoft OneDrive (Platform)