FBI Warns of Silent Ransom Group Targeting Law Firms with In-Person Attacks

Severity: High (Score: 71.0)

Sources: Bleepingcomputer, attack.mitre.org, www.reuters.com, Darkreading, www.halcyon.ai

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: staff, firms, office, cybercriminals, their, silent, ransom

Summary

The FBI has issued a warning regarding the Silent Ransom Group (SRG), which has been targeting U.S.-based law firms through in-person data theft tactics. The group, active since 2022, impersonates IT staff to gain access to sensitive data. Their methods include social engineering via phone calls and phishing emails, urging employees to grant remote access. If these attempts fail, SRG members physically visit the firms to insert USB drives into computers, stealing data for extortion. This tactic has become more prevalent since Spring 2026, with law firms being a primary target due to the sensitive nature of their data. The FBI's alert follows a year of increased activity, with SRG responsible for over 100 attacks on law firms. The group's unique approach of in-person visits distinguishes it from typical ransomware operations.

Key Points:

  • Silent Ransom Group targets U.S. law firms using in-person data theft tactics.
  • The group employs social engineering methods, including impersonating IT staff.
  • SRG has been responsible for over 100 attacks, with a notable increase in Spring 2026.

Detailed Analysis

**Impact** U.S.-based law firms are the primary targets, with over 100 attacks attributed to the group since 2022 and a surge in activity during early 2026. The legal sector accounted for more than 6% of ransomware incidents in Q1 2026, ranking fourth among targeted industries. Data theft affects privileged and sensitive legal information, creating reputational damage and potential regulatory exposure. Notable victims include major firms such as Jones Day, with extortion demands leveraging stolen data to threaten public leaks.

**Technical Details** The group uses social engineering via phishing emails and phone calls impersonating IT support to gain remote desktop access. When remote access fails, operatives physically visit victim offices to connect USB or external drives for data exfiltration. Tools include legitimate remote access software, WinSCP, and disguised Rclone for file transfer. The group operates a data leak site for extortion and is linked to aliases Luna Moth, Chatty Spider, UNC3753, and Storm-0252. No specific CVEs or malware families were reported.

**Recommended Response** Enforce strict physical security controls to prevent unauthorized personnel from accessing workstations and disable or restrict USB port usage. Deploy monitoring for unusual USB device insertions and high-volume file copying to removable media. Train employees to verify IT support identity and avoid callback phishing traps, emphasizing verification protocols. Collect and share indicators such as phishing emails, phone numbers, and call transcripts with law enforcement to aid investigations.
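One way to implement the USB-insertion and disguised-Rclone monitoring recommended above, as an added example that is not part of the FBI alert or the source articles. It assumes Windows "Audit PNP Activity" (Security event 6416) and Sysmon process-creation logging (event 1) are enabled and exported as flattened records; the host names, device IDs, allow-list and 30-minute correlation window are constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Hypothetical allow-list of firm-issued drive instance IDs (constructed value).
APPROVED_USB = {r"USBSTOR\DISK&VEN_ACME&PROD_SECURE&REV_1.00\AA11BB22&0"}
WINDOW = timedelta(minutes=30)

# Constructed sample records, flattened from Security 6416 and Sysmon 1 events.
EVENTS = [
    {"ts": "2026-05-20T14:02:11", "host": "WS-PARALEGAL-07", "id": 6416,
     "DeviceId": r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_8.07\0F3C9911&0",
     "ClassName": "DiskDrive"},
    {"ts": "2026-05-20T14:09:40", "host": "WS-PARALEGAL-07", "id": 1,
     "Image": r"C:\Users\Public\svchost_update.exe",
     "OriginalFileName": "rclone.exe"},
    {"ts": "2026-05-20T09:15:00", "host": "WS-PARTNER-02", "id": 6416,
     "DeviceId": r"USBSTOR\DISK&VEN_ACME&PROD_SECURE&REV_1.00\AA11BB22&0",
     "ClassName": "DiskDrive"},
    {"ts": "2026-05-20T10:00:00", "host": "WS-IT-01", "id": 1,
     "Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe"},
]

def classify(ev):
    """Return an alert name for one event, or None if nothing is flagged."""
    if ev["id"] == 6416 and ev["DeviceId"].upper().startswith("USBSTOR\\"):
        if ev["DeviceId"].upper() not in APPROVED_USB:
            return "unapproved_usb_storage"
    if ev["id"] == 1 and ev.get("OriginalFileName", "").lower() == "rclone.exe":
        # PE metadata says rclone, but the file on disk carries another name.
        if ntpath.basename(ev["Image"]).lower() != "rclone.exe":
            return "renamed_rclone"
    return None

def detect(events):
    """Return (host, alert, severity); both alert types on one host within WINDOW is high."""
    hits = [(datetime.fromisoformat(e["ts"]), e["host"], classify(e)) for e in events]
    hits = sorted(h for h in hits if h[2])
    out = []
    for ts, host, alert in hits:
        paired = any(h == host and a != alert and abs(t - ts) <= WINDOW
                     for t, h, a in hits)
        out.append((host, alert, "high" if paired else "medium"))
    return out

if __name__ == "__main__":
    for row in detect(EVENTS):
        print(row)
```

The allow-list comparison is by full device instance ID, so a firm-issued drive model with a different serial still alerts.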

Source articles (8)

  • FBI warns of in — Bleepingcomputer · 2026-05-27
    The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. "As of Spring 2026, SRG actors use a social engineeri…
  • 001 — attack.mitre.org · 2026-05-27
    Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduce…
  • Hackers are knocking on office doors pretending to be IT staff — Feeds2.Feedburner · 2026-05-27
    The Silent Ransom Group (SRG) is targeting law firms using social engineering techniques and an unusual tactic for cybercriminals: showing up at victims’ offices in person while posing as IT staff, th…
  • FBI: Get to know your IT guy — Theregister · 2026-05-27
    Cybercriminals still allowed to walk into office blocks and convince staff to let them plug in their own thumb drives The FBI is warning unsuspecting lawyers that their firms continue to be an active…
  • FBI warns US — Cyberscoop · 2026-05-27
    Silent Ransom Group, a long-running data extortion operation, continues to hit U.S.-based law firms by impersonating IT support and, in some cases, visiting victims in person to gain physical access t…
  • Ransomware Actors Show Up In Person to Steal Law Firm Data — Darkreading · 2026-05-27
    The FBI warned that the extortion gang Silent Ransom Group is targeting law firms and socially engineering its way into servers and databases. The Silent Ransom Group (SRG) is impersonating IT personn…
  • Law Firm Jones Day Says Hackers Accessed Client Files 2026 04 06 — www.reuters.com · 2026-05-27
  • Silent Ransom Group — www.halcyon.ai · 2026-05-27

Timeline

  • 2022-01-01 — Silent Ransom Group formed: The group emerged after the disbandment of Conti, focusing on data extortion.
  • 2023-01-01 — SRG begins targeting law firms: The group shifted focus to law firms, exploiting their sensitive data for extortion.
  • 2025-05-01 — FBI issues advisory on SRG: The FBI warned about SRG's tactics, including callback phishing and impersonation.
  • 2026-05-27 — FBI issues new warning on SRG: The FBI alerts law firms about SRG's in-person attacks and social engineering tactics.

Related entities

  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • Bazarcall (Ransomware Group)
  • Conti (Ransomware Group)
  • INC (Ransomware Group)
  • Ryuk (Ransomware Group)
  • Silent Ransom Group (Ransomware Group)
  • SRG (Ransomware Group)
  • The Silent Ransom Group (Ransomware Group)
  • Jones Day (Company)
  • Russia (Country)
  • United States (Country)
  • ransomware.in (Domain)
  • Financial (Industry)
  • Healthcare (Industry)
  • Insurance (Industry)
  • Legal (Industry)
  • Agent.btz (Malware)
  • PlugX (Malware)
  • Remsec (Malware)
  • Spaceship (Malware)
  • USBStealer (Malware)
  • Machete (Apt Group)
  • T1021 - Remote Services (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1052 - Exfiltration Over Physical Medium (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Google Drive (Tool)
  • Finder (Tool)
  • RClone (Tool)
  • Terminal (Tool)
  • WinSCP (Tool)
  • Microsoft OneDrive (Platform)
  • Windows (Platform)