Silent Ransom Group Targets US Law Firms

May 28, 2026 00:17

Silent Ransom Group's In-Person Data Theft Attacks

The FBI has warned of a new threat from the Silent Ransom Group (SRG), an extortion gang that is targeting US-based law firms in in-person data theft attacks. As of Spring 2026, SRG actors have been using a social engineering scheme in which they pose as employees of the victim's IT department, either calling employees directly or sending phishing emails that urge them to call the SRG actor posing as IT support.

While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain physical access and insert a storage device into the victim's computer. Once on site, the malicious actors can steal data by connecting USB drives or external hard drives to the victim's computer.

Indicators of an SRG Attack

The FBI has included the unauthorized installation of external hard drives or USB drives on company computers, and the presence of unidentified or unauthorized individuals claiming to be IT support and attempting to access computers, as possible indicators of an SRG attack.

Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in-person to the victim company's location to gain physical access to computers.
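The first FBI indicator above, unauthorized external drives on company computers, can be checked against an inventory of firm-issued media. The following is an added example, not code from the FBI alert or the source article: it parses Windows `USBSTOR` device instance IDs from device-attach records and flags any storage device whose serial is not approved. The record layout, hostnames, users, serials and allowlist are constructed for illustration.

```python
import re

# Windows device instance ID for a USB mass-storage disk:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_[^&\\]*\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed allowlist of firm-issued drive serials (assumption).
APPROVED_SERIALS = {"AA00000000000489"}

# Constructed sample records: (time, host, user, device instance ID).
SAMPLE_EVENTS = [
    ("2026-05-27T09:14:02", "WS-LIT-014", "jdoe",
     r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\AA00000000000489&0"),
    ("2026-05-27T13:41:55", "WS-LIT-022", "asmith",
     r"USBSTOR\Disk&Ven_Generic&Prod_External_HDD&Rev_1.00\575834314E3230&0"),
    ("2026-05-27T13:52:10", "WS-LIT-022", "asmith",
     r"USBSTOR\Disk&Ven_&Prod_USB_DISK&Rev_1.00\7&2f1a9c04&0"),
    ("2026-05-27T14:03:31", "WS-LIT-022", "asmith",
     r"USB\VID_046D&PID_C31C\6&1b2c3d4e&0&2"),  # keyboard, not storage
]

def serial_of(instance):
    # A '&' as the second character means the device reported no serial
    # and Windows generated the ID, so there is nothing stable to allowlist.
    if len(instance) > 1 and instance[1] == "&":
        return None
    return instance.rsplit("&", 1)[0]  # drop the trailing "&<index>"

def triage(events, approved=APPROVED_SERIALS):
    """Return a finding for every storage attach that is not firm-issued."""
    findings = []
    for when, host, user, device_id in events:
        m = USBSTOR_RE.match(device_id)
        if not m:
            continue  # not a USB mass-storage disk
        serial = serial_of(m["instance"])
        if serial is None:
            reason = "no hardware serial; cannot be allowlisted"
        elif serial.upper() in approved:
            continue  # firm-issued drive
        else:
            reason = "serial not on approved list"
        findings.append({"time": when, "host": host, "user": user,
                         "device": f'{m["vendor"]} {m["product"]}'.strip(),
                         "serial": serial, "reason": reason})
    return findings
```

Two unapproved drives attached to the same workstation within minutes, as in the constructed sample, is the pattern worth correlating with front-desk visitor logs and any report of someone claiming to be IT support.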

SRG's Extortion Tactics

SRG uses the stolen data to extort victims by sending a ransom email that threatens to sell the data or post it on the group's leak site. The group will also call the victims' employees or clients to pressure them into beginning ransom negotiations.

Also known as Luna Moth, Chatty Spider, and UNC3753, this cybercrime gang has been active since at least 2022 and has been targeting legal and financial organizations in the United States since early 2023. As previously reported, the same group of threat actors was also linked to BazarCall campaigns that provided initial access to corporate networks in Conti and Ryuk ransomware attacks.

History of the Silent Ransom Group

In March 2022, after the Conti shutdown, the threat actors separated from the cybercrime syndicate and formed the Silent Ransom Group (SRG), known for data theft and extortion operations following targeted phishing attacks. This week's flash alert follows a May 2025 FBI private industry notification warning that the same extortion gang had been targeting US law firms in callback phishing and social engineering attacks for more than two years.

A May 2025 EclecticIQ report detailing the cybercrime group's attacks on legal and financial institutions in the United States also revealed that the attackers register domains to "impersonate IT helpdesk or support portals for major US law firms and financial services firms, using typosquatted patterns."

The FBI's warning highlights the importance of being vigilant and taking steps to prevent such attacks. Law firms and other organizations should be cautious of unsolicited phone calls or emails claiming to be from IT support and should verify the identity of anyone attempting to access their computers or networks.


Source: BleepingComputer
