Last week, the FBI issued a FLASH alert - the Bureau's highest-urgency advisory level - warning that a criminal extortion gang called the Silent Ransom Group is now sending operatives physically into business offices, posing as IT support staff. If that sounds more like a spy movie than a cybersecurity threat, it's because it is genuinely unusual. Most cyberattacks are remote. This one isn't.
The alert, dated May 26, 2026 and available at ic3.gov, covers a group that has been targeting U.S. law firms and financial organizations for several years. What changed this spring is the in-person component - and it's worth understanding exactly how it works, because the defense is straightforward once you know what to look for.
Who Is the Silent Ransom Group?
Silent Ransom Group (SRG) goes by several names in the security community: Luna Moth, Chatty Spider, and UNC3753 all refer to the same operation. The group spun off from the Conti ransomware syndicate after Conti collapsed in March 2022 and has since focused almost entirely on data theft and extortion - no file encryption, no ransomware payload, just stealing sensitive data and threatening to publish it.
That distinction matters. Because they don't deploy traditional ransomware, SRG attacks leave far fewer forensic artifacts than a typical breach. Endpoint detection tools looking for malicious executables, suspicious process trees, or lateral movement patterns may not trigger at all. The FBI noted in its alert that "traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack."
They've been active long enough to build a meaningful track record. By the time the FBI issued this latest warning, data from more than 38 firms had already been posted to SRG's public leak site. Halcyon's Ransomware Research Center tracked more than 200 ransomware and extortion incidents targeting law firms between 2025 and early 2026, with SRG accounting for a significant share. In January 2026, Orrick, Herrington & Sutcliffe - a firm with over $1.5 billion in annual revenue and 25+ global offices - had data published after refusing to pay. Weil Gotshal reportedly paid "double-digit millions" to suppress a leak. Jones Day, Wood Smith Henning & Berman, and Ropers Majeski each faced similar incidents in the first quarter of 2026 alone.
How the Attack Actually Works
The attack has three phases, and each one escalates if the previous attempt fails.
Phase 1: The phone call or phishing email
An employee gets a call or email, apparently from their own IT department. The pretext is usually something mundane - a security scan that needs to run, follow-up from a suspicious email, a routine device check. The caller asks the employee to open a remote desktop session. The framing is consistent whether the contact happens by phone or in writing: "We need to image the device or create a backup file."
This works surprisingly well. Employees are conditioned to cooperate with IT requests, especially ones framed around security. The caller knows the firm's name, speaks with apparent familiarity, and doesn't ask for passwords - they just want screen access, which feels less suspicious than giving someone credentials.
Phase 2: Remote access via legitimate tools
If the employee cooperates, the attacker uses that remote desktop session to escalate privileges and start exfiltrating data. They typically use WinSCP or a customized version of Rclone - both are legitimate file-transfer utilities that security tools recognize as normal business software. In some cases they copy data directly to Google Drive or Microsoft OneDrive accounts they control, piggybacking on traffic that looks like ordinary cloud storage activity.
Phase 3: The physical visit
This is the new development. When the remote attempt fails - when an employee hangs up, doesn't cooperate, or reports the suspicious call - SRG doesn't give up. They send someone to the office.
The operative shows up claiming to be IT support, often following up on the earlier contact ("I spoke with someone earlier about your device - I'm here to run the backup"). They ask to access a workstation briefly. If they get to it, they plug in a USB drive or external hard drive and copy data on the spot. The FBI specifically flagged "the presence of unidentified or unauthorized individuals claiming to be IT support and attempting to access computers" as an indicator of an active SRG attack.
The whole chain - phone call, remote session or physical visit, data exfiltration - can happen in a single afternoon.
Why This Tactic Is Effective Against Smaller Organizations
Larger organizations have physical security, visitor badge requirements, and dedicated IT staff that employees recognize by name. A stranger claiming to be from IT at a 200-person firm sticks out. At a 15-person law office or boutique financial advisory, where there's no formal IT department and "IT support" is often an outside vendor who shows up occasionally, it's a lot harder to know who belongs.
SRG is explicit in choosing targets where that ambiguity exists. Law firms and financial organizations hold dense concentrations of sensitive data - attorney-client communications, M&A documentation, client financial records, litigation strategy - in environments where the staff is trained in client confidentiality but not necessarily in cybersecurity protocols.
For businesses that rely on an outside IT provider, as many small law firms and financial organizations do, the attack also exploits a real ambiguity: employees know that IT vendors visit sometimes, they just don't always know exactly who or when.
What Your Business Should Do
The good news is that defending against this kind of attack doesn't require new technology. It requires clear procedures.
Establish a verification protocol for IT support
Every business should have a single, documented procedure for verifying IT support identity - and every employee should know it. At minimum:
- All IT support requests (remote or in-person) should be confirmed through a known, internal channel before access is granted. If someone calls claiming to be IT, hang up and call your IT provider back on their main number - not the number the caller provides.
- Remote desktop access should never be granted based on an inbound call or email alone. A real IT team can initiate sessions through documented tools that employees can recognize.
- Unscheduled in-person visits from IT should require advance confirmation. "My manager needs to confirm you're scheduled" is a reasonable thing to say to anyone who shows up unannounced.
This sounds obvious, but it needs to be written down and practiced. The attack works because employees want to be helpful and don't have a clear rule about what to do when someone calls from "IT." Give them the rule.
Restrict USB and external storage ports
Windows Group Policy and most endpoint management platforms let you disable USB storage device access by policy - blocking the ability to connect drives without IT authorization. This directly addresses the in-person exfiltration vector. Even if an operative gets to a machine, they can't plug in and copy. This is a straightforward configuration change and endpoint protection tools can enforce it consistently across a fleet of devices.
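To make the Group Policy setting concrete, here is an added PowerShell example (not from the article or the FBI alert) that writes the registry values behind the "All Removable Storage classes: Deny all access" and "Removable Disks: Deny read/write/execute access" policies and then checks that they are present. It assumes an elevated session on Windows 10 or 11; in a domain, set the same values through a GPO so they are not overwritten at the next policy refresh.

```powershell
# Added example: apply and verify the removable-storage deny policy via its registry backing.
# Run elevated. Reboot afterwards to be sure the driver stack honours the new values.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable disks" (USB mass storage), used by the per-class policies.
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageDeny {
    # Creates the policy keys and sets Deny_All for all classes plus Deny_Read/Deny_Write/
    # Deny_Execute for removable disks, matching what the Group Policy editor would write.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null

    $ClassKey = Join-Path $PolicyKey $RemovableDisks
    if (-not (Test-Path $ClassKey)) { New-Item -Path $ClassKey -Force | Out-Null }
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        New-ItemProperty -Path $ClassKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-RemovableStorageDeny {
    # Returns $true only if every expected value is present and set to 1, so the check
    # can be run on its own across a fleet to find machines missing the policy.
    $ClassKey = Join-Path $PolicyKey $RemovableDisks
    $checks = @(
        @{ Path = $PolicyKey; Name = 'Deny_All' },
        @{ Path = $ClassKey;  Name = 'Deny_Read' },
        @{ Path = $ClassKey;  Name = 'Deny_Write' }
    )
    foreach ($c in $checks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if (-not $v -or $v.($c.Name) -ne 1) { return $false }
    }
    return $true
}

Set-RemovableStorageDeny
if (Test-RemovableStorageDeny) { 'Removable storage policy enforced' } else { 'Policy NOT enforced' }
```

Test-RemovableStorageDeny on its own is the useful fleet check: a machine where it returns $false is one an operative could still plug a drive into.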
Train employees to recognize social engineering
The FBI's prevention recommendations lead with employee training. That's because no technical control catches someone talking an employee into voluntarily granting access. Security awareness training that includes specific social engineering scenarios - not just generic phishing emails but phone-based pretexting and in-person impersonation - helps employees recognize the pattern before they cooperate.
Run a tabletop scenario: what do you do if you get a call from someone claiming to be from IT asking for remote access? Most employees have never thought about it. Once they have, they'll handle it correctly.
Enable phishing-resistant MFA and audit remote access tools
The FBI's alert specifically recommends phishing-resistant multi-factor authentication (hardware keys or passkeys rather than SMS or app-based codes). It also recommends blocking access to ports commonly used for remote access and disabling remote access permissions that aren't actively in use.
Review which remote access tools are authorized in your environment - RDP, TeamViewer, AnyDesk, and similar tools should be locked down to specific users and audited regularly. If someone installs an unauthorized remote access tool, your managed cybersecurity monitoring should flag it quickly.
Know who your IT provider is - and make sure your staff does too
This is probably the most practical single thing a small business can do. If your staff knows that IT support comes from one specific company, that the technicians' names are on file, and that any visit is scheduled in advance through a known contact, the impersonation attack fails immediately. "We use our IT provider - let me call to verify" shuts down both the phone and in-person vectors before they start.
Indicators to Watch For
The FBI listed the following specific indicators of an active SRG attack:
- Unauthorized installation of external hard drives or USB drives on company computers
- Unidentified individuals claiming to be IT support attempting to access computers
- Unexpected remote desktop session requests following an inbound call or email
- Unusual WinSCP or Rclone activity on workstations (particularly outbound file transfers)
- Data appearing unexpectedly in Google Drive or OneDrive not initiated by the account owner
If you see any of these, treat it as an active incident. Disconnect the affected machine from the network, don't let the visitor leave if possible, and contact your IT security team immediately. SOC monitoring - where activity is watched in near-real time - is valuable here because the exfiltration window is short.
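For the remote access tool audit described earlier and the WinSCP/Rclone indicator listed above, here is an added PowerShell example (not from the article or the FBI alert) that triages process-creation records for both. The records are constructed test data shaped like Sysmon Event ID 1 fields, and the approved remote access list is an assumption to edit for your environment.

```powershell
# Added example: flag SRG-style tool usage in process-creation records.
# Constructed data below; the approved-tool list is an assumption, not a recommendation.

$ApprovedRemoteAccess = @('mstsc.exe')   # assumed: only the built-in RDP client is sanctioned
$RemoteAccessTools    = @('teamviewer.exe', 'anydesk.exe', 'mstsc.exe', 'quickassist.exe')
$ExfilTools           = @('rclone.exe', 'winscp.exe')   # tools named in the FBI indicators

# Constructed sample events. OriginalFileName is the name compiled into the binary's
# version resource, so a renamed copy of rclone.exe still carries it.
$Events = @(
    [pscustomobject]@{ Time='2026-05-28T14:02:11'; User='LAW\jsmith'; Image='C:\Windows\System32\mstsc.exe';             OriginalFileName='mstsc.exe' },
    [pscustomobject]@{ Time='2026-05-28T14:05:40'; User='LAW\jsmith'; Image='C:\Users\jsmith\Downloads\AnyDesk.exe';      OriginalFileName='AnyDesk.exe' },
    [pscustomobject]@{ Time='2026-05-28T14:09:03'; User='LAW\jsmith'; Image='C:\Users\jsmith\AppData\Local\Temp\svc.exe'; OriginalFileName='rclone.exe' },
    [pscustomobject]@{ Time='2026-05-28T14:15:22'; User='LAW\mlee';   Image='C:\Program Files\Microsoft Office\EXCEL.EXE'; OriginalFileName='Excel.exe' }
)

function Get-SrgIndicators {
    # Emits one alert object per record that matches an exfiltration tool or an
    # unapproved remote access tool; normal business software produces no output.
    param([Parameter(Mandatory)] [object[]] $Records)
    foreach ($r in $Records) {
        $leaf = [IO.Path]::GetFileName($r.Image).ToLowerInvariant()
        $orig = $r.OriginalFileName.ToLowerInvariant()
        $reasons = @()
        if ($ExfilTools -contains $orig) {
            $reasons += "file-transfer tool ($orig) executed"
            if ($leaf -ne $orig) { $reasons += "binary renamed to $leaf" }
        }
        if (($RemoteAccessTools -contains $orig) -and ($ApprovedRemoteAccess -notcontains $orig)) {
            $reasons += "unapproved remote access tool ($orig)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time=$r.Time; User=$r.User; Image=$r.Image; Reasons=($reasons -join '; ') }
        }
    }
}

Get-SrgIndicators -Records $Events | Format-Table -AutoSize
```

With Sysmon installed, live records come from Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} and can be fed to the same function; the sample run flags the AnyDesk launch and the renamed rclone copy but not the RDP client or Excel.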
The Bigger Picture
What makes this attack notable isn't the sophistication. It's the simplicity. SRG doesn't need to find a zero-day vulnerability or break encryption. They call an employee, use a reasonable pretext, and ask for help. When that doesn't work, they walk in and ask in person.
The defense is equally straightforward: establish a verification procedure, train your people to use it, and lock down physical USB access. None of that requires a large IT budget. It requires policy and follow-through.
If you want help reviewing your current IT support protocols, checking endpoint configurations for USB controls, or putting together a social engineering awareness session for your staff, we're happy to assist. These are the kinds of things we help businesses with regularly - the basics that make a real difference when someone tests them.
Frequently Asked Questions
Is my business at risk from Silent Ransom Group if we're not a law firm?
The FBI's current warning focuses on law firms, which have been SRG's primary target since 2023. But the tactics - phone impersonation, remote desktop social engineering, and in-person physical access - work against any organization where employees don't have a clear procedure for verifying IT support identity. Financial services, medical practices, and professional service firms hold the type of data this group targets.
How do I know if someone calling from "IT support" is legitimate?
The simplest rule: if you receive an inbound call or email from someone claiming to be IT support, do not grant access based on that contact alone. Hang up, then call your IT provider back using the number you have on file - not a number the caller gives you. Legitimate IT support will understand the verification step. Someone running a social engineering attack will push back or pressure you to act immediately.
Can our antivirus catch this kind of attack?
Probably not on its own. The FBI's alert specifically notes that traditional antivirus won't flag SRG intrusions because they use legitimate tools - WinSCP and Rclone for file transfer, standard remote desktop software for access. Antivirus detects known malicious code; it doesn't detect an employee voluntarily granting access or a USB drive being connected. Behavioral monitoring and endpoint management policies (like blocking unauthorized USB storage) are more effective controls for this specific threat.
What should employees do if an unscheduled IT person shows up at the office?
Ask them to wait while you verify the visit through your normal IT contact. Call your IT provider directly to confirm a technician was dispatched. If you can't confirm the visit, ask them to leave and report the incident immediately. A legitimate technician will have a service ticket number and won't object to the verification call.
We use an outside IT firm. How do we set up a verification process?
Ask your IT provider for a specific dispatch process for scheduled visits - how will you know when a technician is coming, and how do you verify who they are? You should have a named contact and a confirmation process before anyone shows up. Document it, share it with your staff, and test it occasionally. This is a basic operational security question for any managed IT relationship and any good provider will be able to answer it clearly.