VYPR
Breach · Published May 27, 2026 · 2 sources

FBI Warns Silent Ransom Group Recruits In-Person Operatives to Plant USB Drives at Law Firms

The FBI has issued an alert detailing how Silent Ransom Group (SRG) now sends operatives in person to law firms to physically insert USB drives and exfiltrate data for extortion.

The FBI has issued a new alert warning that the extortion gang known as Silent Ransom Group (SRG) has escalated its tactics by recruiting in-person operatives to physically breach targeted U.S. law firms. According to the Bureau, SRG actors now pose as IT support staff and, when remote access attempts fail, send an individual to the victim's location to insert a USB drive or external hard drive directly into a computer. The goal is data exfiltration for extortion, not file encryption.

Active since at least 2022, SRG has been targeting law firms since 2023, initially relying on callback phishing emails and social engineering calls that claimed to help victims cancel subscription fees. In a May 2025 alert, the FBI described SRG's use of phishing emails containing links to remote access software that enabled rapid data theft. The new campaign, observed this year, marks a significant tactical shift: the threat actor now impersonates an employee from the victim's own IT department.

"SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI explains in its latest alert (PDF). During the call, the attackers direct employees to grant remote desktop access. If that fails, the group dispatches a person posing as IT support to physically connect a device. "In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email," the Bureau notes.

Once inside the machine, SRG actors escalate privileges and immediately begin exfiltrating data, skipping file encryption entirely. For data theft, they use legitimate tools such as WinSCP (Windows Secure Copy) or a version of Rclone, and in some cases copy data to internal file-sharing platforms like Google Drive and Microsoft OneDrive. The group then extorts the victim, threatening to sell or publish the stolen data online, and also contacts the victim's employees and clients to increase pressure.

The FBI warns that recent SRG campaigns leave few artifacts on compromised machines, making detection difficult. "Traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack," the alert reads. This low-and-slow approach, combined with physical presence, evades many standard security controls.

To defend against these attacks, the FBI recommends organizations verify the credentials of all individuals with access to company assets, limit access to sensitive data, train employees to identify phishing attempts, and establish clear policies for IT support communication and authentication. Additional mitigations include backing up all company data, implementing phishing-resistant multi-factor authentication (MFA), blocking access to commonly exploited ports, and disabling remote access and permissions for external drive installation.

The emergence of in-person USB drops by a ransomware group represents a worrying evolution in the convergence of physical intrusion and social engineering. While such tactics have been used by state-sponsored actors and in targeted intrusions, their adoption by a financially motivated extortion gang signals a broader normalization of hybrid attacks that blend digital and physical compromise.

The FBI's latest flash alert, issued on Tuesday, provides additional technical details on SRG's social engineering tactics, including the use of phishing emails and phone calls to trick employees into granting remote desktop access before resorting to in-person visits. The advisory also includes specific indicators of compromise, such as unauthorized external hard drives or USB devices connected to company computers, and urges law firms to verify any unsolicited IT support requests. This alert follows a May 2025 private industry notification and an EclecticIQ report that detailed the group's ongoing callback phishing campaigns targeting legal and financial institutions.
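Because antivirus is unlikely to flag WinSCP or Rclone, and the alert lists unauthorized USB or external drives as an indicator, one defensive approach is to correlate the two signals per host. The sketch below is an added example, not code from the FBI alert or this page; the event schema, host names, device IDs, allowlists and the two-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Tools named in the FBI alert as quoted on this page.
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
WINDOW = timedelta(hours=2)  # assumed correlation window, tune per environment

# Constructed sample events in a hypothetical normalized schema
# (not a real EDR or Windows event format).
EVENTS = [
    {"ts": "2026-05-20T09:02:00", "host": "WS-014", "kind": "process", "user": "it-admin",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe", "orig_name": "winscp.exe"},
    {"ts": "2026-05-20T14:10:00", "host": "WS-031", "kind": "usb_storage",
     "device_id": "USBSTOR-EXAMPLE-0001"},
    # Renamed binary: file name is innocuous, embedded original name is not.
    {"ts": "2026-05-20T14:25:00", "host": "WS-031", "kind": "process", "user": "jdoe",
     "image": r"C:\Users\Public\svc_backup.exe", "orig_name": "rclone.exe"},
    {"ts": "2026-05-20T15:00:00", "host": "WS-007", "kind": "usb_storage",
     "device_id": "USBSTOR-APPROVED-0042"},
]
APPROVED_DEVICES = {"USBSTOR-APPROVED-0042"}  # assumed asset inventory
APPROVED_TOOL_USERS = {"it-admin"}            # assumed accounts with a documented need


def is_transfer_tool(ev):
    """Match on file name or embedded original name, so a rename alone does not hide the tool."""
    base = ev["image"].rsplit("\\", 1)[-1].lower()
    return base in TRANSFER_TOOLS or ev.get("orig_name", "").lower() in TRANSFER_TOOLS


def triage(events, approved_devices=APPROVED_DEVICES, approved_users=APPROVED_TOOL_USERS):
    """Return (host, finding, detail) tuples in time order."""
    findings, last_usb = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "usb_storage" and ev["device_id"] not in approved_devices:
            last_usb[ev["host"]] = ts
            findings.append((ev["host"], "unapproved_usb_storage", ev["device_id"]))
        elif ev["kind"] == "process" and is_transfer_tool(ev) and ev["user"] not in approved_users:
            usb_ts = last_usb.get(ev["host"])
            near_usb = usb_ts is not None and ts - usb_ts <= WINDOW
            label = "transfer_tool_after_usb" if near_usb else "transfer_tool"
            findings.append((ev["host"], label, ev["image"]))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

A transfer tool started shortly after an unapproved drive appears on the same host is the combination worth escalating first; either signal alone still merits a check against the IT ticket queue.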

Synthesized by Vypr AI