VYPR
breachPublished May 27, 2026· Updated Jun 8, 2026· 11 sources

FBI Warns Silent Ransom Group Recruits In-Person Operatives to Plant USB Drives at Law Firms

The FBI has issued an alert detailing how Silent Ransom Group (SRG) now sends operatives in person to law firms to physically insert USB drives and exfiltrate data for extortion.

The FBI has issued a new alert warning that the extortion gang known as Silent Ransom Group (SRG) has escalated its tactics by recruiting in-person operatives to physically breach targeted U.S. law firms. According to the Bureau, SRG actors now pose as IT support staff and, when remote access attempts fail, send an individual to the victim's location to insert a USB drive or external hard drive directly into a computer. The goal is data exfiltration for extortion, not file encryption.

Active since at least 2022, SRG has been targeting law firms since 2023, initially relying on callback phishing emails and social engineering calls that claimed to help victims cancel subscription fees. In a May 2025 alert, the FBI described SRG's use of phishing emails containing links to remote access software that enabled rapid data theft. The new campaign, observed this year, marks a significant tactical shift: the threat actor now impersonates an employee from the victim's own IT department.

"SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI explains in its latest alert (PDF). During the call, the attackers direct employees to grant remote desktop access. If that fails, the group dispatches a person posing as IT support to physically connect a device. "In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email," the Bureau notes.

Once inside the machine, SRG actors escalate privileges and immediately begin exfiltrating data, bypassing file encryption entirely. For data theft, they use legitimate tools such as WinSCP (Windows Secure Copy) or a version of Rclone, and in some cases copy data to internal file-sharing platforms like Google Drive and Microsoft OneDrive. The group then extorts the victim, threatening to sell or publish stolen data online, and also contacts the victim's employees and clients to increase pressure.

The FBI warns that recent SRG campaigns leave few artifacts on compromised machines, making detection difficult. "Traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack," the alert reads. This low-and-slow approach, combined with physical presence, evades many standard security controls.

To defend against these attacks, the FBI recommends organizations verify the credentials of all individuals with access to company assets, limit access to sensitive data, train employees to identify phishing attempts, and establish clear policies for IT support communication and authentication. Additional mitigations include backing up all company data, implementing phishing-resistant multi-factor authentication (MFA), blocking access to commonly exploited ports, and disabling remote access and permissions for external drive installation.

The emergence of in-person USB drops by a ransomware group represents a worrying evolution in physical-social engineering convergence. While such tactics have been used by state-sponsored actors and in targeted intrusions, their adoption by a financially motivated extortion gang signals a broader normalization of hybrid attacks that blend digital and physical compromise.

The FBI's latest flash alert, issued on Tuesday, provides additional technical details on SRG's social engineering tactics, including the use of phishing emails and phone calls to trick employees into granting remote desktop access before resorting to in-person visits. The advisory also includes specific indicators of compromise, such as unauthorized external hard drives or USB devices connected to company computers, and urges law firms to verify any unsolicited IT support requests. This alert follows a May 2025 private industry notification and an EclecticIQ report that detailed the group's ongoing callback phishing campaigns targeting legal and financial institutions.

The FBI's latest advisory expands on the group's tactics, noting that operatives now pose as IT staff in person at law firm offices to gain physical access, rather than relying solely on USB drops. The group, also tracked as Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022 and has also targeted insurance, finance, and healthcare sectors. This physical impersonation technique represents an escalation in SRG's social engineering arsenal, enabling direct ransomware deployment.

The FBI's latest advisory provides additional details on the group's social engineering tactics, including attackers posing as internal IT personnel via phone calls or phishing emails to persuade employees to grant remote desktop access. If remote efforts fail, the group may send an individual in person to the victim's office, claiming to need to create a backup or image a device, then use external storage devices to copy data. The FBI noted that the group's activity is difficult to detect because it relies on legitimate remote management tools and transfers stolen data through trusted cloud platforms like Google Drive and Microsoft OneDrive.

The FBI's latest advisory, released in Spring 2026, reaffirms that SRG continues to physically enter law firms' offices to plug USB drives into computers when remote callback phishing fails. The advisory also notes that SRG uses WinSCP or disguised Rclone for data exfiltration and stores stolen files on Google Drive or OneDrive. Recent alleged victims include law giant Jones Day, which confirmed a "cyber phishing incident" in April 2026 but did not name SRG.

Dark Reading now adds that the FBI's Internet Crime Complaint Center (IC3) published the advisory specifically naming law firms as targets since spring 2023, and that SRG — also tracked as Luna Moth, Chatty Spider, and UNC3753 — has victimized insurance, finance, and healthcare sectors as well. The report quotes Cynthia Kaiser of Halcyon's Ransomware Research Center, who notes the legal sector was the fourth most targeted industry in early 2026 due to sensitive client data and regulatory pressure. Kaiser describes the in-person tactic as 'an incredibly rare and concerning development' for a group likely operating from Russia, and the article details indicators of compromise including unauthorized WinSCP or Rclone connections to external IPs and physical USB drive insertion by individuals claiming to be IT support.

The FBI's latest alert, released exactly one year after its previous warning, details that Silent Ransom Group (also tracked as Chatty Spider, UNC3753, and Storm-0252) has claimed over 100 attacks and is largely responsible for a surge in ransomware incidents against law firms, which accounted for 6% of all ransomware in Q1 2026. Experts note the group's in-person data theft tactic is extremely rare, with no known parallels in cybercrime, and speculate that gig workers or subcontractors may be used to place voice-based phishing calls and visit victims without knowing they are committing a crime.

The FBI's latest advisory, shared with Cyber Security News, details that SRG actors now escalate to physical visits by fake IT technicians who plug USB drives or external hard drives into victims' computers when remote access attempts fail. The group uses legitimate tools like WinSCP and Rclone for data exfiltration, and the FBI recommends blocking port 22, enforcing phishing-resistant MFA, and verifying technician identities as key defenses. Indicators of compromise include the leak site business-data-leaks[.]com and unauthorized downloads of remote access tools such as Zoho Assist, Quick Assist, and AnyDesk.

The FBI Flash Alert further details that SRG actors use legitimate tools like WinSCP or renamed Rclone for data exfiltration, and may also upload stolen data to internal file-sharing platforms such as Google Drive or Microsoft OneDrive. When in-person operatives are deployed, they exfiltrate data to external hard drives or USB drives, and traditional antivirus products are unlikely to flag the intrusion because SRG relies on legitimate system management tools. The advisory also provides updated mitigation guidance, including blocking port 22 and disabling remote access permissions on sensitive computers.

The Silent Ransom Group (SRG) is now employing a sophisticated DNS fast flux technique to obscure its command-and-control infrastructure. This method rapidly rotates IP addresses associated with its C2 servers, making them significantly harder for security researchers and defenders to track and block. The group, also known as Chatty Spider and Luna Moth, continues to primarily target US law firms, but has also been observed compromising finance, healthcare, insurance, and hospitality sectors.

This new report from Dark Reading indicates that the Silent Ransom Group (SRG) is further diversifying its attack vectors beyond physical USB drops and vishing. The group is now reportedly combining voice phishing with impersonation of IT support staff and even physical office intrusions to exfiltrate sensitive data, thereby escalating their extortion demands.

Synthesized by Vypr AI