Threat Intelligence

🕵️‍♂️ FBI: Silent Ransom Group Now Steals Data In Person

By A Yousaf Tanoli, hobbyist with a keen interest in password security and online safety · 28 May 2026 · 12 min read · 2,554 words

The Federal Bureau of Investigation (FBI) issued a flash alert on Tuesday warning that the Silent Ransom Group (SRG) extortion gang is now sending operatives to victim locations to steal data in person. The advisory, released through the FBI's Internet Crime Complaint Center (IC3), details a sophisticated social engineering campaign targeting U.S.-based law firms, where attackers pose as IT support staff over the phone and, when remote access fails, physically dispatch a threat actor to the victim's office to connect a USB drive or external hard drive to company computers.

"As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department," the FBI warned. "SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support." Once on the phone, the attacker directs the employee to grant remote desktop access. If that attempt fails, SRG sends a threat actor to the victim's physical location to gain access to insert a storage device into the victim's computer.

This escalation to in-person physical breach tactics represents a dangerous new phase in ransomware operations. For enterprise security teams and law firm IT administrators, it underscores a fundamental truth: credential security and physical access controls are no longer separate domains - they are two sides of the same coin.

Who Is the Silent Ransom Group?

Also tracked as Luna Moth, Chatty Spider, and UNC3753 by different threat intelligence firms, SRG has been active since at least 2022. The group initially gained notoriety through BazarCall campaigns that provided initial access to corporate networks in Conti and Ryuk ransomware attacks. After the Conti syndicate shut down in March 2022, the group splintered off and formed the Silent Ransom Group, specialising in data theft and extortion operations.

Since early 2023, SRG has been consistently targeting legal and financial organisations in the United States. The group's hallmark is callback phishing - where victims receive a phishing email about a fake subscription renewal or service charge, and are urged to call a number to cancel. When they call, the "customer support" agent guides them through installing remote access software, granting the attackers a foothold in the corporate network.

The May 2026 FBI flash alert follows a May 2025 private industry notification that similarly warned about Luna Moth targeting law firms. A separate EclecticIQ report from May 2025 revealed that the attackers register typosquatted domains designed to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms."

How the In-Person Attack Works

The May 2026 FBI advisory reveals a deeply concerning escalation: this group is now willing to physically dispatch operatives to victim locations. Here is the attack chain:

  1. Initial contact: SRG sends a phishing email or makes a direct phone call, with the attacker posing as an employee from the victim's own IT department.
  2. Call for help: The email or call urges the employee to contact "IT support" via a provided phone number.
  3. Remote access: When the employee calls, the attacker (still posing as IT support) guides them through granting remote desktop access using legitimate remote access tools.
  4. If remote fails: The attacker sends a physical operative to the victim's office location. This person claims to be an IT technician and requests physical access to company computers.
  5. Data theft: The operative connects a USB drive or external hard drive to the victim's computer and steals sensitive data - client files, financial records, credentials, and internal communications.
  6. Extortion: Once data is exfiltrated, SRG contacts the victim organisation with a ransom demand, threatening to sell or post the stolen data on their leak site. They also call the victim's employees or clients directly to pressure the organisation into paying.

The FBI noted that the unauthorised installation of external hard drives or USB drives on company computers, and the presence of unidentified individuals claiming to be IT support attempting to access computers, are key indicators of an SRG attack.

Why Law Firms Are Prime Targets

Law firms are uniquely vulnerable to this type of attack for several reasons:

Credential Security: The First Line of Defence

While the SRG's in-person tactics grab headlines, the reality is that the vast majority of ransomware attacks still begin with compromised credentials. According to the 2025 Verizon Data Breach Investigations Report (DBIR), 86% of web application breaches involve stolen or weak credentials. The IBM Cost of a Data Breach 2025 report found that compromised credentials were the most common initial attack vector, with an average breach cost of $4.81 million.

For enterprises, the single most effective defence against credential-based attacks is a robust, centrally managed password policy enforced through an enterprise password manager. Organisations that rely on shared spreadsheets, sticky notes, or browser-based password storage are operating with a level of credential hygiene that makes them easy targets for even unsophisticated attackers.

An enterprise password manager such as Keeper Business or 1Password Teams provides: 🎓 Save 50% Off

Firms should also consider secure communication channels for sensitive correspondence. TrekMail provides encrypted email services that protect client-attorney communications from interception - a critical consideration when attackers are known to monitor email traffic for credential resets, client information, and financial negotiations.

Physical Security Measures Against In-Person Attacks

The SRG's physical deployment tactic means that cybersecurity and physical security teams must now work together. Organisations should implement the following measures:

For remote employees and mobile practitioners - particularly common in law - using a VPN on public Wi-Fi is no longer optional. When attorneys work from coffee shops, co-working spaces, or client offices, their network traffic is exposed to anyone on the same network. Hide My Name VPN encrypts internet traffic end-to-end, preventing attackers on shared networks from intercepting credentials, client emails, or document transfers. For firms that want a no-compromise approach to mobile security, Turbo VPN offers fast encrypted connections designed for business travellers and remote professionals who need reliable protection across multiple devices. PureVPN — Browse Safely Anywhere

Why Password Managers Are the Enterprise Answer

The most effective single intervention an organisation can make against credential-based attacks - whether phishing, callback social engineering, or physical USB-driven data theft - is to implement a comprehensive password management strategy. When every employee uses unique, complex passwords stored in a centralised, encrypted vault, the credential chain is hardened at its weakest link.

For enterprise environments, password managers offer critical capabilities that consumer tools don't:

Enterprise teams looking for robust password security can also use tools like the password strength visualiser at bestpasswordgenerator.org to audit their current password policies and understand what constitutes a truly enterprise-grade credential.

Incident Response: What to Do If You Suspect SRG Activity

If your organisation suspects it has been targeted by Silent Ransom Group - whether through suspicious phone calls, phishing emails, or an unknown person claiming to be IT support on site - take these steps immediately:

  1. Do not engage. Do not call back numbers provided in suspicious emails. Do not grant remote access to anyone who contacts you unsolicited.
  2. Verify through official channels. Call your IT department using the number you know, not the one provided in the email or call.
  3. Report to the FBI. File a report with IC3 at ic3.gov. The FBI specifically requested that organisations contacted by SRG report the incident, including any phone numbers, email addresses, and IP addresses used by the attackers.
  4. Isolate affected systems. If a USB drive was connected or remote access was granted, disconnect the affected computer from the network immediately.
  5. Rotate all credentials. Change passwords for any accounts that may have been accessed, and revoke any active sessions or API tokens.
  6. Preserve evidence. Do not wipe or reformat affected systems until law enforcement has had an opportunity to collect forensic evidence.
  7. Contact your cyber insurance provider. Most cyber insurance policies include incident response services that can provide immediate assistance.

Organisations should also ensure that all critical accounts are protected by strong, unique passwords. Use the TitanPasswords FIPS-compliant password generator to create enterprise-grade credentials for administrator accounts, VPN access, and cloud service consoles - exactly the type of high-value targets that SRG seeks to compromise through its multi-stage attack chain.

FAQs: Silent Ransom Group In-Person Data Theft Attacks

What is the Silent Ransom Group (SRG)?

Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, is an extortion gang active since at least 2022. Originally part of the Conti ransomware syndicate, the group splintered off in March 2022 and now specialises in data theft and extortion through callback phishing campaigns. As of Spring 2026, the FBI has confirmed that SRG operatives are now conducting in-person data theft attacks at victim locations.

How does SRG's callback phishing tactic work?

SRG sends a phishing email about a fake subscription renewal or service charge, urging the recipient to call a provided number. When the victim calls, the attacker - posing as customer support or IT helpdesk staff - guides them through installing remote access software, granting the attackers direct access to the corporate network.

How does the FBI say SRG is now stealing data in person?

According to the FBI's May 2026 flash alert, if remote access attempts fail, SRG sends a physical operative to the victim's office location. The operative poses as an IT technician and attempts to connect a USB drive or external hard drive to company computers to steal sensitive data directly.

Which organisations are most at risk from SRG attacks?

U.S.-based law firms are the primary targets as of Spring 2026, though the group has historically targeted financial services organisations as well. Firms that are smaller or have outsourced IT management are at elevated risk because their physical security and visitor management practices may be less rigorous than those of larger enterprises.

What should my organisation do if we receive a suspicious IT support call?

Do not grant remote access. Hang up and call your IT department using the phone number you have on file - not a number provided in the call or email. Report the incident to the FBI's IC3 at ic3.gov. Train all staff to follow this protocol as part of regular security awareness training.

How can password managers help prevent these attacks?

Enterprise password managers prevent credential reuse and ensure that every account has a unique, complex password. In the event that credentials are stolen through social engineering or a USB drive drop, the stolen credentials are useless for accessing other accounts. Password managers with phishing-resistant autofill also prevent employees from entering credentials into typosquatted domains, a tactic SRG is known to use.

What is the FBI's guidance on paying the ransom?

The FBI advises against paying ransoms, stating that paying does not guarantee data recovery and encourages further criminal activity. Organisations should focus on prevention - strong passwords, physical access controls, and security awareness training - rather than planning for ransom payment as a recovery strategy.

Bottom Line: Physical and Digital Security Are No Longer Separate

The FBI's flash alert about Silent Ransom Group deploying in-person operatives to steal data via USB drives represents a watershed moment for enterprise security. The traditional separation between cybersecurity and physical security - between IT teams who manage passwords and facilities teams who manage visitor access - is no longer viable. Attackers are willing to walk through the front door.

For law firms and financial organisations, the path forward requires:

Use the TitanPasswords password generator to create FIPS-compliant, enterprise-strength passwords for every critical account. Your credentials are the keys to your organisation's data - and with attackers now willing to travel to steal them, your defences must be stronger than ever.

Generate a Free Strong Password →

⚡ Try NordPassNordPass Standard LP 2026 and experience enterprise-grade password security at an affordable price. Features include zero-knowledge encryption, cross-platform sync, and breach monitoring.

class="related" style="margin-top:48px;padding-top:32px;border-top:1px solid var(--s2)">

Related Articles

More Password Security Tools

🔑 SecureKeyGen🛡️ Best Password Generator🔐 Free Strong Password⚡ Instant Password🗝️ Iron Vault Keys🔑 Random Pwd Tool👨‍👩‍👧‍👦 Safe Pass Builder🛡️ Trusty Password⚙️ StrongPassFactory🔑 SecureKeyGen.org📚 TrustyPassword.org
We use cookies to improve your experience. Learn more