"SRG consistently targets US law firms 'likely due to the highly sensitive nature of legal industry data,'" the FBI warned in its latest advisory — issued almost exactly a year after its previous notice and prompted by fresh incidents reported in Spring 2026.
Silent Ransom Group: what the FBI says and why law firms are singled out
The FBI traces Silent Ransom Group (SRG) back to 2022 and says the crew has narrowed its focus toward the legal sector since 2023. SRG is not known for deploying ransomware, the advisory notes; instead the group operates a data leak site (DLS), lists victims there and charges to return stolen information, threatening to publish data if victims refuse to pay.
Callback phishing and the remote-access playbook
The core SRG technique is a classic callback phishing scheme. Attackers send SMS messages or emails that ask employees to call a number while posing as real IT staff. On the call, the impostor seeks remote desktop access and then elevates privileges to steal files. The FBI says SRG operators sometimes run WinSCP or a disguised Rclone to copy data, and in other cases they transfer stolen documents to internal file-sharing platforms such as Google Drive or Microsoft OneDrive.
The advisory also recounts an earlier SRG ruse: emails claiming a fake subscription would charge small monthly sums, with a phone number to "cancel" — a lure that led victims to install remote‑access software and enabled the same data‑exfiltration sequence.
When social engineering fails: physical intrusions and USB thefts
When callback phishing does not succeed, SRG has escalated to in-person operations, the FBI said. Members have physically entered law firm offices, continuing the impersonation of company IT staff and claiming they need to image a device or create a backup to assess damage from the phishing email. What they actually do, the advisory says, is copy important files onto thumb drives that SRG later uses for extortion.
The FBI did not quantify how many of these in-person callouts have occurred, but described the tactic as recent and significant enough to include in its Spring 2026 advisory. As a practical matter, the bulletin singled out a simple control: preventing outsiders or employees from connecting external drives to company‑issued machines.
Recent alleged victims and public reporting
SRG has listed recent alleged victims on its DLS; the advisory cites one high-profile example. SRG listed the law firm Jones Day, and Jones Day confirmed a "cyber phishing incident" in April but did not name SRG as the actor. The advisory places that disclosure in the context of SRG's ongoing focus on legal firms.
What this means for law firms, security teams, and the public
- Law firms: the FBI recommends forbidding connection of external drives to company devices that contain confidential material and verifying the credentials of anyone who comes into an office claiming to be IT.
- Technologists and security teams: the advisory urges limiting access to sensitive data from less‑secure networks, requiring phishing‑resistant multifactor authentication for as many services as possible, blocking port 22 to prevent encrypted remote access, and investing in robust staff training so employees know not to allow outsiders to plug hardware into workstations.
- The public and potential witnesses: the FBI asked the public to forward any evidence of SRG activity to assist investigations — useful items include phone numbers used by the crooks, call transcripts and phishing emails, cryptocurrency wallet information, and identifying information for individuals who enter office buildings.
The FBI's advisory sketches a blunt choice for vulnerable organizations: harden digital controls and physical access policies, or face a repeat of a simple — but effective — con that now alternates between remote deception and hands‑on theft. The bureau has asked for community assistance; whether law firms tighten USB policies and credential checks may determine how often SRG can turn a failed call into an on‑site data grab.




