“Silent Ransom Group has claimed responsibility for more than 100 attacks,” a recent advisory noted — a scale that, combined with an uncommon operational twist, has prompted a fresh FBI alert to U.S.-based law firms.
Silent Ransom Group: scope, lineage, and recent surge
The FBI says Silent Ransom Group, a closed data-extortion operation that likely operates from Russia and emerged in 2022 after Conti disbanded, continues to focus on U.S.-based law firms. Researchers report the group has claimed responsibility for more than 100 attacks and that activity has surged in recent months. The FBI’s new warning arrives exactly one year after a prior agency alert that described consistent targeting of law firms since mid-2023.
Tactics: social engineering plus in-person physical access
Unlike most ransomware and extortion operations, Silent Ransom Group does not deploy encryption as its primary action. Instead, the group relies on social engineering — phone calls and phishing emails that urge employees to call an associate posing as IT support — and, when remote access attempts fail, it will send an associate to a victim’s workplace to physically attach a storage device to a workstation to steal data, the FBI said. Multiple experts described that combination of voice-based deception and in-person visits as extremely rare in the cybercrime ecosystem.
Why law firms are being singled out
Researchers and industry analysts say law firms present particular value to data extortion operations. Halcyon tracked 134 ransomware incidents against law firms and legal services during the first quarter of this year, making that sector the fourth-most targeted industry and accounting for more than 6% of the ransomware incidents Halcyon tracked in that period. Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center, said Silent Ransom Group and another operation, Inc, are largely responsible for that uptick.
“Silent was the first group to really just be targeting law firms, and they’ve targeted major law firms” with a clear understanding of what’s most problematic for organizations in that segment, Kaiser said. She added that “the theft of data in and of itself is the biggest issue for the law firms, so they’re tailoring a lot of their operations around what they know about the sector.” The concern for law firms is the combination of privileged information and reputational exposure that data theft creates, making such organizations attractive targets for high-value extortion.
What researchers and analysts are saying about the in-person element
Experts told CyberScoop the in-person visit element is distinctive and risky for the attackers. “There were probably a lot of times that this failed before it started succeeding because there’s a lot of trial-and-error involved,” Allan Liska, field chief information security officer at Recorded Future, said, adding that Silent Ransom Group is “willing to put the extra effort into” law-firm targets.
Ian Gray, vice president of cyber threat intelligence operations at Flashpoint, noted that while Flashpoint has observed threat actors co-opting insiders, “we have not observed them physically sending attackers to victim locations. This tactic carries significant risk, as threat actors are able to use technology to obscure their real-world identities.”
Joe Slowik, director of cybersecurity alerting strategy at Dataminr, framed the human side of the problem: “Humans in the workplace need to implicitly trust others to get their jobs done,” he said. “Criminal entities will continue to prey on human weaknesses and dependencies for success, and placing the burden solely on employees to defend against this is unfair and unreasonable.”
Operational questions and the role of intermediaries
The FBI did not provide details about the people who place the fake IT support calls or who make in-person visits. With the group’s operators likely based in Russia, researchers speculate that gig workers or subcontractors play a critical role: placing voice-based phishing calls in a common language and visiting victims at their workplace. Liska said he is “under the impression the group is using freelance taskers that don’t necessarily know they are committing a crime,” likening them to paid delivery workers who may suspect wrongdoing but accept the work for payment.
Law firms, security teams, and investigators: where attention is likely to go next
- Law firms and legal services: Expect to confront heightened reputational and privilege risks from data theft rather than encrypted systems; incidents tracked by Halcyon show the sector already among the more-targeted in recent months.
- Security teams and technologists: The blended tactic — voice-based phishing that escalates to an in-person attachment of storage media — changes the defensive calculus, shifting some focus to physical access controls, visitor verification, and processes for remote-support requests.
- Investigators and IT policy officers: The lack of public detail about who makes the calls or the visits will likely leave law-enforcement and corporate investigators looking for new evidence chains linking remote operators to local intermediaries and taskers.
Silent Ransom Group’s mix of old-school social engineering and the unusual step of physically retrieving data has created a measurable impact on the legal sector and drawn renewed attention from the FBI. Whether the operation’s recent surge signals a durable shift in extortion tradecraft or a period of opportunistic experimentation will be a central question for both defenders and investigators as they work to protect sensitive client information.




