Skip to main content
Emerging ThreatsMalware & Ransomware

FBI Warns of In-Person Data Theft Attacks by Extortion Gang

Person in business casual clothes approaches a cubicle, blending in with office surroundings.

"As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department," the FBI warned, laying out a pattern that combines phishing, phone-based deception, remote-access sessions — and now, physical presence at victim sites.

Silent Ransom Group's evolving playbook

The FBI's flash alert paints SRG — also known as Luna Moth, Chatty Spider, and UNC3753 — as a group that has adapted its extortion methods since emerging at least as early as 2022. According to the bulletin, SRG actors initiate contact through phone calls or phishing emails that urge employees to call back a number controlled by the attackers or to follow a link to engage with "IT support." That engagement is used to establish access via legitimate remote access tools; when that fails, SRG sends an individual to the victim's physical location to gain direct access to endpoint machines.

In-person theft: USBs and external hard drives as tools of extortion

The critical change flagged by the FBI is the addition of in-person data theft to SRG's toolkit. Once at a site, the malicious actor will insert a storage device — a USB drive or an external hard drive — into the victim's computer to copy data. The stolen material is then leveraged in extortion: SRG sends ransom emails threatening to sell or post the material on a leak site, and the group will also place calls to the victim's employees or clients to intensify pressure to begin ransom negotiations.

Indicators the FBI identified

  • Unauthorized installation of external hard drives or USB drives on company computers;
  • Presence of unidentified or unauthorized individuals claiming to be IT support and attempting to access computers;
  • Phone calls and phishing emails that pose as IT support to establish access, often followed by use of legitimate remote access tools or an in-person visit.

The FBI emphasized that the combination of remote-access social engineering and physical insertion of storage devices is a distinguishing aspect of recent SRG activity.

Roots and reported connections: from Conti to SRG

Media and reporting cited by the FBI link SRG to a broader history of criminal operations. The group was associated with BazarCall campaigns that provided initial access connected to Conti and Ryuk ransomware attacks, according to BleepingComputer. After the March 2022 Conti shutdown, the actors separated from that syndicate and formed the Silent Ransom Group, focusing on data theft and extortion following targeted phishing attacks. Since early 2023, the FBI says SRG has specifically targeted legal and financial organizations in the United States.

What this means for law firms, security teams, and clients

  • Law firms: Firms are the stated targets in the FBI's notice. The alerts underscore a dual threat — remote social-engineering plus physical access — and highlight the value attackers place on client and case data when crafting extortion demands.
  • Security teams and IT departments: The FBI's indicators center on unauthorized storage devices and impersonation of IT support. Security teams will need to track calls, phishing patterns, and any anomalous use of remote-access tools that precede a physical visit.
  • Clients of targeted firms: The FBI notes SRG will call victims' employees or clients as part of pressure tactics. Those contacted could face attempts to accelerate ransom negotiations or to confirm sensitive details for extortion leverage.

Independent reporting cited by the FBI adds another tactic: a May 2025 EclecticIQ report found the attackers register domains to impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns. The FBI's flash alert follows a May 2025 private industry notification that SRG had been conducting callback phishing and social engineering against U.S. law firms for more than two years.

The FBI's notice is concise but consequential: it documents not only a sustained focus on legal and financial targets but also an escalation in methods to include hands-on, physical exfiltration. Whether that shift drives procedural changes at targeted firms — tighter vetting of on-site visitors, revised callback procedures, or changes in how remote-access requests are handled — is the immediate operational question left by the bulletin.

Source: BleepingComputer — FBI warns of Silent Ransom Group in-person data theft attacks