Skip to main content
Emerging ThreatsMalware & Ransomware

Silent Ransom Group Escalates Tactics with In-Person IT Impersonation

Person in fake IT uniform stands near reception desk in corporate office.

Since 2023, US-based law firms have been repeatedly targeted by the Silent Ransom Group (SRG), the FBI says — a threat actor now moving from remote trickery to direct, in-person impersonation of IT staff to gain access to corporate systems.

Who Silent Ransom Group is and who it hits

The FBI describes Silent Ransom Group (SRG), also tracked under the names Luna Moth, Chatty Spider and UNC3753, as a persistent adversary that has "consistently targeted US-based law firms since 2023." The Bureau also notes victims in insurance, finance and healthcare. SRG’s activity has evolved over time, and the agency warned that the group’s newer techniques were observed as of spring 2026.

How the social-engineering playbook has changed

Historically, SRG used phishing messages that purportedly charged small "subscription fees" to trick recipients into calling a provided number. Victims who called were then sent a link that led them to download remote access software — a tactic previously documented by Palo Alto Networks Unit 42 in 2022 as "callback and telephone-oriented attack delivery (TOAD)." Unit 42 reported that the campaign had already cost victims hundreds of thousands of dollars.

The FBI says SRG has escalated. Actors now impersonate the victim organization’s IT staff, contacting employees directly via phone or phishing email and urging them to call what appears to be internal support. On the call, employees are instructed to grant a remote desktop session. If that remote route fails, SRG will send an actor to the victim’s physical site to insert a storage device into a company computer, claiming it is needed to image the device or create a backup to remediate the phishing incident.

What SRG does once it has access

After gaining access, SRG actors deliberately perform minimal privilege escalation and then quickly pivot to extracting data rather than encrypting systems. For exfiltration they rely on legitimate or common tools — the FBI points to Windows Secure Copy (WinSCP) and hidden or renamed versions of "Rclone" — and they also move data to internal filesharing platforms such as Google Drive or Microsoft OneDrive. When access is obtained in-person, exfiltration may occur to an external hard drive or USB device.

Why conventional defenses can miss these intrusions

The FBI cautions that traditional antivirus products are unlikely to flag SRG intrusions because the group uses legitimate system management and remote access tools to carry out their activity. The social-engineering element — convincing employees to accept remote sessions or to permit physical insertion of storage media — bypasses purely technical controls and leverages human trust in supposed IT personnel.

What this means for law firms, IT/security teams, and employees

  • Law firms and affected enterprises: Verify credentials for any individual accessing company spaces and obtain copies of visitor ID cards; limit access to sensitive data from less secure networks; and develop clear, communicated policies on how IT support will authenticate and contact staff.
  • IT and security teams: Require phishing-resistant multi-factor authentication (MFA) for as many services as possible; consider blocking access to port 22 where feasible; and, where possible, disable remote access and external drive installation permissions on machines that handle sensitive or confidential data.
  • Employees and on-site staff: Be trained to resist and report phishing attempts, to request verification before granting remote sessions, and to follow procedures that prevent in-person actors from inserting or connecting unvetted storage devices.

The FBI’s guidance centers on strengthening basic cyber hygiene — robust passwords, MFA, up-to-date antivirus tools — alongside operational steps that directly address SRG’s techniques: verifying on-site visitors, constraining network and device permissions, and formalizing how IT staff will authenticate themselves to employees. These are practical measures tailored to a group that now blends remote social engineering with physical presence.

Silent Ransom Group’s shift from telephone callback scams to in-person IT impersonation exposes a familiar truth: when attackers exploit human trust and legitimate tools, the line between cyber and physical security blurs. The FBI’s checklist offers concrete fixes; whether affected organizations will implement them consistently across offices and networks remains the pressing question.

Original reporting: https://www.infosecurity-magazine.com/news/silent-ransom-group-it/