
security · ransomware · social-engineering

FBI Warns: Silent Ransom Group Now Sending Operatives In Person to Steal Data from Law Firms

Source: BleepingComputer

The Silent Ransom Group (SRG), a Russia-linked extortion gang that has targeted U.S. law firms since 2023, has moved beyond digital channels. The FBI issued a FLASH alert on May 26, 2026 warning that when remote social engineering attempts fail, SRG now sends a physical operative to the target’s office to gain hands-on access to systems. The operative plugs in a USB storage device and exfiltrates data directly.

How the attack chain works

The campaign begins with a phone call or phishing email. An SRG operative contacts a firm’s employees while impersonating the firm’s own internal IT department, directing the employee to open a remote desktop session framed as urgent maintenance, a security scan, or follow-up from a phishing awareness exercise.

When the remote route fails – when an employee is suspicious, hangs up, or simply does not cooperate – SRG does not abandon the target. It sends a person. The FBI’s alert states directly: “If that attempt fails, SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer.”

That escalation from remote to physical is what makes SRG operationally unusual. Most financially motivated threat actors rely entirely on digital channels. Physical entry requires resources, planning, and a willingness to expose operatives to real-world risk, which signals both the group’s confidence and the high value it places on law firm data.

Scale and targets

More than 38 firms have already had data published on SRG’s public leak site, and researchers tracking the group put the total attack count above 100, with activity accelerating sharply in early 2026. In January 2026, Orrick, Herrington & Sutcliffe had client data posted publicly after declining the ransom demand. Jones Day and Wood Smith Henning & Berman faced comparable exposure in Q1 of this year.

Law firms are a high-value target for extortion groups. They hold sensitive client communications, litigation strategy documents, confidential merger and acquisition details, personal injury settlements, and often financial data from multiple industries. A single breach can affect dozens of the firm’s clients simultaneously, which creates leverage well beyond what most corporate targets can offer.

What the FBI says to watch for

The FBI alert identifies a short list of indicators that should be treated as high-priority warnings regardless of how plausible the explanation offered seems:

  • Unidentified individuals on premises claiming to be IT support, particularly those who arrived without an appointment or prior communication through verified internal channels
  • Unauthorized USB drives or external storage devices connected to company computers
  • Unexpected remote desktop session requests from someone claiming to be the internal helpdesk
  • Phishing emails referencing subscription charges with instructions to call a support number

The social engineering component is specifically designed to exploit the trust employees extend to their own IT teams. The request sounds internal and routine. Employees who follow standard instructions not to let strangers into server rooms are not necessarily trained to resist a phone call that uses internal terminology, references the right manager’s name, and frames the request as time-sensitive.

The broader lesson for professional services firms

Law firms are not alone in holding the kind of privileged, multi-party data that makes them valuable extortion targets. Accountancy practices, consulting firms, HR advisories, and any professional services business that handles confidential client matters face the same risk profile.

Physical social engineering is not new, but combining it with a data-extortion model rather than a traditional ransomware deployment changes the calculus. There is no encrypted file prompt that alerts staff something went wrong. The data leaves quietly on a USB device, and the firm may not know until the leak site post appears.

Mitigating this class of attack requires layering physical and digital controls together: visitor management procedures that verify identity through a second channel before granting any access, strict policies on external device connections, endpoint controls that block unauthorised USB storage, and staff training that explicitly covers IT impersonation attempts both by phone and in person.
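The two digital indicators in the FBI's list (unauthorised USB storage and unexpected remote desktop sessions) and the endpoint-control side of the mitigations above can be checked from Windows Security log telemetry. The script below is an added example written for this page; it is not code from BleepingComputer, the FBI alert, or Excello Digital. It uses two real Windows event IDs, 6416 (a new external device was recognised by the system, from PnP auditing) and 4624 with LogonType 10 (a RemoteInteractive, i.e. RDP, logon), but the allow-listed drive prefix, the helpdesk account, the helpdesk network range, the maintenance window, and every sample event are constructed assumptions standing in for a firm's own policy and logs.

```python
"""Flag SRG-style indicators in Windows Security log records.

Rules (both are defender-side checks on logs already collected):
  1. Event 6416 for a storage-class device whose instance path is not a
     firm-issued drive -> alert (unauthorised removable storage).
  2. Event 4624 LogonType 10 (RDP) that is not a helpdesk account, from the
     helpdesk network, inside the maintenance window -> alert (unexpected
     remote desktop session).
All policy values below are hypothetical placeholders, not real firm data.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Hypothetical policy: bus\vendor&product part of drives the firm issued.
APPROVED_STORAGE_PREFIXES = {"USBSTOR\\DISK&VEN_FIRMCORP&PROD_ENCRYPTED_DRIVE&REV_1.00"}
HELPDESK_ACCOUNTS = {"svc-helpdesk"}                       # hypothetical
HELPDESK_NETWORK = ipaddress.ip_network("10.10.5.0/24")    # hypothetical
MAINTENANCE_WINDOW = (time(18, 0), time(22, 0))            # hypothetical
STORAGE_CLASSES = {"DiskDrive", "WPD"}  # removable disks and portable devices
RDP_LOGON_TYPE = 10                     # RemoteInteractive


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    reason: str


def storage_key(device_id: str) -> str:
    """Reduce USBSTOR\\DISK&VEN_X&PROD_Y&REV_Z\\SERIAL to its first two path
    segments; the serial differs per unit, the vendor/product part does not."""
    parts = device_id.upper().split("\\")
    return "\\".join(parts[:2])


def check_device(ev: dict) -> Optional[Alert]:
    """Rule 1: storage-class PnP device not on the allow-list."""
    if ev.get("EventID") != 6416 or ev.get("ClassName") not in STORAGE_CLASSES:
        return None
    if storage_key(ev["DeviceId"]) in APPROVED_STORAGE_PREFIXES:
        return None
    return Alert(ev["TimeCreated"], ev["Computer"],
                 "unapproved removable storage connected: " + ev["DeviceId"])


def check_rdp(ev: dict) -> Optional[Alert]:
    """Rule 2: RDP logon that does not look like scheduled helpdesk work."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
        return None
    when = datetime.fromisoformat(ev["TimeCreated"])
    in_window = MAINTENANCE_WINDOW[0] <= when.time() <= MAINTENANCE_WINDOW[1]
    from_helpdesk = (ev["TargetUserName"] in HELPDESK_ACCOUNTS
                     and ipaddress.ip_address(ev["IpAddress"]) in HELPDESK_NETWORK)
    if in_window and from_helpdesk:
        return None
    problems = []
    if not in_window:
        problems.append("outside maintenance window")
    if not from_helpdesk:
        problems.append("not a helpdesk account on the helpdesk network")
    return Alert(ev["TimeCreated"], ev["Computer"],
                 "remote desktop session by %s from %s: %s"
                 % (ev["TargetUserName"], ev["IpAddress"], "; ".join(problems)))


def scan(events: List[dict]) -> List[Alert]:
    """Run both rules over a batch of event records and collect alerts."""
    alerts = []
    for ev in events:
        for rule in (check_device, check_rdp):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events in the shape of exported Security log records.
SAMPLE_EVENTS = [
    {"EventID": 6416, "TimeCreated": "2026-05-27T10:14:03", "Computer": "WS-PARALEGAL-07",
     "ClassName": "DiskDrive",
     "DeviceId": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\\0123456789&0"},
    {"EventID": 6416, "TimeCreated": "2026-05-27T10:20:11", "Computer": "WS-PARTNER-02",
     "ClassName": "DiskDrive",
     "DeviceId": "USBSTOR\\Disk&Ven_FirmCorp&Prod_Encrypted_Drive&Rev_1.00\\A1B2C3D4&0"},
    {"EventID": 6416, "TimeCreated": "2026-05-27T10:31:40", "Computer": "WS-PARTNER-02",
     "ClassName": "HIDClass", "DeviceId": "USB\\VID_046D&PID_C52B\\6&1A2B3C4D&0&2"},
    {"EventID": 4624, "TimeCreated": "2026-05-27T11:02:45", "Computer": "WS-ASSOCIATE-14",
     "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "TimeCreated": "2026-05-27T19:30:00", "Computer": "WS-ASSOCIATE-14",
     "TargetUserName": "svc-helpdesk", "LogonType": 10, "IpAddress": "10.10.5.20"},
    {"EventID": 4624, "TimeCreated": "2026-05-27T09:00:00", "Computer": "WS-ASSOCIATE-14",
     "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "127.0.0.1"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.timestamp, a.host, a.reason)
```

Event 6416 only appears when "Audit PnP Activity" is enabled in the advanced audit policy, so the first rule depends on that setting being on across workstations; the second rule is only as good as the maintenance window and helpdesk network it is given, which is why the page's second-channel verification of any "urgent maintenance" request still matters for sessions that would pass it.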

If you want help reviewing your firm’s security posture against social engineering and physical access risks, contact Excello Digital. We work with professional services organisations to identify gaps before an extortion group does.
