The infamous extortion gang Silent Ransom Group (SRG) has been impersonating IT support in a fresh campaign targeting law firms, the FBI warns.
Active since at least 2022, SRG has been targeting law firms in the US since at least 2023, mainly through callback phishing emails and social engineering calls, claiming to aid victims in canceling subscription fees.
In a May 2025 alert, the FBI warned of SRG’s phishing emails containing links to remote access software that allowed the attackers to quickly exfiltrate data from the victims’ systems.
In attacks observed this year, the threat actor has updated its tactics, now posing as an employee from the victim’s IT department.
“SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support,” the Bureau says in a new alert (PDF).
During the call, the attackers direct the victim organizations’ employees to grant access to their machines through remote desktop sessions.
If the attempt fails, however, they send an individual posing as IT support in person to insert a device into the computer.
“In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email,” the FBI explains.
After gaining access to the machine, the attackers escalate their privileges and immediately proceed to exfiltrating data, without deploying file-encrypting ransomware.
For data exfiltration, SRG uses WinSCP (Windows Secure Copy) or a version of Rclone. In some instances, they copy the data to internal file-sharing platforms, including Google Drive and Microsoft OneDrive.
“By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI notes.
The group then extorts the victim, threatening to sell or publish the stolen data online. The threat actor also contacts the victims’ employees and clients to increase the pressure.
“Recent SRG campaigns left few artifacts on compromised machines. Traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack,” the FBI’s alert reads.
To prevent SRG attacks, organizations are advised to verify the credentials of all individuals with access to company assets, limit access to sensitive data, train employees to identify phishing attempts, and establish clear policies for IT support communication and authentication.
Backing up all company data, implementing phishing-resistant multi-factor authentication (MFA), blocking access to commonly exploited ports, and disabling remote access and permissions for external drive installation should also prevent intrusions and the loss of sensitive and confidential data.
This development highlights the increasing sophistication of cybercriminal groups that are willing to blend digital and physical attack vectors. The Silent Ransom Group (SRG) first emerged in 2022 and quickly gained notoriety for its targeted extortion campaigns. Unlike many ransomware groups that focus on encrypting data, SRG prioritizes data theft and extortion without encryption, making detection difficult. Its primary targets have been law firms, which hold highly sensitive client information, making them lucrative victims. The use of in-person operatives adds a dangerous new dimension to social engineering. These operatives may be recruited locally or through criminal networks, and they impersonate legitimate IT personnel to gain physical access. The FBI’s alert emphasizes that organizations must not only secure their digital perimeters but also implement strict physical security protocols for anyone claiming to be from IT support. This includes verifying credentials through official channels, requiring two-factor authentication for physical access, and maintaining a culture of skepticism among employees.
Further background on the Silent Ransom Group indicates that they have previously used callback phishing campaigns, where victims receive emails about subscription renewals or fraudulent charges and are instructed to call a phone number. The call is answered by a threat actor who convinces the victim to install remote access software. This technique has been effective against law firms that may not have robust cybersecurity training. The new tactic of sending someone in person when remote attempts fail shows the group’s persistence and willingness to invest resources. It also increases the risk of physical confrontation or discovery. The FBI’s alert recommends that law firms and other organizations reconsider their visitor management policies, especially for IT-related visits. They should require pre-scheduled appointments and verify the identity of any technician before granting access to sensitive areas. Additionally, network segmentation could limit the damage if a device is compromised via USB.
The use of legitimate tools like WinSCP and Rclone for data exfiltration is a common technique among advanced threat actors, as it blends in with normal network traffic and often evades detection. The fact that SRG leaves few artifacts further complicates forensic investigations. Security teams are advised to monitor for unusual usage of these tools, especially if initiated by non-IT personnel. The FBI also notes that the group does not deploy ransomware in many cases, which may lead some organizations to underestimate the severity of the breach. However, the threat of data publication and the pressure on employees and clients can be just as damaging as a ransomware attack. The extortion letters often include samples of stolen data and threats to leak it publicly unless a ransom is paid. This double extortion tactic is common among modern cybercriminal groups.
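Because SRG relies on legitimate transfer tools and leaves few artifacts, the practical detection signal is context: who launched WinSCP or Rclone, where it connected, and whether an external disk appeared on the machine around the same time. The following triage helper is an added example written for this article, not code from the FBI alert or from SecurityWeek. It assumes endpoint telemetry has already been flattened into dicts shaped like Sysmon Event ID 1 (process creation), Sysmon Event ID 3 (network connection) and Windows Security Event ID 6416 (new external device recognized); the account names, the IT allow-list, the cloud hostnames and every sample event are constructed for illustration.

```python
"""
Triage helper for SRG-style exfiltration with legitimate tools.

Added example, not from the FBI alert or SecurityWeek. Event dicts mimic
Sysmon EID 1 / EID 3 and Windows Security EID 6416 after flattening by a
log pipeline; field names are an assumption of this example.
"""
from dataclasses import dataclass
from typing import Iterable

# Hypothetical allow-list: accounts permitted to run admin transfer tools.
IT_ACCOUNTS = {"CORP\\svc-backup", "CORP\\it.admin"}

# Tools the alert names for exfiltration; matched on the image basename.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# File-sharing endpoints the alert says SRG copies data to (example hosts).
CLOUD_SYNC_HOSTS = {"drive.google.com", "onedrive.live.com", "graph.microsoft.com"}

# Device classes in EID 6416 that indicate mass storage (assumption of this example).
STORAGE_CLASSES = {"DiskDrive", "WPD"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[dict]) -> list[Alert]:
    """Return one Alert per event matching an SRG-relevant rule.

    Rules (defender's view of the tradecraft the FBI describes):
      1. WinSCP/Rclone started by an account outside the IT allow-list.
      2. WinSCP/Rclone connecting to a consumer file-sharing service.
      3. A removable storage device recognized on a workstation.
    """
    alerts: list[Alert] = []
    for ev in events:
        user = ev.get("user", "")
        eid = ev.get("event_id")
        image = _basename(ev.get("image", ""))

        if eid == 1 and image in EXFIL_TOOLS and user not in IT_ACCOUNTS:
            alerts.append(Alert("exfil-tool-by-non-it", user,
                                f"{image}: {ev.get('command_line', '')}"))
        elif eid == 3 and image in EXFIL_TOOLS \
                and ev.get("dest_host", "").lower() in CLOUD_SYNC_HOSTS:
            alerts.append(Alert("exfil-tool-to-cloud-share", user,
                                f"{image} -> {ev['dest_host']}"))
        elif eid == 6416 and ev.get("class_name") in STORAGE_CLASSES:
            alerts.append(Alert("external-storage-attached", user,
                                ev.get("device_desc", "unknown device")))
    return alerts


def alerts_by_user(alerts: Iterable[Alert]) -> dict[str, int]:
    """Count alerts per account so a single user hitting several rules stands out."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


# Constructed sample telemetry: one workstation, one non-IT user, one admin.
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "CORP\\j.doe",
     "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\rclone.exe",
     "command_line": "rclone.exe copy D:\\Clients gdrive:backup"},
    {"event_id": 1, "user": "CORP\\it.admin",
     "image": "C:\\Program Files\\WinSCP\\WinSCP.exe",
     "command_line": "WinSCP.exe /console"},
    {"event_id": 3, "user": "CORP\\j.doe",
     "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\rclone.exe",
     "dest_host": "drive.google.com"},
    {"event_id": 6416, "user": "CORP\\j.doe",
     "class_name": "DiskDrive", "device_desc": "Generic USB Flash Disk USB Device"},
    {"event_id": 1, "user": "CORP\\j.doe",
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"},
    {"event_id": 3, "user": "CORP\\j.doe",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "drive.google.com"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.user}: {a.detail}")
    print(alerts_by_user(found))
```

Run against the constructed sample, the helper raises three alerts, all for the same non-IT account: a Rclone launch from a temp directory, that Rclone process connecting to Google Drive, and a USB disk being recognized. The admin's WinSCP launch and the browser's connection to Google Drive are left alone, which is the point of keying on account context and process identity rather than on the tool or the destination alone. Event ID 6416 only appears if "Audit PNP Activity" is enabled in the advanced audit policy, so the third rule is silent on hosts where that subcategory is off.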
Industry experts have commented on the significance of this advisory. Physical social engineering attacks are rare but highly effective when executed. They require the attacker to have some knowledge of the target’s infrastructure and personnel. The fact that SRG is willing to send operatives in person indicates they have a sophisticated operation and possibly a network of individuals on the ground. This could be a sign that cybercriminals are increasingly adopting hybrid attacks that combine cyber and physical elements. Organizations must adapt their security strategies accordingly. The FBI’s recommendations are comprehensive, but they emphasize that employee training is the first line of defense. If an employee is suspicious of an unsolicited IT visit, they can prevent the attack before it starts. Additionally, implementing strict access controls such as allowing only authorized external drives and disabling autorun features can mitigate the risk of USB-borne malware.
It is also worth noting that the FBI’s alert comes as part of a broader effort to raise awareness about the evolving tactics of ransomware groups. Law firms have been particularly targeted because they often hold large amounts of confidential data that can be used for extortion or sold on dark web markets. The financial sector and healthcare organizations are also frequent targets. The in-person approach adds a layer of risk for the attackers, but they may calculate that the potential payoff outweighs the risk of capture. Therefore, law enforcement agencies are likely increasing their focus on tracking down these operatives and the infrastructure behind SRG.
In light of these threats, organizations are encouraged to conduct regular security audits and penetration testing that includes physical social engineering scenarios. Red team exercises can help identify vulnerabilities in both digital and physical access controls. Collaboration with law enforcement and sharing of threat intelligence can also aid in disrupting groups like SRG. The FBI’s detailed breakdown of SRG’s tactics, techniques, and procedures provides valuable insights for defenders. By understanding how these attackers operate, security teams can better prepare and respond. The key takeaway is that cyber threats are no longer confined to the digital realm; physical intrusion is a growing vector that demands equal attention. As the line between cyber and physical security blurs, a unified approach is essential to protect sensitive information from determined adversaries like the Silent Ransom Group.
Source: SecurityWeek News