The threat group known as Silent Ransom Group (SRG) is increasingly relying on a combination of digital social engineering and physical facility access to carry out unauthorized data exfiltration. Recent intelligence indicates the group is impersonating internal IT personnel to gain access to law firms and other organizations.
According to a warning published by the FBI's Internet Crime Complaint Center (IC3), SRG has maintained a focus on law firms since spring 2023. Operating since 2022, the group has also affected organizations in the insurance, finance, and healthcare sectors.
SRG, tracked by the security community under aliases including Luna Moth, Chatty Spider, and UNC3753, relies heavily on behavioral manipulation. The FBI advisory details that SRG operators pose as IT support staff via phone calls and phishing emails. Their objective is to establish access to corporate computers and exfiltrate data, typically by guiding personnel to install legitimate remote access tools. When remote methods are unsuccessful, the group has escalated to sending individuals in person to the organization's location to gain physical access to workstations.
The legal sector's exposure to these methods is notable. Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center, observes that the legal industry was the fourth most frequently affected sector by extortion groups in the first months of 2026. She notes that law firms manage highly sensitive client information and face regulatory pressure to resolve security incidents quickly, making them highly motivated to protect attorney-client privilege and confidential case materials.
SRG operates on a pure data extortion model. Rather than deploying encryption software to lock systems (the traditional definition of ransomware), the group focuses exclusively on data exfiltration. The operators pressure affected organizations by threatening to expose sensitive data on public leak sites or transfer it to other unauthorized parties.
Historically, the group initiated contact by sending phishing emails regarding fake subscription renewals. When personnel called the provided customer service number to cancel the non-existent charge, English-speaking operators would instruct them to download remote access software. By relying on legitimate administrative tools, the group bypassed the need for complex vulnerability exploitation.
Evolution of social engineering tactics
Recent FBI observations highlight an expansion in SRG's methodology. Operators now proactively contact personnel via phone or email, posing as members of the organization's own IT department. They urge personnel to grant access to a remote desktop session. If the remote social engineering effort fails, SRG may deploy an unauthorized individual to the physical location to insert a storage device directly into a workstation.
In these physical access scenarios, the unauthorized individual typically informs personnel that they need to image the device or create a backup to resolve an issue caused by a phishing email. Once access is established, the operators perform minimal privilege escalation and immediately begin data exfiltration.
For data transfer, the group utilizes Windows Secure Copy (WinSCP) or customized versions of Rclone, an open-source command-line tool for managing and syncing files. Depending on the environment, data is transferred to cloud platforms like Google Drive and Microsoft OneDrive, or directly to external storage devices inserted during physical access.
Kaiser describes the shift toward physical, in-person operations as a highly unusual development, particularly given SRG's history of operating remotely via organized call centers. She notes that the group is assessed to operate primarily from locations including Russia and has not faced infrastructure disruptions to date. This makes the physical deployment of personnel to law firm offices an anomalous operational choice, though specific geographic details regarding the affected firms have not been disclosed.
Following data exfiltration, SRG contacts the organization with extortion demands. To increase pressure, the group frequently contacts employees or clients of the affected organization directly.
Indicators and recommended safeguards
While social engineering is an established methodology, novel delivery frameworks require sustained attention from security teams. The 2026 Verizon Data Breach Investigations Report identifies social engineering as the third most frequent initial access vector, emphasizing the ongoing effectiveness of these techniques.
Security teams can monitor for several indicators associated with SRG's activity:
- New, unauthorized installations of system management or remote access tools
- Unauthorized connections of USB drives or external hard drives
- WinSCP or Rclone connections initiating transfers to external IP addresses
- Unidentified individuals attempting to access hardware while claiming to represent IT support
To protect systems and data from this evolving methodology, the FBI recommends organizations implement the following controls:
- Require strict identity verification for all individuals entering company spaces, including checking physical ID cards.
- Enforce phishing-resistant multifactor authentication (MFA) across all possible services.
- Maintain ongoing security training to help personnel identify, resist, and report sophisticated phishing and vishing attempts.
- Where operational requirements permit, disable remote access capabilities and external drive installation permissions on workstations handling highly sensitive or confidential data.