Full Report
The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. [...]
Analysis Summary
# Threat Actor: Silent Ransom Group (SRG)
## Attribution & Identity
* **Primary Name:** Silent Ransom Group (SRG)
* **Aliases:** Luna Moth, Chatty Spider, UNC3753
* **Known Associations:** Formerly part of the Conti cybercrime syndicate; linked to BazarCall campaigns that provided initial access for Conti and Ryuk ransomware operations.
## Activity Summary
Since early 2023, SRG has aggressively targeted U.S.-based legal and financial institutions. As of Spring 2026, the group has escalated to in-person data theft, an unusual step for an extortion crew. The FBI reports that when remote social engineering fails, the group sends people to the victim's office to get hands-on access to workstations and other hardware.
## Tactics, Techniques & Procedures
* **Callback Phishing:** Sending emails (or placing calls) that urge employees to phone a fraudulent IT support number, so the victim initiates the contact and is less suspicious of what follows.
* **Social Engineering:** Posing as internal IT department employees to gain trust, by phone and, in the in-person variant, at the door.
* **Remote Access Abuse:** Talking the employee through installing or joining a remote desktop session, which gives the actor an interactive foothold on the workstation without any exploit.
* **Physical Security Breach:** Dispatching actors to the victim's physical location to gain access to corporate devices.
* **Data Theft via Removable Media:** Inserting USB drives or external hard drives into devices to exfiltrate data (T1052.001).
* **Extortion:** Threatening to leak or sell stolen data; contacting the victim’s clients and employees directly to apply pressure for ransom negotiations.
* **Typosquatting:** Registering domains that impersonate legitimate IT helpdesks of major law and financial firms.
## Targeting
* **Sectors:** Legal (Law Firms), Financial Services.
* **Geography:** United States.
* **Victims:** Major U.S.-based law firms and financial services firms.
## Tools & Infrastructure
* **Remote Access Tools:** Use of legitimate remote desktop software to maintain access.
* **Hardware:** Unauthorized USB drives and external hard drives.
* **Infrastructure:** Typosquatted domains mimicking corporate IT portals (e.g., [subdomain].legalfirmname[.]com).
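The typosquatted helpdesk domains listed above are the most detectable part of the callback-phishing stage. The following is an added example for this summary, not FBI or SRG material: a lookalike-domain check that takes candidate domains (from new-registration feeds, DNS logs or inbound mail sender domains) and flags those that resemble the firm's own domains by edit distance, homoglyph substitution, or a brand name embedded alongside an IT-support label. The firm domains, keyword and homoglyph lists, and every "observed" domain are constructed for illustration.

```python
"""Flag domains that impersonate a firm's IT helpdesk (lookalike-domain check).

Added example, not FBI or SRG material. LEGIT_DOMAINS, IT_KEYWORDS, HOMOGLYPHS
and the sample inputs are constructed assumptions for illustration.
"""
import re

# Constructed: the registrable domains the firm actually owns (assumption).
LEGIT_DOMAINS = {"examplelawfirm.com", "examplelaw.com"}

# Labels callback-phishing lures borrow from real IT portals (illustrative set).
IT_KEYWORDS = ("helpdesk", "servicedesk", "itsupport", "support", "portal", "remote")

# Visually confusable substitutions, folded before comparing (illustrative set).
HOMOGLYPHS = {"0": "o", "1": "l", "vv": "w", "rn": "m", "3": "e", "l": "i"}


def normalize(domain: str) -> str:
    """Lower-case, drop scheme and path, and undo defanging such as [.] and hxxp."""
    d = domain.strip().lower()
    d = re.sub(r"^(hxxps?|https?)://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.split("/")[0].strip(".")


def registrable(domain: str) -> str:
    """Last two labels; assumption: no multi-label public suffixes like co.uk."""
    return ".".join(normalize(domain).split(".")[-2:])


def fold(label: str) -> str:
    """Map confusable characters onto one canonical form so 'firrn' == 'firm'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, swap, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(observed: str) -> tuple[str, str]:
    """Return (verdict, reason) for one observed domain."""
    reg = registrable(observed)
    if reg in LEGIT_DOMAINS:
        return "legit", f"{reg} is owned by the firm"
    name, tld = reg.rsplit(".", 1) if "." in reg else (reg, "")
    # Longest brand first so 'examplelawfirm' wins over 'examplelaw'.
    for legit in sorted(LEGIT_DOMAINS, key=len, reverse=True):
        legit_name = legit.split(".")[0]
        if name == legit_name:
            return "lookalike", f"same name as {legit} on .{tld}"
        if fold(name) == fold(legit_name):
            return "lookalike", f"homoglyph variant of {legit}"
        d = edit_distance(name, legit_name)
        if d <= 2:
            return "lookalike", f"edit distance {d} from {legit}"
        if fold(legit_name) in fold(name):
            hits = [k for k in IT_KEYWORDS if k in name]
            tag = f" with IT label {hits[0]!r}" if hits else ""
            return "lookalike", f"embeds brand {legit_name}{tag}"
    if any(k in name for k in IT_KEYWORDS):
        return "review", "generic IT-support name with no brand match"
    return "unrelated", "no resemblance to firm domains"


if __name__ == "__main__":
    # Constructed sample inputs, including defanged forms as they appear in reports.
    for dom in ("it-helpdesk.examplelawfirm.com", "examplelawfirm-helpdesk[.]com",
                "examplelawfirrn[.]com", "exampelawfirm.com", "examplelawfirm.net",
                "hxxps://examplelawfirm-support[.]com/login", "acme-widgets.com"):
        print(f"{dom:45} {classify(dom)}")
```

The check is deliberately conservative about subdomains: anything under a domain the firm owns is "legit", because the page's own example pattern (`[subdomain].legalfirmname[.]com`) is what a real helpdesk looks like, and the attacker's version is a separate registrable domain. Edit distance 2 is a reasonable cut for names of a dozen characters or more; for short brand names tighten it to 1 or the check will flag unrelated words.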
## Implications
SRG represents a significant evolution in the threat landscape by bridging the gap between cyber and physical security. Their willingness to send personnel to office locations indicates a high level of operational maturity and a shift away from purely remote cybercrime. Hands-on access to a workstation sidesteps the controls built around remote entry (MFA, perimeter firewalls) and leaves EDR blind unless it enforces a removable-media policy, because copying files to a USB drive looks like ordinary user activity.
## Mitigations
* **Physical Security:** Implement strict visitor management protocols and enforce the use of identification badges. Limit unescorted access to work areas to authorized personnel, and escort anyone presenting as outside IT support.
* **Device Control:** Implement "USB Lockdown" or Device Control policies via EDR/UEM to block, or at minimum make read-only, external storage devices that are not on an approved list, and alert on blocked attempts.
* **Employee Awareness:** Train staff to verify IT support requests via internal, known communication channels (e.g., official Slack/Teams or corporate directories) and to never grant remote access to unsolicited callers.
* **Verification:** Encourage employees to report any "IT personnel" who appear on-site without prior scheduling or proper corporate credentials.