FBI Warns Silent Ransom Group Sends Fake IT Workers to Law Firms

Sources: TechCrunch

FBI and Google warn the Silent Ransom Group sends fake IT workers to law firms for data theft.

Why it matters: Legal cybersecurity teams must watch for in-person social engineering targeting sensitive client and firm data. This marks an escalation from remote hacking to physical infiltration, increasing risks to law firm security and client confidentiality.

  • Silent Ransom Group (SRG) active since 2022, targeting U.S. law firms among others.
  • Since Spring 2026, SRG sends impostors posing as IT staff to enter law firm offices physically.
  • SRG steals data using tools like WinSCP, then extorts victims by threatening disclosure.
  • FBI issued FLASH alert on May 26, 2026, detailing SRG tactics and defense recommendations.

The Silent Ransom Group (SRG), also known by aliases such as Luna Moth and UNC3753, has evolved its attack methods. Operating since at least 2022, SRG targets law firms, insurance, finance, and healthcare sectors in the United States. Traditionally, the group used remote tactics like phishing emails and phone calls to impersonate IT support and gain remote system access. The FBI's May 26, 2026 FLASH alert highlights SRG's recent escalation: sending operatives in person to law firm offices pretending to be IT personnel.

Once inside, these impostors physically access computers and extract sensitive data using file transfer tools like WinSCP or Rclone. The stolen data is then used to extort victims by threatening to sell or leak the information. The breach of physical security alongside cyber intrusion represents a sophisticated and dangerous threat vector for firms handling sensitive legal matters.
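For defenders, launches of the file-transfer tools named above can be surfaced from endpoint process-creation logs. The following is an added example, not taken from the FBI alert or the article: it assumes Sysmon-style records with `Computer`, `User`, `Image` and `OriginalFileName` fields, a hypothetical allowlist of IT hosts, and constructed sample events, and it goes slightly beyond the text by also marking a copy of the tool that was renamed on disk.

```python
import ntpath

TRANSFER_TOOLS = ("winscp", "rclone")   # tools named in the article
APPROVED_HOSTS = {"IT-ADMIN-01"}        # hypothetical allowlist of IT hosts


def match_tool(event):
    """Return the transfer tool an event refers to, or None.

    Looks at the on-disk image name and at OriginalFileName (from the PE
    version resource), so a copy renamed on disk is still matched.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    for tool in TRANSFER_TOOLS:
        if tool in image or tool in original:
            return tool
    return None


def flag_events(events):
    """Return one alert per transfer-tool launch on a non-approved host."""
    alerts = []
    for ev in events:
        tool = match_tool(ev)
        if tool is None or ev.get("Computer") in APPROVED_HOSTS:
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        alerts.append({"host": ev.get("Computer"), "user": ev.get("User"),
                       "tool": tool, "renamed": tool not in image})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "PARALEGAL-07", "User": "FIRM\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\WinSCP.exe",
     "OriginalFileName": "winscp.exe"},
    {"Computer": "PARTNER-02", "User": "FIRM\\asmith",
     "Image": "C:\\Temp\\svc_update.exe",
     "OriginalFileName": "rclone.exe"},
    {"Computer": "IT-ADMIN-01", "User": "FIRM\\itops",
     "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "OriginalFileName": "winscp.exe"},
    {"Computer": "PARALEGAL-07", "User": "FIRM\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(alert)
```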

Charles Carmakal, Mandiant's CTO, emphasized the increasing trend of adversaries planting insiders or gaining physical entry to aid cyberattacks, underscoring this development as part of a broader shift in cybercrime tactics.

Law firms must enhance internal security protocols and employee training to identify and verify any IT support personnel. Vigilance against in-person social engineering attempts is now critical to protect client data and firm integrity.

By the numbers:

  • 2022 — Silent Ransom Group active since this year
  • May 26, 2026 — FBI issued FLASH alert on SRG in-person attacks
  • January to May 2026 — dozens of victims targeted by SRG