FBI Warns: Silent Ransom Group Now Sends Attackers In Person to Steal Data

The FBI issued a flash alert warning that Silent Ransom Group (SRG) has escalated its attack methods against U.S.-based law firms. Beyond phishing emails and fake IT support calls, SRG now sends physical threat actors directly to victim offices to steal data from company computers.

FBI Warns: Silent Ransom Group Now Sends Attackers In Person to Steal Data

This shift marks a significant change in how cybercriminal groups operate. Most data theft campaigns rely entirely on remote access. SRG has added physical presence to its toolkit, making it one of the few extortion groups that combines digital social engineering with in-person intrusion.

What Is Silent Ransom Group?

Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022. The group focuses on data theft and extortion rather than traditional ransomware encryption.

SRG separated from the Conti ransomware syndicate in March 2022 following Conti’s shutdown. The FBI has linked the same actors to BazarCall campaigns that provided initial network access for both Conti and Ryuk ransomware operations. Since early 2023, the group has consistently targeted U.S.-based law firms and financial organizations.

Unlike ransomware groups that encrypt files and demand payment for decryption keys, SRG steals data and threatens to sell or publicly release it unless the victim pays a ransom.

How the Silent Ransom Group Attack Chain Works

SRG updated its playbook as of Spring 2026. The attack follows a multi-stage social engineering sequence that escalates from a phone call all the way to a physical office visit.

Stage 1: Initial Contact

SRG actors call employees directly or send phishing emails. The messages use IT helpdesk, billing, subscription, or invoice-themed lures to create urgency. The goal is to get the target employee on a phone call with someone posing as internal IT support.

Researchers at EclecticIQ noted in a May 2025 report that SRG registers typosquatted domains that impersonate IT helpdesk portals for major U.S. law firms and financial services companies. These domains add visual credibility to the phishing emails.

Stage 2: Remote Access Attempt

Once on the call, the fake IT support representative directs the employee to grant remote desktop access. SRG actors use legitimate remote access tools including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera to establish the session.

Because these tools are legitimate software used by real IT departments, traditional antivirus products rarely flag the intrusion. The FBI warns that detecting these tools alone should not be treated as confirmation of an SRG attack without additional analytical evidence.

Stage 3: In-Person Escalation

If the remote access attempt fails, SRG sends a threat actor physically to the victim’s office. The attacker presents themselves as an IT support technician and claims to need access to the device to image it or create a backup file to address a phishing-related issue.

Once inside, the attacker inserts a USB drive or external hard drive directly into the victim’s computer and copies data to the device. The FBI flash alert (PDF) classifies this technique as MITRE ATT&CK T1052.001: Exfiltration over USB, which covers adversaries who exfiltrate data over a USB-connected physical device, including in scenarios involving air-gapped networks.

Stage 4: Data Exfiltration

Whether through remote access or physical presence, SRG exfiltrates data using:

  • WinSCP (Windows Secure Copy)
  • Rclone, sometimes hidden or renamed to avoid detection
  • Microsoft OneDrive or Google Drive for cloud-based staging

SRG actors minimize privilege escalation and move quickly to exfiltration without any encryption step, which means traditional ransomware detection rules will not fire.

Stage 5: Extortion

After exfiltrating data, SRG sends a ransom email threatening to post or sell the stolen files. The group also calls employees and clients of the victim company directly to pressure the organization into beginning ransom negotiations. SRG maintains a public leak site at business-data-leaks[.]com where it publishes victim data to demonstrate that its threats are credible.

MITRE ATT&CK Mapping for SRG

The table below summarizes the key MITRE ATT&CK techniques the FBI attributes to SRG activity:

TacticTechniqueSRG Activity
Initial AccessT1566: PhishingCallback phishing with invoice, billing, or IT-themed lures
Social EngineeringT1598.004: Voice PhishingActors impersonate internal IT support by phone
ExecutionT1219: Remote Access SoftwareLegitimate tools establish interactive access
Credential AccessT1078: Valid AccountsActors may use victim credentials to access email or cloud services
CollectionT1560: Archive Collected DataData staged or compressed before exfiltration
CollectionT1530: Data from Cloud StorageTheft from Microsoft 365, OneDrive, and Google Drive
ExfiltrationT1567: Exfiltration Over Web ServiceStolen data uploaded to cloud platforms
ExfiltrationT1052.001: Exfiltration to Removable MediaUSB or external hard drive insertion during in-person visits
ImpactT1657: Financial Theft / ExtortionThreats to publish or sell stolen data

Indicators of Compromise

SRG attacks leave few artifacts on compromised machines. Watch for the following warning signs in your environment:

  • Unauthorized downloads of remote access tools including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera
  • Unauthorized installation of external hard drives or USB drives on company computers
  • WinSCP or Rclone connections to external IP addresses
  • Data exfiltration alerts involving Microsoft OneDrive, Google Drive, or unknown external servers
  • Unidentified individuals claiming to be IT support and attempting to access computers in person
  • Ransom emails, phone calls, or voicemails from an unnamed group claiming to have stolen company data
  • Employees receiving unsolicited calls from individuals falsely claiming to work in the company’s IT department
  • Emails or calls to clients stating that their data has been stolen

How to Defend Against Silent Ransom Group

The FBI recommends the following defensive measures. Organizations should treat these as a layered set of controls rather than a single solution.

Physical security:

  • Verify the credentials and ID of every individual who accesses company spaces
  • Treat any unsolicited visit from someone claiming to be IT support as suspicious until verified through an independent channel
  • Establish a clear process for employees to challenge and report unexpected IT visitors

Technical controls:

  • Require phishing-resistant multi-factor authentication (MFA) for as many services as possible
  • Disable remote access and external drive installation permissions on computers that handle sensitive or confidential data
  • Block access to port 22 where possible to limit encrypted remote access and file transfer channels
  • Deploy data loss prevention tools to detect and block sensitive data transfers to USB devices or cloud storage

Policy and training:

  • Develop clear written policies on how IT support communicates and authenticates with employees
  • Train staff to identify, resist, and report phishing attempts and suspicious phone calls
  • Require employees to verify IT support identity through a second channel before granting any remote access
  • Maintain regular backups of company data stored in an isolated environment

Because SRG attacks rely almost entirely on social engineering and impersonation, employee awareness is one of the strongest defenses available. Tactics like these overlap significantly with AI security scams that use voice and text impersonation to bypass technical defenses entirely.

What to Report to the FBI

If your organization has received contact from SRG or suspects an active intrusion, the FBI requests the following information where legally permissible:

  • A copy of any ransom note received
  • Phone numbers or email accounts used by the threat actor
  • Transcripts or voicemails from communications with the threat actor
  • The original callback message or phishing email
  • Cryptocurrency wallet information if a payment demand was issued
  • Any surveillance video or photos of individuals who posed as IT support

Submit reports through the Internet Crime Complaint Center at IC3.gov.

FAQs

What is Silent Ransom Group?

Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is a cybercrime gang active since at least 2022. The group targets U.S. law firms and financial organizations through social engineering, data theft, and extortion. SRG does not encrypt files. It steals data and threatens public release or sale unless the victim pays a ransom.

How does Silent Ransom Group gain access to victim networks?

SRG uses callback phishing emails and direct phone calls to impersonate IT support staff. Attackers convince employees to grant remote desktop access using legitimate tools like AnyDesk or Quick Assist. If the remote attempt fails, SRG sends a physical agent to the target’s office to insert a USB drive or external hard drive directly into a company computer.

Why does SRG target law firms specifically?

Law firms hold sensitive client data including legal strategy documents, financial records, and confidential communications. This data carries high extortion value because victims face serious reputational and legal exposure if the information goes public. The FBI notes that SRG has consistently targeted U.S.-based law firms since Spring 2023.

What remote access tools does Silent Ransom Group use?

SRG uses legitimate tools including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera. These tools do not trigger antivirus alerts because they are widely used for legitimate IT support. The FBI cautions against attributing their presence as malicious without supporting analytical evidence.

How do I report a Silent Ransom Group attack?

Report the incident to the FBI through IC3.gov. Preserve ransom notes, phishing emails, phone call transcripts, and any surveillance footage of individuals who claimed to be IT support during the intrusion.

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply