The FBI issued a flash alert on May 26, 2026, warning that the Silent Ransom Group (SRG) — also known as Luna Moth, Chatty Spider, and UNC3753 — has escalated its attack methodology to include sending human operatives physically into victim organizations to steal data when remote social engineering fails. The group has specifically targeted U.S.-based law firms and legal services organizations, with 38 firms' data already posted publicly on SRG's leak site and 134 documented ransomware-linked incidents against legal sector organizations in Q1 2026 alone. Unlike traditional ransomware groups, SRG deploys no encryption, no malware, and no ransomware payloads — making detection by conventional endpoint security tools nearly impossible.
// 01 Silent Ransom Group: Technical Details
The Silent Ransom Group (SRG) is a data-extortion-only criminal operation that has evolved its social engineering techniques to the point of requiring physical presence at victim sites. SRG's core model is to steal sensitive data and threaten to publish it unless a ransom is paid — without ever deploying the file-encrypting malware that most organizations have trained their defenses to detect.
SRG's attack chain as of Spring 2026 operates in two phases:
Phase 1 — Remote Social Engineering:
- SRG actors identify an employee at the target organization — typically a non-technical staff member rather than IT personnel
- Actors call the target employee directly, posing as a member of the internal IT department or IT support vendor
- The fraudulent IT caller creates a pretext requiring "urgent" remote support (e.g., account security review, software update, policy compliance)
- The caller directs the employee to grant remote desktop access using legitimate tools (RDP, AnyDesk, TeamViewer, or similar)
- Once remote access is established, SRG actors navigate file systems and exfiltrate sensitive client files, case documents, privileged communications, and personal data
Phase 2 — In-Person Fallback (new capability as of Spring 2026): If Phase 1 fails — because the employee refuses remote access, because the target organization has security policies against remote desktop sessions initiated by inbound callers, or because the call is identified as suspicious:
- SRG sends a human operative to the victim's physical office location
- The operative poses as an IT technician or support contractor
- The operative gains access to the office through social engineering of reception staff
- Once at a workstation, the operative inserts a USB storage device and exfiltrates data directly
- The operative leaves without triggering any security alert, because no malware was executed

The absence of malware is SRG's most distinguishing and dangerous characteristic. There are no ransomware payloads to detect, no encrypted file extensions to alert on, no splash screens demanding payment. Victim organizations' IT systems continue to function normally. Desktops do not lock. Users experience no visible disruption. By the time SRG's extortion demand arrives, the stolen data has been off-premises for days or weeks.
// 02 Exploitation Status and Threat Landscape
SRG has been tracked since at least 2022 under the Luna Moth alias, initially focusing on IT helpdesk social engineering — a technique the group has refined over three years. The January 2026 breach of Orrick, Herrington & Sutcliffe — a global law firm with over 25 offices and more than $1.5 billion in annual revenue — resulted in the firm's data being posted publicly after it declined to pay SRG's ransom demand. This high-profile incident signaled that SRG had the operational confidence to target even the most prestigious firms in the legal sector.
Halcyon, the cybersecurity firm tracking SRG most closely, documented 134 ransomware incidents against law firms and legal services organizations in Q1 2026 alone — making legal the fourth-most targeted industry globally, accounting for more than 6% of all ransomware attacks in the quarter. SRG and the INC ransomware-as-a-service operation are cited as the primary drivers of this surge.
The in-person component of SRG's operations has no parallel in documented threat actor behavior. It represents a convergence of physical social engineering (traditionally associated with low-tech fraud operations) and data-focused extortion (a cybercriminal business model). Law enforcement has not publicly attributed specific arrests to SRG's in-person operatives, and it is unclear whether the individuals physically visiting offices are core SRG members or contractors.
// 03 Who Is Affected
Law firms and legal services organizations are the primary targets. Legal files represent one of the most sensitive data categories in any economy: attorney-client privileged communications, litigation strategies, M&A transaction details, criminal defense files, and personal information for millions of individual clients. SRG understands this leverage — the reputational and legal consequences of a law firm's privileged communications being published are catastrophic, creating strong motivation to pay.
Healthcare and financial services organizations have also been targeted by SRG/Luna Moth in prior campaigns, though the current FBI flash alert focuses specifically on legal sector targeting.
Any organization with inadequate visitor control policies is potentially vulnerable to the in-person attack variant — particularly those where IT contractors routinely visit offices without pre-verification, where reception staff are not trained to challenge unexpected technical visitors, or where workstations can be accessed without requiring employee authentication in the physical presence of the user.
// 04 What You Should Do Right Now
- Implement a callback verification policy for IT support. Any inbound call claiming to be from IT support should be verified by hanging up and calling the IT team back using a number from the internal directory — not a number provided by the caller. This single control defeats most Phase 1 social engineering.
- Train all staff on IT impersonation tactics. Non-technical employees are the primary targets. They should know that IT will never call them to request remote access, and that any such request should trigger a verification call.
- Restrict unauthorized remote desktop sessions. Configure Group Policy to prevent employees from granting remote access to callers who initiate inbound contact. Legitimate IT support sessions should be initiated from IT systems, not in response to inbound requests.
- Implement physical security controls for IT access. Visitor management systems should require photo ID, appointment verification, and an internal sponsor for any unannounced technical visit. USB port restrictions (using endpoint management tools like Microsoft Intune or Jamf) prevent physical data theft via removable storage.
- Disable USB mass storage on all user workstations. This is achievable through Group Policy (Windows) or MDM profiles (macOS):
# Disable USB mass storage via Group Policy (Windows)
# Computer Configuration → Administrative Templates → System → Removable Storage Access
# Set "All Removable Storage classes: Deny all access" to Enabled
- Review your data exfiltration monitoring. Since SRG does not use malware, conventional AV/EDR alerts will not fire. Focus on DLP (Data Loss Prevention) tools that monitor large file transfers and bulk access to document repositories.
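As an added example (not code from the FBI alert or from this advisory), the following Python detector implements the two signals just described, bulk access to a document repository and large file transfers, as a per-user sliding-window check over file-access audit records. The tab-separated log format, the field names, the thresholds and the sample records are all constructed assumptions; map them onto whatever your DLP or file-server audit source actually emits.

```python
"""Bulk document access / large transfer detector over file-access audit events.

Added example, not from the advisory. The tab-separated log format, the field
names and the thresholds below are assumptions; map them onto your own DLP or
file-server audit source.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    host: str
    path: str
    bytes_read: int


# Assumed thresholds; baseline them against normal matter-file activity first.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_FILES = 50                 # distinct documents per user per window
MAX_BYTES = 500 * 1024 * 1024           # bytes read per user per window


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed audit line: <iso-time>\t<user>\t<host>\t<path>\t<bytes>."""
    ts, user, host, path, size = line.rstrip("\n").split("\t")
    return AccessEvent(datetime.fromisoformat(ts), user, host, path, int(size))


def detect_bulk_access(events):
    """Sliding-window check per user.

    Returns one alert per user, (user, window_start, distinct_files, total_bytes),
    the first time that user exceeds either threshold inside WINDOW. Repeats for
    the same user are suppressed so a single session yields a single alert.
    """
    windows = defaultdict(deque)   # user -> events inside the current window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = windows[ev.user]
        q.append(ev)
        while ev.ts - q[0].ts > WINDOW:   # drop events that fell out of the window
            q.popleft()
        distinct = {e.path for e in q}
        total = sum(e.bytes_read for e in q)
        if ev.user not in alerted and (len(distinct) > MAX_DISTINCT_FILES or total > MAX_BYTES):
            alerted.add(ev.user)
            alerts.append((ev.user, q[0].ts, len(distinct), total))
    return alerts


def build_sample_log():
    """Constructed sample (not real data): jdoe works normally, asmith's session
    touches 60 matter files in five minutes, bjones pulls three 200 MB archives."""
    base = datetime(2026, 5, 26, 14, 0, 0)
    lines = []
    for i in range(5):       # one document every 20 minutes: never exceeds either threshold
        t = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{t}\tjdoe\tWS-12\t\\\\files\\matters\\A-{i}.docx\t120000")
    for i in range(60):      # one document every 5 seconds: 60 distinct files in 5 minutes
        t = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t}\tasmith\tWS-07\t\\\\files\\matters\\B-{i}.pdf\t250000")
    for i in range(3):       # three large archives a minute apart: 600 MB in 2 minutes
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t}\tbjones\tWS-03\t\\\\files\\archive\\export-{i}.zip\t200000000")
    return lines


if __name__ == "__main__":
    for user, start, n_files, n_bytes in detect_bulk_access(map(parse_line, build_sample_log())):
        print(f"ALERT {user}: {n_files} distinct files, {n_bytes / 2**20:.0f} MiB read from {start.isoformat()}")
```

On the constructed sample the detector raises exactly two alerts, one for the 600 MB archive pull and one for the session that crosses 50 distinct matter files, and stays silent on the normal user. In practice the thresholds should be derived from a baseline of legitimate activity (document review and e-discovery work can legitimately touch many files), and the alert should be enriched with the session origin, since an interactive remote-support session or an unfamiliar workstation reading a matter repository is the context that turns this from noise into a Phase 1 or Phase 2 indicator.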
// 05 Background: Understanding the Risk
SRG's evolution from pure phone-based social engineering to in-person operations reflects a maturation of the data-extortion model that began with the Cl0p and ALPHV ransomware groups' move away from encryption toward pure data theft. The logic is sound from an attacker's perspective: encryption is detectable, reversible (from backups), and ransom payments for it are increasingly illegal. Data theft with a publication threat is invisible until the ransom demand arrives, cannot be undone by restoring from backup, and creates privilege-related and reputational damage that motivates payment regardless of law enforcement guidance.
The legal sector is the ideal SRG target for the same reasons it is a high-value target for any attacker: law firms hold privileged information for multiple high-value clients in a single location, often have security infrastructure that lags the corporate sector, and have unique legal and reputational obligations around client confidentiality that make data publication an existential threat.
The FBI flash alert is available publicly at IC3.gov. Organizations in the legal sector should treat this as a high-priority advisory and immediately audit their IT callback verification policies, physical visitor management procedures, and USB storage controls.
// 06 Conclusion
The Silent Ransom Group has extended its data-extortion operations from phone-based IT impersonation to sending human operatives physically into victim offices to steal data via USB drives when remote social engineering fails. With 134 legal sector incidents in Q1 2026 and 38 firms' data already published, SRG represents a severe and actively escalating threat. The most critical immediate controls are inbound IT call verification policies, USB port blocking on user workstations, and physical visitor management procedures — defenses that no amount of malware detection capability can replace.
For any query, contact us at contact@cipherssecurity.com
