LmCast :: Stay tuned in

Ransomware Actors Show Up In Person to Steal Law Firm Data

Recorded: May 27, 2026, 10:01 p.m.

Original Summarized

The FBI warned that the extortion gang Silent Ransom Group is targeting law firms and socially engineering its way into servers and databases.

Alexander Culafi, Senior News Writer, Dark Reading
May 27, 2026

The Silent Ransom Group (SRG) is impersonating IT personnel to target law firms via social engineering. In some cases, the threat actors have appeared before the victim in person.

The FBI's Internet Crime Complaint Center (IC3) yesterday published a warning that SRG has targeted law firms since spring 2023. The group has been active since 2022, and has victimized other sectors including insurance, finance, and healthcare.

SRG — which also goes by Luna Moth, Chatty Spider, and UNC3753 — has targeted law firms in a variety of ways. According to the FBI's advisory, SRG actors pose as IT support through phone calls and phishing emails "to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in person to the victim company's location to gain physical access to computers."

Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center, tells Dark Reading that Halcyon identified the legal sector as the fourth most targeted industry by ransomware actors in the first months of 2026. "Law firms are an attractive target due to the sensitivity of client data, regulatory pressure to resolve incidents quickly, and a perceived willingness to pay ransoms to protect attorney-client privilege and confidential case materials," she says.

SRG is known for conducting data theft extortion attacks, where the threat actor steals data and makes ransom demands akin to a ransomware attack, but bypasses the encryption piece that originally defined ransomware. In these cases, the actor threatens to leak data (usually through a Dark Web leak site or through a sale to another cybercriminal) and uses that to pressure the victim.

Originally, attackers sent phishing emails claiming the victim owed a subscription fee of some kind. To cancel the non-existent subscription, the victim would be instructed to call the threat actor who would then send the victim a link to download remote access software. Once the attacker is remotely connected, things like vulnerability exploitation or complex attack chains become unnecessary.

Silent Ransom Group's Tactics Evolve

The FBI notes that attack methods recently expanded. SRG actors pose as an employee from the victim's IT department and call or send an email to the victim; the victim is urged to grant the fake employee access to a remote desktop session. If that fails, "SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer."

"In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email," the FBI said. "Once the threat actor obtains access to the victim's device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption."

To do this, the threat actors use Windows Secure Copy (WinSCP) or a hidden or renamed version of Rclone, an open source command-line program that manages and syncs files. Depending on the circumstance, data is exfiltrated to filesharing platforms like Google Drive or Microsoft OneDrive, or a physical disc, like an external hard drive or USB drive inserted by the threat actor into the victim's computer.

Kaiser calls the move to in-person threat activity "an incredibly rare and concerning development," as SRG historically used professional, English-speaking call center professionals. Regarding Silent Ransom Group, Kaiser adds that the group has faced no arrests or infrastructure disruptions to date and likely operates from Russia.
That would make the move to target law firms in-person a doubly strange endeavor, though the FBI offers no details about where the victim law firms are located.

How to Stop Silent Ransom Group

Once data is stolen, the attacker sends a ransom email to the victim threatening to sell or post the data to its public-facing website. SRG will also call employees or clients of the victim organization to pressure them for payment.

Indicators of an SRG attack may include new, unauthorized downloads of system management or remote access tools; unauthorized installations of USB drives or external hard drives; a WinSCP or Rclone connection made to an external IP address; or unidentified, unauthorized individuals attempting to access computers and claiming to be IT support.

While social engineering attacks aren't new, organizations should take serious note when novel social engineering frameworks come around. Verizon's 2026 Data Breach Investigations Report showed social engineering as the third most popular breach vector, showing attackers continue to find success with methods like SRG's.

The FBI recommends organizations verify the identity of all individuals entering company spaces, including getting a copy of their ID card; require phishing-resistant multifactor authentication (MFA) for as many services as possible; train employees to identify, resist, and report phishing attempts; and "if possible, disable remote access and external drive installation permissions on company computers with access to sensitive or confidential data."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism.
He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.

The FBI has identified the Silent Ransom Group (SRG) as an extortion gang that targets law firms, employing sophisticated social engineering tactics to infiltrate systems and exfiltrate sensitive data. The group has been active since 2022 and has also victimized other sectors, including insurance, finance, and healthcare. Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center, said law firms are attractive targets because of the sensitivity of client data, regulatory pressure to resolve incidents quickly, and a perceived willingness to pay ransoms to protect attorney-client privilege.

SRG actors utilize impersonation to gain access. Historically, they have operated by posing as IT support personnel through phone calls and phishing emails to obtain remote access software. More recently, attack methods have evolved to include physical presence. In some instances, threat actors have appeared in person at the victim's location to gain direct physical access to computers, often establishing access through legitimate remote access tools or by inserting storage devices.

The data theft extortion practiced by SRG differs from traditional ransomware: the actors steal data and threaten to leak it rather than encrypting files. Initially, attackers used phishing emails that falsely claimed the victim owed a subscription fee, tricking victims into downloading remote access software. Once access is established, the attackers escalate privileges only minimally, pivot quickly to data exfiltration without encryption, and use tools such as Windows Secure Copy (WinSCP) or Rclone to move data to external platforms like Google Drive or to physical storage media.

Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center, called the move toward in-person threat activity an incredibly rare and concerning development, given SRG's historical use of professional, English-speaking call center professionals. She added that the group has faced no arrests or infrastructure disruptions to date and likely operates from Russia.

Indicators of a potential SRG attack include unauthorized downloads of system management or remote access tools, the unauthorized installation of external drives, WinSCP or Rclone connections to external IP addresses, or unidentified individuals attempting to access systems while claiming to be IT support. While social engineering attacks are not new, Verizon's 2026 Data Breach Investigations Report showed social engineering as the third most popular breach vector, indicating that attackers continue to find success with methods like SRG's.
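
As an added example (not from the FBI advisory or the article), the following checks two of the indicators above in endpoint telemetry: a watched tool running under another file name, and a connection from Rclone or WinSCP to an external address. It assumes records shaped like Sysmon Event ID 1 and Event ID 3; the sample events, the internal ranges, and the OriginalFileName values are constructed assumptions.

```python
import ipaddress
import ntpath

# Names from the PE version resource (Sysmon reports them as OriginalFileName).
# Assumed values: confirm them against the binaries in your environment.
WATCHED = {"rclone.exe": "Rclone", "winscp.exe": "WinSCP"}
# Assumed internal ranges; replace with the organization's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records, flattened from Sysmon Event ID 1 (process
# creation) and Event ID 3 (network connection). Every value is made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "OriginalFileName": "rclone.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"},
    {"EventID": 3, "ProcessGuid": "A1", "DestinationIp": "203.0.113.25", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "B2", "OriginalFileName": "winscp.exe",
     "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
    {"EventID": 3, "ProcessGuid": "B2", "DestinationIp": "10.20.0.8", "DestinationPort": 22},
    {"EventID": 3, "ProcessGuid": "B2", "DestinationIp": "198.51.100.77", "DestinationPort": 22},
    {"EventID": 1, "ProcessGuid": "C3", "OriginalFileName": "NOTEPAD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 3, "ProcessGuid": "C3", "DestinationIp": "192.0.2.10", "DestinationPort": 443},
]

def is_external(ip_text):
    """True when the address falls outside every range in INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)

def find_indicators(events):
    """Flag renamed watched tools and their connections to external addresses."""
    alerts, tracked = [], {}
    for ev in events:
        if ev["EventID"] == 1:
            original = ev.get("OriginalFileName", "").lower()
            if original not in WATCHED:
                continue
            tracked[ev["ProcessGuid"]] = WATCHED[original]
            if ntpath.basename(ev["Image"]).lower() != original:
                alerts.append(("renamed_tool", WATCHED[original], ev["Image"]))
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in tracked:
            if is_external(ev["DestinationIp"]):
                dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
                alerts.append(("external_connection", tracked[ev["ProcessGuid"]], dest))
    return alerts

if __name__ == "__main__":
    print(*find_indicators(SAMPLE_EVENTS), sep="\n")
```

This check depends on the version resource being present in the binary, so treat it as one signal alongside egress monitoring and removable-media auditing.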

In response to these threats, the FBI recommends several defensive measures for organizations. These include verifying the identity of all individuals entering company premises, mandating phishing-resistant multifactor authentication for as many services as possible, training employees to recognize, resist, and report phishing attempts, and, where possible, disabling remote access and external drive installation permissions on computers that access sensitive or confidential data.