Ransomware Actors Show Up In Person to Steal Law Firm Data

The FBI warned that the extortion gang Silent Ransom Group is targeting law firms and socially engineering its way into servers and databases.

Alexander Culafi, Senior News Writer, Dark Reading
May 27, 2026

The Silent Ransom Group (SRG) is impersonating IT personnel to target law firms via social engineering. In some cases, the threat actors have appeared before the victim in person.

The FBI's Internet Crime Complaint Center (IC3) yesterday published a warning that SRG has targeted law firms since spring 2023. The group has been active since 2022, and has victimized other sectors including insurance, finance, and healthcare.

SRG — which also goes by Luna Moth, Chatty Spider, and UNC3753 — has targeted law firms in a variety of ways. According to the FBI's advisory, SRG actors pose as IT support through phone calls and phishing emails "to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in person to the victim company's location to gain physical access to computers."

Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center, tells Dark Reading that Halcyon identified the legal sector as the fourth most targeted industry by ransomware actors in the first months of 2026.

"Law firms are an attractive target due to the sensitivity of client data, regulatory pressure to resolve incidents quickly, and a perceived willingness to pay ransoms to protect attorney-client privilege and confidential case materials," she says.
SRG is known for conducting data theft extortion attacks, where the threat actor steals data and makes ransom demands akin to a ransomware attack, but bypasses the encryption piece that originally defined ransomware. In these cases, the actor threatens to leak data (usually through a Dark Web leak site or through a sale to another cybercriminal) and uses that to pressure the victim.

Originally, attackers sent phishing emails claiming the victim owed a subscription fee of some kind. To cancel the non-existent subscription, the victim would be instructed to call the threat actor, who would then send the victim a link to download remote access software. Once the attacker is remotely connected, things like vulnerability exploitation or complex attack chains become unnecessary.

Silent Ransom Group's Tactics Evolve

The FBI notes that attack methods recently expanded. SRG actors pose as an employee from the victim's IT department and call or send an email to the victim; the victim is urged to grant the fake employee access to a remote desktop session. If that fails, "SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer."

"In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email," the FBI said. "Once the threat actor obtains access to the victim's device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption."

To do this, the threat actors use Windows Secure Copy (WinSCP) or a hidden or renamed version of Rclone, an open source command-line program that manages and syncs files.
Depending on the circumstance, data is exfiltrated to filesharing platforms like Google Drive or Microsoft OneDrive, or to a physical disk, like an external hard drive or USB drive inserted by the threat actor into the victim's computer.

Kaiser calls the move to in-person threat activity "an incredibly rare and concerning development," as SRG historically used professional, English-speaking call center professionals.

Regarding Silent Ransom Group, Kaiser adds that the group has faced no arrests or infrastructure disruptions to date and likely operates from Russia. That would make the move to target law firms in person a doubly strange endeavor, though the FBI offers no details about where the victim law firms are located.

How to Stop Silent Ransom Group

Once data is stolen, the attacker sends a ransom email to the victim threatening to sell or post the data to its public-facing website. SRG will also call employees or clients of the victim organization to pressure them for payment.

Indicators of an SRG attack may include new, unauthorized downloads of system management or remote access tools; unauthorized installations of USB drives or external hard drives; a WinSCP or Rclone connection made to an external IP address; or unidentified, unauthorized individuals attempting to access computers and claiming to be IT support.

While social engineering attacks aren't new, organizations should take serious note when novel social engineering frameworks come around. Verizon's 2026 Data Breach Investigations Report showed social engineering as the third most popular breach vector, showing attackers continue to find success with methods like SRG's.
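One of the indicators above, a WinSCP or Rclone connection to an external IP address (including a hidden or renamed Rclone), can be checked against endpoint network telemetry. The following Python is an added example, not code from the FBI advisory or Dark Reading; the event field names, the internal network ranges and the sample records are constructed assumptions, and it assumes the telemetry exposes the file name embedded in the binary's version metadata.

```python
import ipaddress
from pathlib import PureWindowsPath

# Tools named in the FBI advisory, keyed by lower-case executable name.
WATCHED = {"winscp.exe": "WinSCP", "rclone.exe": "Rclone"}

# Assumption: address space this organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample records; the field names are hypothetical, not a real
# EDR schema. "original_name" stands for the file name embedded in the
# binary's version metadata, which survives a rename on disk.
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "original_name": "winscp.exe", "dest_ip": "203.0.113.45"},
    {"host": "WS-014", "image": r"C:\Users\Public\updater.exe",
     "original_name": "rclone.exe", "dest_ip": "198.51.100.7"},
    {"host": "WS-022", "image": r"C:\Tools\rclone.exe",
     "original_name": "rclone.exe", "dest_ip": "10.20.0.5"},
    {"host": "WS-030", "image": r"C:\Windows\System32\svchost.exe",
     "original_name": "svchost.exe", "dest_ip": "203.0.113.45"},
]

def is_external(ip):
    """True when the destination is outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exfil_candidates(events):
    """Flag WinSCP/Rclone connections to external IPs, noting renamed binaries."""
    findings = []
    for ev in events:
        on_disk = PureWindowsPath(ev["image"]).name.lower()
        embedded = ev.get("original_name", "").lower()
        # Prefer the embedded name so a renamed copy is still recognized.
        tool = WATCHED.get(embedded) or WATCHED.get(on_disk)
        if tool is None or not is_external(ev["dest_ip"]):
            continue
        findings.append({"host": ev["host"], "tool": tool,
                         "renamed": embedded in WATCHED and on_disk != embedded,
                         "image": ev["image"], "dest_ip": ev["dest_ip"]})
    return findings

if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_EVENTS):
        print(f)
```

A hit with "renamed" set is the stronger signal, since a legitimately installed WinSCP may have approved uses that need allowlisting by destination.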
The FBI recommends that organizations verify the identity of all individuals entering company spaces, including getting a copy of their ID card; require phishing-resistant multifactor authentication (MFA) for as many services as possible; train employees to identify, resist, and report phishing attempts; and, "if possible, disable remote access and external drive installation permissions on company computers with access to sensitive or confidential data."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.