Silent Ransom Group Sends Operatives Into Law Firm Offices: 38 Firms Already Leaked


The Silent Ransom Group — a Russia-linked extortion gang that has targeted U.S. law firms since 2023 — has escalated to physically walking operatives into law firm offices under the guise of IT support, the FBI warned in a new FLASH alert issued Tuesday, May 26, 2026. The gang has already had data from more than 38 firms published on its public leak site, and researchers say the total attack count exceeds 100 — with activity surging sharply in early 2026.

The threat is not theoretical. In January 2026, Orrick, Herrington & Sutcliffe — a firm with more than 25 global offices and over $1.5 billion in annual revenue — had its data posted publicly after declining the group’s ransom demand. Jones Day and Wood Smith Henning & Berman each faced similar exposures in the first quarter of this year. As recently as May 6, SRG claimed responsibility for a breach at Ropers Majeski.

The new FLASH alert — the FBI’s second warning about SRG in 12 months, and its first at FLASH severity on this actor — identifies the in-person physical intrusion tactic as a Spring 2026 development, active now.

How Silent Ransom Group Gets Through the Front Door

The attack chain begins with a phone call or phishing email. SRG operatives contact a firm’s employees while impersonating the firm’s own IT department, then direct those employees to open a remote desktop session — framing the request as urgent maintenance, a security scan, or follow-up on a phishing alert. The pretext is the same whether the operative is on the phone or physically present: they tell the victim they need to “image the device or create a backup file.”

When the remote gambit fails — when an employee is suspicious, hangs up, or simply does not cooperate — SRG does not move on. It sends a person.

“If that attempt fails, SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer,” the FBI stated directly in the alert.

The operative walks in, claims to be IT support, gains access to a workstation, and connects a USB drive or external hard drive. Data exfiltration follows immediately, using WinSCP or a disguised version of Rclone — both legitimate file-transfer utilities that most antivirus tools will not flag as malicious. The FBI notes that SRG typically escalates privileges minimally; the goal is speed, not depth: get in, get data, get out.

Why Silent Ransom Group Targets Law Firms

SRG’s focus on legal practices is strategic. “The theft of data in and of itself is the biggest issue for the law firms,” said Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center, in an interview with CyberScoop. “They’re tailoring a lot of their operations around what they know about the sector.”

Law firms hold a uniquely exploitable combination of data: attorney-client privileged communications, merger and acquisition documentation, intellectual property litigation records, and confidential client financial information. The threat of that material becoming public — or reaching an adversary in ongoing litigation — creates extortion leverage that is difficult to quantify and nearly impossible to fully neutralize by paying.

Allan Liska, field chief information security officer at Recorded Future, told CyberScoop that SRG has recognized something other ransomware groups have not: the investment in physical intrusion pays off specifically at law firms. “Silent Ransom Group has seen the value especially in going after law firms, and so they’re willing to put the extra effort into it,” Liska said. He added that gig workers — possibly unaware they are participating in a crime — may be the operatives SRG deploys for the physical office visits.

Halcyon tracked 134 ransomware incidents against law firms and legal services organizations in the first quarter of 2026 alone — making legal the fourth-most targeted industry, accounting for more than 6% of all ransomware attacks Halcyon tracked in the period. SRG and the separate INC ransomware-as-a-service operation are credited as the primary drivers of that surge.

No Ransomware, No Malware, No Visible Footprint

What makes SRG’s approach particularly difficult to defend against is what it does not do. The group deploys no ransomware, no encryption, no malware payloads. Desktops do not lock. There are no splash screens demanding payment. IT systems continue to function normally. The attack can be entirely invisible until a ransom email arrives threatening to post stolen data on SRG’s publicly accessible clearnet leak site unless a payment is made.

“Recent SRG campaigns left few artifacts on compromised machines,” the FBI stated in the alert, noting that traditional antivirus products are unlikely to flag the intrusion because SRG relies on legitimate system management tools throughout.
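The few artifacts the tooling does leave are where detection has to start. The following is an added example, not a script from the FBI alert, the article, or any of the researchers quoted: PowerShell detection logic that runs over constructed Sysmon Event ID 1 (process creation) and Windows Security Event ID 6416 (new external device recognized) records. It relies on two facts about those sources: Sysmon’s OriginalFileName field is read from the executable’s version resource, so a renamed Rclone or WinSCP binary still reports its real name, and 6416 carries the device class, so mass-storage insertions can be separated from keyboards and mice. The host names, user names, paths, and the five sample events are my constructions; the property names mirror the Sysmon and Security event fields.

```powershell
# Added example: flag the living-off-the-land artifacts described in the alert.
# Sample data is constructed so the logic runs without a real event log.

$SampleEvents = @(
    # Rclone renamed on disk, pushing a matter folder to a cloud remote
    [pscustomobject]@{ Id = 1; Time = '2026-05-20T09:01:00'; Host = 'WS-LEGAL-07'; User = 'FIRM\jdoe'
                       Image = 'C:\Users\jdoe\AppData\Local\Temp\updater.exe'
                       OriginalFileName = 'rclone.exe'
                       CommandLine = 'updater.exe copy "C:\Matters" drop:2026-05 --transfers 16 --config C:\Users\jdoe\AppData\Local\Temp\r.conf' }
    # WinSCP driven by a script file rather than interactively
    [pscustomobject]@{ Id = 1; Time = '2026-05-20T09:04:30'; Host = 'WS-LEGAL-07'; User = 'FIRM\jdoe'
                       Image = 'C:\Program Files (x86)\WinSCP\WinSCP.exe'
                       OriginalFileName = 'winscp.exe'
                       CommandLine = '"C:\Program Files (x86)\WinSCP\WinSCP.exe" /script=C:\Users\jdoe\AppData\Local\Temp\up.txt' }
    # Benign process for contrast
    [pscustomobject]@{ Id = 1; Time = '2026-05-20T09:05:00'; Host = 'WS-LEGAL-07'; User = 'FIRM\jdoe'
                       Image = 'C:\Windows\System32\notepad.exe'; OriginalFileName = 'NOTEPAD.EXE'
                       CommandLine = 'notepad.exe C:\Matters\notes.txt' }
    # External mass storage attached (Security 6416)
    [pscustomobject]@{ Id = 6416; Time = '2026-05-20T08:58:12'; Host = 'WS-LEGAL-07'; User = 'FIRM\jdoe'
                       ClassName = 'DiskDrive'; DeviceDescription = 'SanDisk Ultra USB 3.0 USB Device' }
    # A keyboard also produces 6416 and must not alert
    [pscustomobject]@{ Id = 6416; Time = '2026-05-20T08:30:00'; Host = 'WS-LEGAL-07'; User = 'FIRM\jdoe'
                       ClassName = 'Keyboard'; DeviceDescription = 'HID Keyboard Device' }
)

function Test-RenamedTransferTool {
    param([pscustomobject]$Event)
    if ($Event.Id -ne 1 -or -not $Event.OriginalFileName) { return $false }
    $leaf  = [IO.Path]::GetFileName($Event.Image).ToLower()
    $known = @('rclone.exe', 'winscp.exe')
    # The PE version resource survives a rename on disk; the file name does not
    return ($known -contains $Event.OriginalFileName.ToLower()) -and ($leaf -ne $Event.OriginalFileName.ToLower())
}

function Test-BulkTransferCommandLine {
    param([pscustomobject]$Event)
    if ($Event.Id -ne 1) { return $false }
    # rclone grammar: <verb> <source> <remote>:<path>, usually with --transfers/--config;
    # WinSCP unattended use: /script= or /command
    return ($Event.CommandLine -match '\b(copy|sync|move)\b\s+\S+\s+\w+:') -or
           ($Event.CommandLine -match '--(config|transfers|bwlimit)\b') -or
           ($Event.CommandLine -match 'winscp.*(/script=|/command)')
}

function Test-ExternalStorageAttached {
    param([pscustomobject]$Event)
    # 6416 fires for every new device; only the DiskDrive class is mass storage
    return ($Event.Id -eq 6416) -and ($Event.ClassName -eq 'DiskDrive')
}

function Find-SrgIndicators {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $reasons = @()
        if (Test-RenamedTransferTool $e)     { $reasons += "transfer tool renamed on disk ($($e.OriginalFileName) running as $([IO.Path]::GetFileName($e.Image)))" }
        if (Test-BulkTransferCommandLine $e) { $reasons += 'rclone/WinSCP-style unattended bulk transfer' }
        if (Test-ExternalStorageAttached $e) { $reasons += "external storage attached: $($e.DeviceDescription)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $e.Time; Host = $e.Host; User = $e.User; Reasons = ($reasons -join '; ') }
        }
    }
}

# Three of the five sample events should surface: the renamed rclone, the scripted WinSCP, and the USB disk.
Find-SrgIndicators $SampleEvents | Sort-Object Time | Format-Table -AutoSize

# On a live host, feed real records instead, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 }
# and map the XML event data onto the same property names before calling Find-SrgIndicators.
```

The value of correlating the two sources is the timeline: a DiskDrive 6416 a few minutes before a bulk transfer from the same user on the same host is the in-person scenario the alert describes, whereas either signal alone is noisy in a firm that legitimately uses WinSCP or USB media. Event 6416 is only written when the “Audit PNP Activity” subcategory is enabled, and the Sysmon fields assume Sysmon is deployed with command-line logging on.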

The group reinforces extortion pressure after exfiltration by calling employees and clients of victim organizations directly — a harassment escalation designed to trigger urgency and reputational panic before any ransom negotiation begins.

What FBI Red Flags Look Like in Practice

The FBI’s FLASH alert identifies specific indicators law firms should treat as high-priority warnings:

Unauthorized USB drives or external hard drives connected to company computers; unidentified individuals on premises claiming to be IT support; unexpected remote desktop session requests from someone claiming to be an internal helpdesk; and phishing emails referencing subscription charges with instructions to call a support number.

The FBI’s recommended mitigations include verifying the photo ID of any individual requesting physical access to company spaces; developing explicit firm-wide policies specifying exactly how and when IT support will identify itself to employees; disabling external drive installation permissions on computers holding sensitive data; blocking port 22 where possible; requiring phishing-resistant multi-factor authentication across all services; maintaining regular offline backups; and reporting incidents to the FBI’s Internet Crime Complaint Center at IC3.gov.
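The endpoint-side items in that list map onto concrete Windows settings. The following is an added example, not a script supplied by the FBI: a PowerShell audit that checks, and with -Remediate applies, the two removable-storage policies behind “disabling external drive installation permissions” and an outbound block on TCP/22 on a Windows 10/11 workstation. It assumes an elevated session; the registry paths and value names are the ones the corresponding Group Policy settings (Device Installation Restrictions and Removable Storage Access) write, and in a domain you would set them through GPO rather than per host. The rule display name is my choice.

```powershell
# Added example: audit/apply three endpoint mitigations from the alert. Run elevated.
param([switch]$Remediate)

$Checks = @(
    @{ Name     = 'Prevent installation of removable devices'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Value    = 'DenyRemovableDevices'; Expected = 1 }
    @{ Name     = 'Removable disks: deny write access'
       # The GUID is the Removable Disks device setup class used by the policy
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Value    = 'Deny_Write'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.($Check.Value) -eq $Check.Expected)
}

function Set-PolicyValue {
    param([hashtable]$Check)
    New-Item -Path $Check.Path -Force | Out-Null
    New-ItemProperty -Path $Check.Path -Name $Check.Value -PropertyType DWord -Value $Check.Expected -Force | Out-Null
}

function Test-OutboundSshBlocked {
    # True if any enabled outbound block rule's port filter covers TCP/22
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (($pf.RemotePort -contains '22') -or ($pf.RemotePort -eq 'Any'))) { return $true }
    }
    return $false
}

$Report = foreach ($c in $Checks) {
    $ok = Test-PolicyValue $c
    if (-not $ok -and $Remediate) { Set-PolicyValue $c; $ok = Test-PolicyValue $c }
    [pscustomobject]@{ Control = $c.Name; Compliant = $ok }
}

$sshBlocked = Test-OutboundSshBlocked
if (-not $sshBlocked -and $Remediate) {
    New-NetFirewallRule -DisplayName 'Block outbound SSH/SFTP (TCP 22)' -Direction Outbound `
        -Protocol TCP -RemotePort 22 -Action Block -Profile Any | Out-Null
    $sshBlocked = Test-OutboundSshBlocked
}
$Report += [pscustomobject]@{ Control = 'Outbound TCP/22 blocked'; Compliant = $sshBlocked }

$Report | Format-Table -AutoSize
```

Two caveats follow from the article itself. The port 22 block only covers SFTP/SCP destinations; Rclone pushing to a cloud bucket goes over HTTPS, which is why the alert says “where possible” and why the removable-storage policies are the control that actually addresses the walk-in scenario. And the device-install restriction stops new drives from being installed but does not eject one that is already present, so the audit is worth pairing with the 6416 logging described above rather than treated as a complete answer.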

How Silent Ransom Group Demands Ransom After Data Theft

After exfiltration, SRG sends a ransom email threatening to sell the stolen files or post them to its leak site. Demands reported by security researchers range from $1 million to $8 million depending on firm size. In the Wood Smith Henning & Berman case, SRG demanded $1.8 million for 3.6 gigabytes of data — and posted the files publicly after the firm countered at $15,000. SRG has told researchers that most of the law firms it attacks do pay, which implies the true total attack count substantially exceeds the 38 already published on its leak site.

The group emerged in March 2022 from the collapse of the Conti ransomware syndicate, inheriting its experienced operators while abandoning encryption-based ransomware entirely in favor of pure data extortion. Its Russia-linked origins mean no arrests have been made, and researchers do not anticipate near-term law enforcement disruption to its operations.


Frequently Asked Questions

What is the Silent Ransom Group?

Silent Ransom Group (SRG) is a Russia-linked data extortion gang that has targeted U.S. law firms since Spring 2023. Also known as Luna Moth, Chatty Spider, and UNC3753, the group steals sensitive data and threatens to publish or sell it unless a ransom is paid — without using ransomware or encryption of any kind. It emerged from the Conti cybercrime syndicate’s collapse in March 2022.

How does Silent Ransom Group steal data from law firms?

SRG uses a combination of phone calls, phishing emails, and — when remote approaches fail — in-person visits by operatives posing as IT support staff. Once inside a firm’s network or at a physical workstation, operatives use legitimate tools such as WinSCP and Rclone to exfiltrate data to external drives or cloud storage, leaving minimal forensic artifacts behind.

How can law firms protect against Silent Ransom Group attacks?

The FBI recommends verifying the photo ID of any individual requesting physical access to company spaces, developing explicit policies on how IT support authenticates itself to staff, disabling external drive installation on sensitive computers, requiring phishing-resistant multi-factor authentication, blocking port 22, and training employees to recognize and report social engineering calls. Incidents should be reported to the FBI’s Internet Crime Complaint Center at IC3.gov.

What happens if a law firm refuses to pay Silent Ransom Group’s ransom demand?

SRG publishes stolen data on its publicly accessible clearnet leak site, business-data-leaks[.]com. More than 38 U.S. law firms have had data posted there after declining to pay. The group has told researchers that most firms it attacks do pay, suggesting the true number of victims is substantially higher than the published count.


