Summary:
Since late 2025, Silent Ransom Group (SRG) has elevated its data theft and extortion attacks against US-based law firms, sending in-person operators to targeted entities’ physical corporate locations in an attempt to impersonate IT support and obtain internal network access. This tactic effectively exploits the gap between cybersecurity and physical security programs, which are often not integrated and lack coordinated defenses. The actor has previously extorted victims for millions of dollars in ransom payments, including a reported $20 million against a law firm in May 2026.
Background:
Silent Ransom Group (SRG), also tracked as Luna Moth, is a financially motivated Russia-based ransomware gang that emerged in March 2022 following the collapse of the Conti ransomware syndicate. Formed by prior BazarCall operators who previously served as initial access specialists for Ryuk and Conti, the group operates purely as a data theft and extortion operation. The group has primarily targeted U.S. law firms and insurance entities, exploiting the high sensitivity of privileged legal data as extortion leverage.
The ransomware gang operates a professional English-speaking call center and has shown a consistent pattern of tactical evolution across three distinct phases: callback phishing via fake subscription invoices from 2022 through early 2025, direct vishing campaigns impersonating internal IT personnel beginning March 2025, and most recently in-person physical intrusion, all leading to data exfiltration and extortion. Silent’s physical intrusion tactic, in which operators enter victim premises in person and connect storage devices directly to exfiltrate data, was first observed in April 2025 and was reported by the FBI as an active tactic in May 2026. Following initial compromise, Silent is known to escalate privileges, maintain network access, and exfiltrate data using legitimate tooling such as WinSCP, RClone, AnyDesk, and others.
Analysis:
Silent is actively targeting US law firms in social engineering attacks that ultimately lead to data theft and extortion. The actors are calling potential victims by impersonating legitimate IT services and then physically sending an operator to the site posing as an employee from the IT service. Once Silent gains access to the network, they deploy minimal software for persistence and data exfiltration followed by millions of dollars in extortion demands.
Physical access to company infrastructure as an attack vector pre-dates today’s technical methods of intrusion typically used by financially motivated threat actors. There are three known distinct methods for obtaining physical access in ransomware attacks:
- Threat actors leave physical USB devices in public areas
- Threat actors recruit or bribe company insiders
- Threat actors impersonate IT support
Physical Device Drops:
Removable media devices such as USBs bypass network security defenses, providing a clear path for initial access. Physical media being leveraged as a mechanism to deliver ransomware dates back to the 1989 AIDS trojan, where members of the World Health Organization (WHO) received parcels containing infected floppy disks. FIN7, a financially motivated threat actor operating DarkSide and BlackMatter ransomware, similarly used this methodology in 2020 and 2022. Those campaigns mailed BadUSB devices to US entities in the retail, transportation, defense and insurance industries to download malware followed by ransomware payloads. Silent Ransom Group’s current use of USB devices follows the same principle; however, the operators insert the device directly instead of relying on direct mail.
Recruiting and Bribing Insiders:
Recruiting or coercing current employees with existing physical and network access can be more efficient for ransomware actors than independently conducting intrusions. Lapsus$, a financially motivated group that heavily leverages social engineering, operationalized insider recruitment in 2021. The threat actor publicly advertised bribes for telecom employees to perform SIM swaps to bypass Multi-Factor Authentication (MFA). By investing in existing human-based access, Lapsus$ was able to breach Okta, Microsoft and multiple large businesses with significant impact.
Impersonating IT Support:
Impersonating IT support personnel grants threat actors a socially engineered pathway into a target organization, exploiting employee trust rather than technical vulnerabilities. DarkVishnya, a financially motivated group, targeted Eastern European financial institutions in 2017 and 2018 by physically entering corporate premises posing as contractors. The threat actors planted hardware devices on the corporate networks and caused millions of dollars in losses. In 2023, Scattered Spider leveraged the effectiveness of remote IT impersonation by conducting vishing against targets, causing over $100 million in combined losses across the entertainment and retail industries. Silent Ransom Group has consolidated these approaches into a single attack chain where they first remotely impersonate IT services and, if unsuccessful, deploy a physical operator to the corporate office to complete the intrusion in person.
Motivation:
Silent has consistently operated along the path of least resistance since it began its callback tactics in 2022. They leverage social engineering as an initial access method and legitimate remote tools for persistent access and data exfiltration. Silent has historically prioritized targeting law firms and insurance entities, which have consistently paid out significant ransom payments, including $20 million in May 2026. Silent will likely continue to target these industries due to the sensitivity of their data and success in their previous extortions.
This return to physical-access intrusion is not a replacement for the tactics Silent has relied on since 2023. Physical access has become a necessary addition to the ransomware actor’s playbook to ensure they obtain sufficient impact to warrant their high ransom demands. Other ransomware groups may adopt this methodology based on their willingness to take on risk and the success demonstrated by Silent.
Mitigations:
- Disable USB and external storage ports on all workstations by default, including read and write access for all external USB storage devices. Require IT authorization and documented justification before any removable media device can be connected to company hardware [M1034, M1035, M1018]
- Implement a visitor management and escort policy requiring front-desk staff to log all visitor IDs and verify technicians against a pre-scheduled work order. Ensure all contracted technicians are escorted by verified corporate employees [T1052.001, T1598.004]
- Restrict RMM tool installation permissions to authorized IT personnel only, preventing employees from downloading or executing remote access software such as AnyDesk, Atera, or Splashtop in response to unsolicited requests [M1038, M1022]
- Audit physical access logs regularly for unscheduled or unverified visitors, particularly individuals claiming IT support roles, and cross-reference against open work orders [T1052.001]
- Conduct employee awareness training to recognize IT impersonation red flags, including unsolicited calls creating urgency around remote access, requests to install software or connect external devices, and unscheduled in-person visits from unfamiliar IT personnel [M1017]
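The visitor-management and physical-access-log mitigations above can be operationalized as a routine cross-check. The following is an added example, not code from the Halcyon alert: it reads a constructed front-desk visitor log and a constructed export of open IT work orders (the field names and formats are assumptions), and flags any visitor who appears to be IT support but has no matching work order for their vendor and arrival time, or who was not escorted.

```python
import csv
from datetime import datetime

# Constructed front-desk visitor log, one sign-in per line (field names assumed).
VISITOR_LOG = """\
time,visitor,company,stated_purpose,escort
2026-05-04T09:12,J. Doe,Contoso IT Services,printer maintenance,R. Lee
2026-05-04T13:40,A. Smith,Contoso IT Services,server room access,
2026-05-05T10:05,M. Chen,Courier Co,package delivery,
2026-05-05T15:30,K. Patel,Fabrikam IT,network troubleshooting,T. Gomez
"""

# Constructed open work orders exported from the IT ticketing system.
WORK_ORDERS = """\
ticket,vendor,scheduled,window_hours
WO-1001,Contoso IT Services,2026-05-04T09:00,2
WO-1002,Fabrikam IT,2026-05-06T15:00,2
"""

IT_WORDS = {"it", "server", "network", "printer", "workstation", "technician"}

def looks_like_it_visit(row):
    """True when the company name or stated purpose suggests an IT visit."""
    words = set(f"{row['company']} {row['stated_purpose']}".lower().split())
    return bool(words & IT_WORDS)

def has_work_order(row, orders):
    """True when the same vendor has a ticket whose window covers the arrival."""
    arrived = datetime.fromisoformat(row["time"])
    for o in orders:
        if o["vendor"] != row["company"]:
            continue
        delta = (arrived - datetime.fromisoformat(o["scheduled"])).total_seconds()
        # allow a 30-minute early arrival, then the ticket's scheduled window
        if -1800 <= delta <= int(o["window_hours"]) * 3600:
            return True
    return False

def audit_visitors(visitor_log=VISITOR_LOG, work_orders=WORK_ORDERS):
    """Return (visitor, reason) findings for sign-ins that need follow-up."""
    orders = list(csv.DictReader(work_orders.splitlines()))
    findings = []
    for v in csv.DictReader(visitor_log.splitlines()):
        if not looks_like_it_visit(v):
            continue  # deliveries and other non-IT visitors are out of scope here
        if not has_work_order(v, orders):
            findings.append((v["visitor"], "no matching work order"))
        if not v["escort"]:
            findings.append((v["visitor"], "unescorted"))
    return findings
```

On the sample data, the afternoon "server room access" visit and the Fabrikam technician who arrived a day before the scheduled ticket are flagged for follow-up, while the scheduled, escorted printer visit passes.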
References:
Source Summary: This Alert is based on Halcyon analysis, dark web investigations, and ongoing research. Findings reflect the current understanding of the campaign and may be updated as new evidence emerges.
