The **FBI** is alerting U.S. law firms to a concerning trend: the **Silent Ransom Group (SRG)** is now engaging in in-person data theft attacks. ### Social Engineering and Physical Intrusion According to a flash alert issued Tuesday, "As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support." The attackers then attempt to gain remote desktop access. If this fails, the **SRG** sends an operative to the victim's location to physically insert a storage device into the victim's computer. This in-person approach allows the malicious actors to directly connect USB drives or external hard drives, enabling them to exfiltrate data. The **FBI** advises vigilance for indicators such as unauthorized installation of storage devices and the presence of unidentified individuals claiming to be IT support. ### Tactics and Extortion "Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in-person to the victim company's location to gain physical access to computers," the **FBI** elaborated. Once data is stolen, **SRG** extorts victims with threats to sell or publish the information on their leak site. They also apply pressure by contacting employees and clients to force ransom negotiations. ### Background on Silent Ransom Group Also known as **Luna Moth**, **Chatty Spider**, and **UNC3753**, this cybercrime group has been active since at least 2022, focusing on legal and financial organizations in the U.S. since early 2023. This group was previously linked to **BazarCall** campaigns, which facilitated initial access for **Conti** and **Ryuk** ransomware attacks. Following the **Conti** shutdown in March 2022, the group rebranded as the **Silent Ransom Group (SRG)**, specializing in data theft and extortion via targeted phishing attacks. ### Previous Warnings This week's alert follows a May 2025 **FBI** private industry notification regarding similar callback phishing and social engineering attacks targeting U.S. law firms. An EclecticIQ report from May 2025 highlighted the group's registration of domains impersonating IT helpdesks for major U.S. law and financial firms, utilizing typosquatting techniques.  ## The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. [Download Now](https://hubs.li/Q048zztN0)