Silent Ransom Group sends fake IT workers to steal law firm data
Silent Ransom Group is sending fake IT staff into law firm offices, then walking out with data on USB drives. The FBI said the pressure can turn into extortion in hours.

Cybercrime is moving offline, and Silent Ransom Group has turned that shift into a playbook for law firms. Instead of relying only on phishing or file-encrypting malware, the gang has been sending people posing as IT support into offices, where they exploit front-desk routines, employee trust and weak visitor verification to steal data by hand.
The FBI said in a May 26 alert that Silent Ransom Group, also known as Luna Moth, Chatty Spider and UNC3753, has been active since at least 2022 and has consistently targeted U.S.-based law firms since spring 2023. The group does not behave like a traditional ransomware crew that locks up files and demands payment for a decryptor. It steals information first, then uses the threat of public release or sale to pressure victims into paying.
The bureau said the campaign often starts with IT-themed phone calls and phishing emails designed to win remote desktop access. If that fails, the group escalates by sending someone in person to the victim’s location, where the impostor inserts a storage device or USB drive and pulls data directly from the endpoint. The FBI said the group has used WinSCP and a hidden or renamed version of Rclone to move stolen files, and has also uploaded data to Google Drive or Microsoft OneDrive.
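
The renamed-Rclone detail above lends itself to a simple detection check, shown here as an added example that is not part of the FBI alert or the original article. It assumes process-creation telemetry with Sysmon-style `Image`, `OriginalFileName` and `CommandLine` fields, assumes the listed version-info names for genuine builds, and runs over constructed sample records.

```python
import ntpath
import re

# Assumption: genuine builds report these OriginalFileName values in their PE
# version info. Confirm against the binaries in your own environment.
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}

# rclone-style transfer: a copy/sync/move verb plus a "remote:path" argument.
# Requiring two or more characters before the colon skips drive letters.
RCLONE_VERB = re.compile(r"\s(copy|sync|move)\s", re.I)
REMOTE_ARG = re.compile(r"\s[\w-]{2,}:(?!//)\S*")


def classify(event):
    """Return findings for one process-creation record (Sysmon-style fields)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    findings = []
    if original in TRANSFER_TOOLS:
        if image != original:
            findings.append(f"renamed {original} running as {image}")
        else:
            findings.append(f"{original} executed")
    elif RCLONE_VERB.search(cmdline) and REMOTE_ARG.search(cmdline):
        # Version info can be missing, so fall back to the argument shape.
        findings.append(f"rclone-style transfer arguments from {image}")
    return findings


def scan(events):
    return [(e["Image"], f) for e in events for f in classify(e)]

# Constructed sample records, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe copy C:\Matters gdrive:backup --transfers 8"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe", "CommandLine": "WinSCP.exe"},
    {"Image": r"C:\ProgramData\updater.exe", "OriginalFileName": "-",
     "CommandLine": r"updater.exe sync D:\Clients onedrive:x --config c.conf"},
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "OriginalFileName": "robocopy.exe", "CommandLine": r"robocopy.exe C:\a D:\b /E"},
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

A firm that has no sanctioned use for either tool can alert on every finding; one that uses WinSCP legitimately would treat only the renamed and argument-shape findings as high priority.
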
Google Threat Intelligence Group said Mandiant tracked a financially motivated campaign from January through May 2026 that targeted dozens of organizations across professional, legal and financial services in the United States. In some cases, Google said, the full intrusion-to-extortion chain unfolded within a single business day, and data theft sometimes began in under an hour. The campaign commonly started with harmless-looking invoice emails sent from actor-controlled consumer accounts, then moved to voice-phishing pretexts tied to data migration or billing.

The most alarming change is the physical one. Google said some of the incidents involved individuals posing as IT technicians entering corporate offices to try to exfiltrate data from endpoints using USB media. That tactic makes email filters and endpoint controls only part of the defense; the failure points now include reception desks, badge checks, visitor escorts and the decision-making that allows an unknown “technician” to be left alone with a machine.
Law firms and other exposed organizations need tighter identity verification, enforced call-back procedures for any unsolicited IT request, locked-down USB access, restricted remote desktop permissions and a rule that no outside technician gets unsupervised access without independent confirmation. Silent Ransom Group has shown that the quickest path into sensitive systems may be through a lobby, not a login screen.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.


