
May 28, 2026 · 8 min read

The FBI Just Warned That a Russia-Linked Extortion Crew Is Sending Operatives Into US Law Firm Lobbies When Phishing Fails—Silent Ransom Group Walks In Posing as IT, Plugs a USB Drive Into the First Workstation a Receptionist Will Show Them, and Walks Out With Attorney-Client Files Antivirus Never Saw

The May 26 FBI advisory says SRG starts with a phishing email and a phone call. When neither works, they send a human through the front door.

On May 26, 2026, the FBI's Internet Crime Complaint Center published an advisory that reads less like a malware bulletin and more like a heist plan. The Silent Ransom Group, also tracked as Luna Moth and UNC3753, has spent three years convincing US law firms over phone calls and phishing emails that an IT technician needs remote access. When that fails, the group now sends an actual person to the law firm's lobby with a USB drive in their pocket.

Key Takeaways

  • The FBI published its Silent Ransom Group advisory on May 26, 2026, warning US law firms specifically that SRG is escalating to in-person social engineering when remote attempts fail.
  • SRG has already published data from at least 38 firms on its public leak site, and researchers estimate the total compromise count exceeds 100 organizations across legal, insurance, finance, and healthcare.
  • The attack chain starts with a phishing email impersonating IT, escalates to a phone call directing the employee to open a remote desktop session, and now ends with an operative physically arriving on site to insert external storage into a workstation.
  • The FBI says recent SRG intrusions leave so few artifacts that traditional antivirus is unlikely to flag the activity, because the group uses legitimate Windows administration tools rather than malware.
  • SRG has been operating since at least 2022 and is widely linked to Russian-speaking criminal infrastructure, including overlap with the broader Conti diaspora.

What Is the Silent Ransom Group?

The Silent Ransom Group is a financially motivated extortion crew that has been active since at least 2022. Researchers at Mandiant track the same activity cluster as UNC3753; Sygnia and other vendors call it Luna Moth, and CrowdStrike has used the label Chatty Spider. Multiple analysts have linked the group's tooling and infrastructure to Russian-speaking operators with prior ties to Conti, which dissolved its public ransomware brand in 2022 and scattered into smaller crews.

SRG does not deploy ransomware. It does not encrypt files. It steals data, threatens to publish it, and calls clients of the victim organization to apply pressure. According to Help Net Security's writeup of the FBI advisory, the group operates a leak site where stolen data is published when negotiations fail.

How Does the In-Person Attack Actually Work?

The FBI describes a three-stage escalation. Stage one is a phishing email impersonating the law firm's IT department. The email asks the employee to call a number for "system maintenance" or to confirm a "ticket." Stage two is a phone call: the SRG operator, on the line, walks the employee through opening a remote desktop session and approving an MFA prompt. If the employee resists or the firm's controls block the remote session, stage three begins.

The FBI's words, quoted from the advisory: "While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer."

In practice, that means a person in plausible vendor or IT contractor attire shows up at the law firm's front desk, says they are there to perform a backup, and asks to be pointed to any workstation. The operative plugs a USB drive in, and the drive runs whatever loader SRG has prepared—usually a combination of legitimate Windows administration utilities (rclone for data exfiltration, AnyDesk or ScreenConnect for persistence) that no antivirus product flags as malicious.

Why Are Law Firms the Primary Target?

Law firms hold a uniquely exploitable combination of data: attorney-client privileged communications, merger and acquisition documents, intellectual property litigation files, sealed settlement terms, and confidential client financial records. The threat of any of that material becoming public—or reaching an opposing party in active litigation—creates extortion leverage that is hard to quantify and nearly impossible to neutralize by paying.

SRG has already published data from at least 38 firms on its leak site, and security researchers tracking the actor estimate the true compromise count exceeds 100. Most never appear publicly, because most firms pay quietly to keep their clients' privileged material off the internet.

Law firms are also a soft target by design. They optimize for client trust, not zero-trust security. Their staff routinely accept courier deliveries, vendor visits, and walk-in meetings. A receptionist who refuses to let "the IT guy from the contractor" into the office is rare. A receptionist who refuses on the suspicion that he might be a Russian-linked extortion operative is rarer still.

Why Does the Phishing Email Still Matter If the Attacker Comes in Person?

Because the email is the reconnaissance. The phishing message is what tells SRG who is on the IT team, what helpdesk vendor the firm uses, who picks up the phone first, and which lawyers have decision-making authority. The follow-up call is what builds the cover story the in-person visit will rely on.

SRG's emails are not the obviously malicious "click here to reset your password" lures most users learn to spot. They are carefully forged to imitate the law firm's existing managed service provider, the brand of helpdesk ticketing system in use, and the cadence of the IT team's actual messages. The same dynamic appeared in our coverage of the Charter Communications vishing breach: a single phone call, scaffolded by a believable phishing email, is enough to compromise an enterprise.

The tracking pixels embedded inside those phishing emails are what tell SRG which firm employees opened the message, when, on which device, and from where. That telemetry is how the crew picks which target to phone next, and ultimately which lobby to walk into.

What Should Law Firms (And Everyone Else) Do Now?

The FBI's recommended controls are the standard ones, and most firms have heard them before: enforce phishing-resistant MFA, restrict unauthorized remote access tools, train employees to verify IT identity through a callback to a known number, and audit who can plug a USB drive into a domain-joined workstation. The advisory also emphasizes blocking unsigned external storage at the endpoint level.

The harder advice is procedural. A firm needs a written rule that no unscheduled IT vendor gets workstation access without two people verifying with a partner, and a corresponding rule that any employee who is asked to approve a remote session by phone hangs up and calls the firm's actual IT lead. The FBI's quote that "traditional antivirus products are unlikely to flag intrusion" because SRG uses legitimate system tools is a polite way of saying that endpoint detection cannot save a firm whose employees have been social engineered into authorizing the attacker themselves.
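One way to turn the advisory's USB-audit and remote-tool-restriction controls into detection logic, as an added example that is not code from the FBI advisory or any vendor: it correlates Windows Security events so that rclone, AnyDesk or ScreenConnect starting shortly after a drive is plugged in is raised at high severity, and any launch of those tools at all is raised for review. It assumes event 6416 ("a new external device was recognized", which requires the Audit PnP Activity subcategory) and event 4688 (process creation with command-line logging enabled) have already been parsed into the dict shape shown; hostnames, paths, users and timestamps are constructed.

```python
"""Correlate external-storage events with remote-access/sync tool launches.
Added example (not FBI or vendor code); every record below is constructed."""
from datetime import datetime, timedelta

# Tools the article names as SRG's living-off-the-land kit, lower-cased.
# If the firm has an approved remote-support binary, it still belongs here:
# the point is that every launch gets reviewed, not silently allowed.
WATCHED_IMAGES = {"rclone.exe", "anydesk.exe", "screenconnect.clientservice.exe"}
WINDOW = timedelta(minutes=15)   # storage recognized -> tool launch window

# Constructed records (assumed shape: fields pulled from Security log XML).
# 6416 = "A new external device was recognized" (needs Audit PnP Activity);
# 4688 = process creation, with command-line logging enabled by policy.
SAMPLE_EVENTS = [
    {"ts": "2026-05-27T09:02:11", "host": "WS-RECEPTION1", "id": 6416,
     "device": "USB\\VID_XXXX&PID_XXXX"},
    {"ts": "2026-05-27T09:04:40", "host": "WS-RECEPTION1", "id": 4688,
     "image": "D:\\tools\\rclone.exe", "cmd": "rclone.exe copy <local> <remote>"},
    {"ts": "2026-05-27T09:05:02", "host": "WS-RECEPTION1", "id": 4688,
     "image": "D:\\AnyDesk.exe", "cmd": "AnyDesk.exe"},
    {"ts": "2026-05-27T11:30:00", "host": "WS-ASSOC7", "id": 4688,
     "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe"},
    {"ts": "2026-05-27T13:00:00", "host": "WS-ASSOC7", "id": 4688,
     "image": "C:\\Users\\assoc\\Downloads\\AnyDesk.exe", "cmd": "AnyDesk.exe"},
]

def correlate(events, window=WINDOW):
    """Return (severity, host, image_name, reason) for each suspicious launch."""
    last_usb = {}   # host -> time of most recent external-device event
    alerts = []
    for e in sorted(events, key=lambda r: r["ts"]):   # ISO stamps sort as text
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 6416:
            last_usb[e["host"]] = t
            continue
        if e["id"] != 4688:
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name not in WATCHED_IMAGES:
            continue
        usb_t = last_usb.get(e["host"])
        if usb_t is not None and t - usb_t <= window:
            alerts.append(("high", e["host"], name,
                           f"launched {t - usb_t} after external storage was recognized"))
        else:
            alerts.append(("medium", e["host"], name,
                           "remote-access/sync tool launched; verify against approved-tool list"))
    return alerts
```

Run against the sample, the reception workstation produces two high-severity alerts (rclone and AnyDesk within minutes of the drive being recognized) and the associate's machine a medium one for an AnyDesk launch with no storage event behind it.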

For individual employees, the email is still the first line of defense. Stopping the reconnaissance phase—the phishing pixel that confirms an employee read the lure, the open tracking signal that maps which lawyers click links, the hidden beacon that times the follow-up call—shuts down SRG's targeting before the operative ever picks a lobby to walk into. Gblock blocks the tracking pixels inside marketing and phishing emails so that opening a message doesn't quietly tell an attacker you're a viable target.
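The beacons described in the reconnaissance section and above can be recognized mechanically; the following is an added example of that check and is not Gblock's code or its rules. It flags a remote image as a tracking pixel when it is 1x1 or smaller, hidden by inline style, or addressed by a URL carrying a long opaque per-recipient token; the helpdesk-themed lure it runs on is constructed, with made-up hostnames.

```python
"""Flag likely tracking pixels in an HTML email body. Added example, not
Gblock's code or rules; the lure below is constructed (made-up hostnames)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")     # long opaque per-recipient id
HIDDEN_RE = re.compile(r"display:none|width:0|height:0|visibility:hidden")

SAMPLE_EMAIL = """<html><body><p>Ticket #48213: scheduled maintenance. Call the helpdesk.</p>
<img src="https://cdn.example-msp.test/logo.png" width="200" height="60">
<img src="https://track.example-msp.test/o.gif?u=jdoe" width="1" height="1">
<img src="https://track.example-msp.test/open.gif" style="display: none; width: 0">
<img src="https://track.example-msp.test/r/9f3kd82ls0a8dk3lsdf9g2hx1.gif" alt="">
</body></html>"""

def _dim(value):
    try:   # '1', '1px' or None -> int, or None when absent/unparseable
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None

def classify(attrs, src):
    """Why this remote <img> looks like a beacon, or None if it looks benign."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return "1x1 or smaller"
    if HIDDEN_RE.search((attrs.get("style") or "").replace(" ", "").lower()):
        return "hidden by style"
    url = urlparse(src)
    values = [v for vs in parse_qs(url.query).values() for v in vs]
    if TOKEN_RE.search(url.path) or any(TOKEN_RE.search(v) for v in values):
        return "per-recipient token in URL"
    return None

class PixelFinder(HTMLParser):
    """Collects (src, reason) for every remote <img> that classify() flags."""
    def __init__(self):
        super().__init__()
        self.beacons = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag != "img" or not src.startswith(("http://", "https://")):
            return   # cid:/data: images cannot report an open to a remote host
        reason = classify(a, src)
        if reason:
            self.beacons.append((src, reason))

def find_tracking_pixels(html):
    finder = PixelFinder()
    finder.feed(html)
    return finder.beacons
```

A mail client or gateway that applies this would drop or proxy the flagged `src` values before rendering, so the logo still loads but the open is never reported.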

What's the Pattern Here?

SRG's escalation from email to phone to physical entry is part of a broader trend in 2026 extortion: the most reliable path to a high-value enterprise is no longer a zero-day. It is a human being. Whether the human shows up over Microsoft Teams, on a phone call, or in a lobby, the failure mode is the same: an employee who believes a stranger when they say "I'm from IT."

The cheapest defense is also the oldest one: verify the stranger before you do what they ask. The FBI's May 26 advisory exists because dozens of law firms did not.
