Silent Ransom Group uses fake IT staff in-person

Google and the FBI warn that Silent Ransom Group has escalated attacks on law firms by sometimes sending fake IT workers to victims’ offices, where the imposters steal data from employees’ computers using USB drives or help other attackers connect remotely. Th

For some law firms, the breach didn’t start with a suspicious email. It began with a person in the office—someone who looked like IT support, walked in, and used proximity to get to the most valuable thing: the computer on the desk.

Google and the FBI say the ransomware group Silent Ransom Group has, in some cases, moved beyond remote phishing and malware. Their warning is blunt: the gang has attempted to steal information through “physical, in-person access,” including scenarios where imposters connect directly to victims’ devices during a visit. In others, the fake IT workers are said to help other members of the group connect remotely.

Google’s cybersecurity teams—Mandiant and the Google Threat Intelligence Group—published a report accusing Silent Ransom Group of trying to steal victims’ information using this kind of in-person access. The activity they point to ran from January through May of this year and targeted “dozens” of victims.

The warning is tied to a tactic that Mandiant chief technology officer Charles Carmakal says the company has seen before in other incidents: he told TechCrunch that Mandiant has investigated cases where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks.

Last month, the FBI issued an alert focused on Silent Ransom Group targeting law firms with social engineering and phishing attacks that pretended to be IT support. The new escalation is the piece that makes the threat feel closer to the front door. In some cases described by the FBI, the group sent fake IT support personnel to victims’ offices and connected to employees’ computers. From there, they used USB drives or remote access tools to steal data.

That stolen material can include contracts, personal information such as Social Security numbers, and financial and tax records. The FBI spokesperson also confirmed to TechCrunch that there have been multiple instances where people impersonating IT support gained or attempted to gain physical in-person access to victim companies’ offices and/or devices as part of Silent Ransom Group’s scheme to exfiltrate data.

The gang’s pressure tactics fit a familiar pattern, even if the delivery method has shifted. Silent Ransom Group uses a leak site and threatens victims with the publication of stolen data, then publishes it if the victim doesn’t pay. This approach does not involve encrypting data the way traditional ransomware attacks do.

The pressure sometimes comes in direct emails to victims. One message quoted by Google reads: “In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data.”

Google’s report also says the attackers rely on more traditional techniques, including phishing emails, follow-up phone calls, and social engineering. The cybercriminals pretend to be the company’s IT support to trick victims into granting access to their computers. In those campaigns, Google describes callers using verbal instructions to build trust—sometimes by claiming they are addressing a security issue or helping with a corporate data migration project—and steering the target into joining a screen-sharing session.

Once the screen-sharing starts, the attackers aim to bypass safeguards by getting victims to download and open screen-sharing applications. They can also use screen-sharing features in tools such as Zoom or Microsoft Teams.
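The two data-theft paths the article describes, removable media plugged into a desk machine and a support tool opened during a call, both leave endpoint telemetry that a defender can correlate. The following is an added example written for this page, not code from Google, Mandiant, the FBI or the article: two small correlation rules run over constructed sample events. The log schema, hostnames, user names, tool names and thresholds are all assumptions of the example.

```python
"""Added example (not from the article or the cited reports): correlate
removable-media writes and browser-launched remote-support tools from
constructed endpoint telemetry. Field names and values are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry, one JSON object per line. The schema is an
# assumption of this example, not any vendor's format. Hosts WKS-17 and
# WKS-22 show the two suspicious shapes; WKS-09 is benign noise.
SAMPLE_LOG = r"""
{"ts":"2025-03-04T10:02:11Z","host":"WKS-17","user":"jdoe","event":"usb_mount","volume":"E:","vendor":"Generic Flash Disk"}
{"ts":"2025-03-04T10:03:40Z","host":"WKS-17","user":"jdoe","event":"file_write","path":"E:\\clients\\matter_4411.zip","bytes":734003200}
{"ts":"2025-03-04T10:04:02Z","host":"WKS-17","user":"jdoe","event":"file_write","path":"E:\\clients\\tax_2024.zip","bytes":120586240}
{"ts":"2025-03-04T11:15:00Z","host":"WKS-22","user":"asmith","event":"process_start","image":"C:\\Users\\asmith\\Downloads\\support_session.exe","parent":"chrome.exe"}
{"ts":"2025-03-04T11:16:30Z","host":"WKS-22","user":"asmith","event":"net_connect","image":"C:\\Users\\asmith\\Downloads\\support_session.exe","dst":"203.0.113.50:443"}
{"ts":"2025-03-04T12:00:00Z","host":"WKS-09","user":"bwong","event":"process_start","image":"C:\\Program Files\\Microsoft\\Teams\\Teams.exe","parent":"explorer.exe"}
{"ts":"2025-03-04T12:30:00Z","host":"WKS-09","user":"bwong","event":"usb_mount","volume":"F:","vendor":"Generic Flash Disk"}
"""

WINDOW = timedelta(minutes=30)               # correlation window (assumed)
EXFIL_BYTES = 100 * 1024 * 1024              # 100 MiB to removable media (assumed)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\")


def parse_events(text):
    """Parse one JSON event per line and sort by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def removable_media_alerts(events):
    """Pair each removable-media mount with the bytes written to that volume
    on the same host inside WINDOW; alert when the total crosses EXFIL_BYTES."""
    alerts = []
    for m in (e for e in events if e["event"] == "usb_mount"):
        written = sum(
            e["bytes"] for e in events
            if e["event"] == "file_write"
            and e["host"] == m["host"]
            and e["path"].upper().startswith(m["volume"].upper())
            and m["ts"] <= e["ts"] <= m["ts"] + WINDOW
        )
        if written >= EXFIL_BYTES:
            alerts.append({"rule": "removable_media_exfil", "host": m["host"],
                           "user": m["user"], "volume": m["volume"], "bytes": written})
    return alerts


def unmanaged_remote_tool_alerts(events):
    """Flag a process launched by a browser from a user-writable path that then
    opens an outbound connection: the shape of a support tool downloaded during
    a call rather than one deployed by the real IT team."""
    alerts = []
    starts = [e for e in events if e["event"] == "process_start"
              and e["parent"].lower() in BROWSERS
              and any(s in e["image"].lower() for s in USER_WRITABLE)]
    for s in starts:
        conns = [e for e in events if e["event"] == "net_connect"
                 and e["host"] == s["host"] and e["image"] == s["image"]
                 and s["ts"] <= e["ts"] <= s["ts"] + WINDOW]
        if conns:
            alerts.append({"rule": "unmanaged_remote_tool", "host": s["host"],
                           "user": s["user"], "image": s["image"], "dst": conns[0]["dst"]})
    return alerts


def run(text=SAMPLE_LOG):
    """Run both rules over the telemetry and return the combined alert list."""
    events = parse_events(text)
    return removable_media_alerts(events) + unmanaged_remote_tool_alerts(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input the first rule fires for WKS-17 (two large archives copied to the freshly mounted E: volume) and the second for WKS-22 (a browser-downloaded executable that immediately calls out). The Teams launch on WKS-09 is deliberately not flagged: as the article notes, the group also abuses sanctioned tools such as Zoom or Teams, and a process-based rule cannot tell a legitimate meeting from a coerced screen-share, so that gap is closed by procedure (verifying any "IT support" contact through a known internal channel) rather than by this detection.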

Even with remote tactics still central to the group’s work, these cases show the gap between “someone got tricked” and “someone got into the office” is narrowing. Silent Ransom Group’s methods, as described by Google and the FBI, blend familiar social engineering with physical intrusion—turning a cyberattack into something that can play out in real time, under the same roof as the people it targets.

4 Comments

  1. I swear law firms always get hit because they think they’re special. Like, “it wasn’t phishing” and then it’s still somehow somebody with a USB doing chaos.

  2. USB drives again… that’s like from the 90s lol. But if a “fake IT person” can just grab info off someone’s desk that fast, then your building security is basically nothing. Also isn’t it illegal to be in a suit that looks official? Just curious.

  3. This is why I don’t trust office visitors. I read it as they’re stealing data from employees’ computers by plugging in stuff, which like… yeah, but then it also says they help other attackers connect remotely, so it’s double trouble. My cousin works at a firm and they “have IT come by sometimes,” and now I’m like wait, how do they even know who is real? Kinda scary that it didn’t start with an email, because everyone always focuses on spam messages.
