FBI FLASH: Silent Ransom Group Now Sends Operatives Into US Law Firms With USB Drives

The FBI's May 26 FLASH alert warns that Silent Ransom Group — also tracked as Luna Moth, Chatty Spider, and UNC3753 — is now sending operatives in person to US law firms, posing as IT support and inserting USB drives to steal client data for extortion.


Key Takeaways

  • The FBI's May 26, 2026 FLASH alert says Silent Ransom Group — also tracked as Luna Moth, Chatty Spider, and UNC3753 — is now sending operatives in person to US law firms, posing as IT support and inserting USB drives to steal client data for extortion.
  • SRG is a data-theft-and-extortion operator, not a traditional ransomware encryptor — there is no encryption step; the leverage is the threat of disclosure or sale of stolen client material, and the group has targeted US law firms since Spring 2023.
  • Law firms should treat unannounced 'IT support' visitors as a documented attack vector this week: require pre-confirmed tickets, escort and verify any third party touching a workstation, and lock down USB mass-storage device insertion on workstations where it is not operationally required.

The in-person, posing-as-IT escalation is the genuinely novel TTP — every endpoint and network control predicated on the attacker being remote stops working the moment the attacker walks through the front door of the firm.

WASHINGTON, D.C. — On May 26, 2026, the FBI issued a FLASH alert warning that Silent Ransom Group (SRG) — the financially motivated data-theft-and-extortion crew also tracked as Luna Moth, Chatty Spider, and UNC3753 — is now sending operatives in person to US law firms, posing as IT support employees and inserting USB drives into firm computers to steal sensitive client data. SRG has consistently targeted US law firms since Spring 2023, but the in-person USB-delivery variant is a new escalation of an attack chain that until now ran entirely over the phone and a remote-access tool. The leverage is the same as before: the threat of disclosing or selling stolen client material if the firm refuses to pay.

Crucially, SRG is not a traditional ransomware operator. There is no encryption step in this attack chain. The FBI's FLASH alert and the technical reporting around it describe data theft and extortion — the file system is intact, the firm can keep working, and the threat is reputational, regulatory, and to client trust rather than operational.

Disclosure Overview
Threat Actor: Silent Ransom Group (SRG) — also tracked as Luna Moth, Chatty Spider, and UNC3753
Alert: FBI FLASH alert — issued May 26, 2026
Sector Targeted: US law firms — consistently targeted since Spring 2023
Methodology: Vishing impersonation of IT support, followed by in-person visits where an operative posing as an IT employee inserts a storage device into a firm workstation; a parallel remote variant uses Zoho Assist, AnyDesk, RustDesk, Splashtop, or Atera
What It Steals: Sensitive client data — exfiltrated to cloud or external media and used for extortion
No Encryption: SRG is a data-theft-and-extortion operator, not a ransomware encryptor — there is no encryption step in the attack chain
Prior Public Victims: Orrick, Herrington & Sutcliffe
Motivation: Financial — no nation-state attribution

What Happened

The FBI's May 26, 2026 FLASH alert describes a sustained Silent Ransom Group campaign against US law firms that has now branched into a new physical-presence variant. In the established remote variant, SRG actors call an employee — or send a phishing email designed to prompt a callback — claiming to be from internal IT support, and direct the employee to grant access to a remote desktop session using one of a short list of commercial remote-access tools: Zoho Assist, AnyDesk, RustDesk, Splashtop, or Atera. Once the operator is inside, they identify and exfiltrate sensitive client data to cloud storage they control, then extort the firm with the threat of disclosure or sale.

The in-person variant the FBI is now warning about inverts the assumption that an extortion attack is a remote event. After the initial vishing call to an employee, an SRG actor is dispatched physically to the firm's office, posing as an IT support employee. The actor talks their way to a workstation, inserts a storage device — a USB drive or external hard drive — and steals sensitive data directly to the device. The objective is unchanged: exfiltrate client material and demand a ransom under threat of disclosure. The FBI's alert lists specific warning signs to hunt for: unauthorized downloads or installations of Zoho Assist, AnyDesk, RustDesk, Splashtop, or Atera; anomalous cloud-storage data transfers; external hard drive installations on workstations; and unsolicited inbound calls from people claiming to be in IT support. Prior SRG victims include Orrick, Herrington & Sutcliffe.

Silent Ransom Group, Luna Moth, Chatty Spider, UNC3753 — One Crew, Four Names

Silent Ransom Group goes by four names in public reporting, and getting the aliases right matters because defenders consume threat intelligence indexed under each one. The same crew is tracked as SRG (in the FBI's FLASH alert), as Luna Moth (in most vendor reporting and the name most law-firm CISOs will recognize), as Chatty Spider (in CrowdStrike's adversary taxonomy), and as UNC3753 (in Mandiant's). The group is widely reported as descending from or related to the Conti and Karakurt extortion ecosystem — the same operator family The CyberSignal covered when the first US Karakurt sentencing landed earlier this month. SRG's lineage matters less than its current method, but the connection is the reason the group's vishing-and-extortion craft is unusually polished. SRG has consistently targeted US law firms since Spring 2023; the in-person USB variant is a new escalation of a playbook the operator has been refining for two years.

Why Law Firms — and Why the In-Person Step Matters

The choice of US law firms as a sector is strategic, not opportunistic. Law firms hold privileged client data — litigation work product, deal documents, sealed exhibits, personal information about clients and counterparties — that has high extortion leverage precisely because disclosure carries professional-responsibility and regulatory consequences a typical commercial victim does not face. The disclosure question for a law firm is uniquely fraught: attorney-client privilege, bar-reporting obligations, and contractual confidentiality undertakings with clients can all be implicated by the same leak. The in-person USB step adds a second axis of difficulty: it defeats network-egress controls, endpoint-DLP tools, and any detection that assumes the attacker is reaching the workstation over a wire. A USB drive in a workstation's front port leaves the building in someone's pocket. For a sector that, on average, runs leaner physical-security operations than a corporate enterprise of equivalent revenue, that is a meaningful gap.

The In-Person Variant Is the Vishing Playbook Walking Through the Door

The remote-vishing variant of the SRG attack chain is itself part of a 2026 pattern The CyberSignal has tracked closely. Attackers calling employees while posing as IT support is the same human-layer manipulation underneath the Kali365 phishing-as-a-service operation the FBI named in March, which combined device-code phishing with IT-impersonation calls to harvest Microsoft 365 tokens, and the same family of tradecraft as the Tycoon2FA OAuth device-code variant that uses Microsoft's own login page against M365 tenants. What SRG has done is extend that playbook physically. The call that until now ended with a remote-desktop session now ends with a person showing up at the firm's reception desk wearing the right kind of lanyard. Reception staff trained to recognize a phishing email and SOC analysts trained to spot a suspicious remote-access tool are not the people who decide whether to walk an apparent IT vendor to a partner's workstation; reception, office services, and facilities staff are. That is a different defensive perimeter than most law firms have ever consciously hardened.

FBI Warning Signs — What to Hunt For
Remote-access tools: Unauthorized downloads or installations of Zoho Assist, AnyDesk, RustDesk, Splashtop, or Atera on firm workstations
Cloud data movement: Anomalous cloud-storage data transfers, especially to consumer cloud services or to accounts not associated with the firm
External media: External hard drive or USB mass-storage device installations on workstations — particularly on workstations where removable media is not operationally required
Inbound calls: Unsolicited inbound calls from individuals claiming to be in IT support, especially calls that direct the recipient to install or grant access to a remote-desktop tool
Physical visitor pattern: An 'IT support' phone call to a firm employee followed within hours or days by an unannounced or weakly-credentialed on-site IT visitor — the pairing is the SRG signature
Initial-access proxy: Phishing emails that prompt a callback to a phone number controlled by the attacker, used to set up the vishing call

Scope and Impact

The most important framing for this story is what is not happening. SRG is not encrypting law-firm file servers. There is no ransom note on the desktop, no extension change on the documents, no decryptor for sale. The attack chain ends with stolen data sitting on the attacker's infrastructure and an extortion demand backed by the threat of leaking or selling client material. That is materially different from the ransomware victim experience most general counsel and CISOs have in their incident-response playbooks, and the difference shapes the response. The recovery question becomes a disclosure-and-notification question; the business-continuity question is largely moot. The same data-theft-only framing is what The CyberSignal flagged in the recent Radiology Associates, Docketwise, and Oncology Institute breach round-up — when the attacker takes only data, the defender's playbook has to change with them.

Several specifics in the FBI's FLASH alert remain unconfirmed publicly. The alert does not enumerate which specific law firms have been hit by the in-person variant, what geographic concentration within the US the campaign has, how SRG selects which firm staff to impersonate and which office to physically visit, or whether the group has tried the in-person variant outside the legal sector. The relative success rate of the in-person versus the remote vishing variant has not been disclosed, and no in-person SRG operative has been publicly identified or arrested. What the alert does establish is that the FBI has seen this technique used often enough — and consequentially enough — to issue a FLASH alert naming the sector and the indicators.

SRG also sits in a broader 2026 enforcement and intelligence picture that is sharper than the threat actor's typical operating environment. The first US Karakurt sentencing earlier this month produced an 8.5-year federal prison sentence for a Conti-ecosystem ransom negotiator and explicitly named the Conti-led organizational umbrella SRG is widely reported as part of. Days earlier, Europol coordinated the first major takedown of a privacy-VPN provider used for cybercrime anonymity, removing infrastructure that extortion crews like SRG have historically relied on. The crew is operating in a tighter enforcement environment than it was in Spring 2023, and the move to in-person delivery may be partly a response to that pressure — fewer remote callbacks, fewer logged sessions, fewer artifacts for a US task force to subpoena. Walking in with a USB drive leaves a different evidentiary trail than a remote-desktop session terminated through a privacy VPN.

Response and Attribution

For US law firms, the most useful immediate action is operational, not technical. Brief reception, office services, IT, and legal-support staff this week that unannounced 'IT support' visitors are now a documented attack vector — and write the rule that no IT vendor or internal IT employee accesses a workstation without a pre-confirmed ticket and verified identity. The verification needs to flow the right direction: when a visitor presents, reception calls the named internal IT contact using a known internal extension, not a number the visitor provides. Mandate visitor escort and ID verification for any third party touching a workstation. Disable or alert on USB mass-storage device insertion on workstations where it is not operationally required, and enforce removable-media restrictions through endpoint policy rather than honor-system signage. At the network and endpoint layer, detect and block the named remote-access tools — Zoho Assist, AnyDesk, RustDesk, Splashtop, Atera — wherever they are not legitimately deployed.

For SOC and threat-hunting teams supporting legal-sector clients, hunt for the FBI's named warning signs across the environment: unauthorized installations of the five remote-access tools, anomalous cloud-storage data transfers, external-media device installations, and unsolicited 'IT support' inbound call attempts captured at the helpdesk or in voicemail. Add the in-person-USB vector to the firm's incident-response playbook explicitly. The entry vector is a physical artifact, which means the investigation surface includes physical-access logs, lobby and floor camera footage, visitor sign-in records, and badge-reader logs alongside the usual endpoint, network, and identity telemetry. Correlate 'IT support' call attempts with on-site visitor activity in the same time window — that pairing is the SRG signature the FBI is, in effect, telling defenders to watch for.
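The hunt described above, as an added example that is not part of the FBI alert or the original article: it runs the three FBI warning signs (unauthorized installs of the five named remote-access tools, USB mass-storage insertions on hosts without an approved need, and an 'IT support' call paired with an unticketed IT visitor) over constructed helpdesk, lobby and endpoint records. The record layouts, the three-day pairing window and the allowlists are assumptions a firm would replace with its own.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real firm data); timestamps are local ISO 8601.
HELPDESK_CALLS = [  # unsolicited inbound calls logged by the helpdesk or reception
    {"ts": "2026-05-20T10:05", "caller_claim": "IT support", "target_user": "jdoe"},
    {"ts": "2026-05-21T15:40", "caller_claim": "client", "target_user": "asmith"},
]
VISITOR_LOG = [  # lobby sign-in records; 'ticket' is the pre-confirmed ticket number, if any
    {"ts": "2026-05-21T09:30", "name": "R. Vendor", "purpose": "IT support", "ticket": None},
    {"ts": "2026-05-22T11:00", "name": "K. Courier", "purpose": "delivery", "ticket": None},
]
ENDPOINT_EVENTS = [  # workstation telemetry: software installs and USB mass-storage arrivals
    {"ts": "2026-05-21T09:52", "host": "WS-PARTNER-07", "user": "jdoe", "kind": "usb_mass_storage"},
    {"ts": "2026-05-21T13:10", "host": "WS-PARALEGAL-03", "user": "asmith", "kind": "install", "product": "AnyDesk"},
    {"ts": "2026-05-22T08:00", "host": "WS-ADMIN-01", "user": "itadmin", "kind": "install", "product": "Microsoft Teams"},
]

SRG_REMOTE_TOOLS = {"zoho assist", "anydesk", "rustdesk", "splashtop", "atera"}  # named by the FBI
USB_ALLOWED_HOSTS = {"WS-ADMIN-01"}   # assumed: hosts with an approved operational need for removable media
PAIRING_WINDOW = timedelta(days=3)    # assumed: how long after the call a visit still counts as paired


def _t(s):
    return datetime.fromisoformat(s)


def unauthorized_remote_tools(events, allowlist=frozenset()):
    """Installs of the five FBI-named remote-access tools on hosts not approved to run them."""
    return [e for e in events if e["kind"] == "install"
            and e.get("product", "").lower() in SRG_REMOTE_TOOLS and e["host"] not in allowlist]


def unexpected_usb(events, allowed_hosts):
    """USB mass-storage insertions on workstations where removable media is not required."""
    return [e for e in events if e["kind"] == "usb_mass_storage" and e["host"] not in allowed_hosts]


def call_visit_pairs(calls, visitors, events, window=PAIRING_WINDOW):
    """The SRG signature: an 'IT support' call, then an unticketed IT visitor within the window.
    Each hit also lists USB insertions by the called user on the day of the visit."""
    hits = []
    for c in (c for c in calls if "it support" in c["caller_claim"].lower()):
        for v in visitors:
            delta = _t(v["ts"]) - _t(c["ts"])
            if "it support" in v["purpose"].lower() and v["ticket"] is None and timedelta(0) <= delta <= window:
                usb = [e["host"] for e in events if e["kind"] == "usb_mass_storage"
                       and e["user"] == c["target_user"] and _t(e["ts"]).date() == _t(v["ts"]).date()]
                hits.append({"call": c["ts"], "visit": v["ts"], "visitor": v["name"], "usb_hosts": usb})
    return hits


if __name__ == "__main__":
    print("remote tools:", unauthorized_remote_tools(ENDPOINT_EVENTS))
    print("unexpected USB:", unexpected_usb(ENDPOINT_EVENTS, USB_ALLOWED_HOSTS))
    print("call/visit pairs:", call_visit_pairs(HELPDESK_CALLS, VISITOR_LOG, ENDPOINT_EVENTS))
```

On the sample data the pairing check fires once: the 'IT support' call to jdoe on May 20, the unticketed IT visitor the next morning, and a USB insertion on jdoe's workstation 22 minutes after sign-in.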

For privacy, compliance, and legal teams inside law firms, client-data exposure carries heightened professional-responsibility implications that other sectors do not face, and the response plan needs to reflect them. Build an SRG-specific tabletop into the firm's IR plan that walks through a real disclosure decision: which clients have to be told, on what timeline, with what level of detail, and how the firm's own privilege and confidentiality obligations interact with mandatory breach-notification laws. Coordinate with the firm's malpractice and cyber insurers on the in-person variant specifically — cyber-policy language may distinguish between digital and physical intrusion in ways that affect coverage, and that distinction is worth resolving before an incident, not after. Treat the FBI's warning as the basis for proactive client communication where appropriate: clients whose matters are highest-leverage for extortion benefit from knowing the firm has read the alert and changed its visitor-access procedures.


The CyberSignal Analysis

Signal 01 — Physical Access Is Now an Active Extortion Vector, Not a Theoretical One

Most coverage of this FBI alert will frame the in-person USB step as a striking detail in an otherwise familiar extortion story. The CyberSignal's read is that the in-person step is the story. For most of the last decade, physical access has been treated as a defeat condition for security architectures but a low-probability one — the threat-modeling assumption being that a financially motivated extortion crew would rather call than fly. The FBI is now telling defenders that assumption is wrong for at least one named, active operator targeting at least one named, attractive sector. The implication generalizes beyond US law firms. Any organization that holds high-leverage data, runs visibly soft physical-security operations, and presents a manageable on-site attack surface — boutique consultancies, mid-market healthcare, specialty financial services — should re-read its own assumptions about who is on the other side of the reception desk.

Signal 02 — 'Data Theft and Extortion' Is Not 'Ransomware,' and the Distinction Matters

Calling SRG a 'ransomware group' — which a lot of coverage will, because that is the available shorthand — is wrong in a way that materially affects the defender response. There is no encryption step in this attack chain. The file system is intact, business continuity is not at risk, and there is no decryptor to negotiate over. The leverage is entirely reputational, regulatory, and tied to client trust. That changes the calculus on whether and how to engage the attacker, what the firm tells clients and when, and what the firm's insurance covers. It also changes how the security team measures the impact: the relevant metric is data-stolen, not systems-down. CISOs and general counsel who default to the ransomware playbook will get the response wrong. SRG is an extortion crew, full stop, and the disclosure pathway is the incident.

Signal 03 — The Defensive Perimeter Just Moved to Reception

The single most concrete operational implication of the FBI's FLASH alert is that the people best positioned to stop an SRG in-person attempt are the firm's reception, office services, and facilities staff, not the firm's SOC. That is an unusual sentence to write, and it is the sentence law-firm CISOs should be repeating to their managing partners this week. The defensive intervention is a visitor-verification protocol, a USB-port policy, and an escort requirement — none of which are technology problems and all of which require operational buy-in from people who do not typically attend security briefings. The 2026 pattern The CyberSignal keeps surfacing in attacks like Kali365 and Tycoon2FA is that the human layer is the soft surface; SRG's escalation is the logical next step from telephone vishing to a person in the building. The firms that will be hardest to hit twelve months from now are the ones that, in the next two weeks, treat 'how does an IT visitor get to a workstation here' as a serious security question.


Sources

Primary: FBI — FLASH alert: Silent Ransom Group Targeting Law Firms
Reporting: BleepingComputer — FBI Warns of Silent Ransom Group In-Person Data-Theft Attacks
Reporting: SecurityWeek — FBI: Hackers Sending Operatives In-Person to Insert USB Drives and Steal Data
Reporting: DataBreaches.net — Silent Ransom Group Leaked Another Big Law Firm: Orrick, Herrington & Sutcliffe
Analysis: HIPAA Journal — Silent Ransom Group Law Firm Vishing Attacks
Analysis: Halcyon — FBI Alerts on Silent Ransom Group Targeting Law Firms
Analysis: Cyble — FBI Warns Silent Ransom Targeting US Law Firms