On May 27, 2026, the FBI issued a Flash alert warning that the Silent Ransom Group — a Russia-linked data-extortion crew also known as Luna Moth — is now showing up in person at U.S. law firms while posing as IT staff, after first trying to trick employees over the phone. The group skips encryption entirely, quietly copies sensitive client files to a USB drive, and then extorts the firm with threats to publish the data. For any small York County business with a front desk and a help-desk phone line — not just law firms — the playbook is a wake-up call about how attackers are bypassing antivirus by exploiting people.
What the FBI actually said
The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. As of Spring 2026, SRG actors pose as an employee from the victim's IT department, either directly calling or sending phishing emails to urge employees to call the SRG actor posing as IT support. While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to insert a storage device into the victim's computer.
This is the FBI's second public warning about this group in 12 months, and the first at the higher "FLASH" severity for this actor. The gang has already had data from more than 38 firms published on its public leak site, and researchers say the total attack count exceeds 100 — with activity surging sharply in early 2026.
The group has several aliases you may see in other coverage: Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753.
Why this attack is so hard to spot
Most security tools are built to catch malware, and SRG doesn't use any. What makes the approach so hard to defend against is what it does not do: no ransomware, no encryption, no malware payloads. Desktops do not lock, there are no splash screens demanding payment, and IT systems keep working normally. The attack can be entirely invisible until a ransom email arrives threatening to post the stolen data on SRG's publicly accessible clearnet leak site unless a payment is made.
The FBI itself flagged the detection problem in plain terms: Recent SRG campaigns left few artifacts on compromised machines. Traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack.
Translation: if your only defenses are antivirus and a firewall, you will not see this coming.
The attack chain, in plain English
1. A phishing email or cold call arrives. One such campaign involved phishing emails notifying the recipient about a subscription for a service that was about to incur a charge. The recipient was told that in order to prevent that charge, they must call the telephone number provided in the email. The call would be answered, and the user would be tricked into downloading remote access software, which was used to gain persistent access to the user's systems.
2. If the remote trick fails, they send a person. When an employee is suspicious, hangs up, or simply does not cooperate, SRG does not move on to the next target; it sends someone to the office. The pretext is the same whether the operative is on the phone or physically present: they say they need to "image the device or create a backup file."
3. Once data is stolen, the pressure starts. The group reinforces extortion pressure after exfiltration by calling employees and clients of victim organizations directly — a harassment escalation designed to trigger urgency and reputational panic before any ransom negotiation begins.
What your IT provider should already be doing about this
The FBI's FLASH alert identifies specific indicators that law firms, and the MSPs that support them, should treat as high-priority warnings:
- Unauthorized USB drives or external hard drives connected to company computers
- Unidentified individuals on premises claiming to be IT support
- Unexpected remote desktop session requests from someone claiming to be an internal help desk
- Phishing emails referencing subscription charges with instructions to call a support number
A competent managed-IT provider should already be doing the following on your behalf:
- Blocking or alerting on unauthorized USB mass-storage devices via endpoint policy
- Monitoring for unusual installs or launches of remote-access tools (AnyDesk, ScreenConnect, Atera, Splashtop, Quick Assist), especially ones your provider did not deploy
- Enforcing phishing-resistant MFA on email and remote access
- Locking down which staff can approve remote sessions
- Running tabletop exercises so receptionists and office managers know how to verify an "IT visitor" before letting them touch a keyboard
If your provider can't tell you which of those are in place today, that's a gap. York Computer's managed IT services are built around exactly this kind of layered, behavior-aware defense, not just antivirus and a router.
One more practical control: a verified callback policy. No one from "IT" — internal or outsourced — should ever be granted a remote session from a cold phone call. Hang up, look up the real help-desk number from a known source, and call back. That single habit defeats the entire opening move of this attack.
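To make the "USB device control and remote-access monitoring" items above concrete, here is an added example (not from the FBI alert or from any vendor) of the detection logic an MSP's monitoring could run over Windows Security events. It uses the field names of event 4688 (process creation) and 6416 (external device recognized, which requires the Audit PnP Activity subcategory to be enabled). The sample records are constructed, the executable names mapped to each product are my assumptions and should be adjusted to what your provider actually deploys, and the two-hour pairing rule is a heuristic of mine for the remote-then-in-person sequence the alert describes.

```python
"""Flag the SRG indicators that endpoint telemetry can actually see:
remote-access tool launches and removable storage attachment.

Records are constructed sample data, not real telemetry, using the field
names of Windows Security events 4688 and 6416.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Products named in coverage of the alert; the executable names are my
# assumptions and should match whatever your MSP really installs.
REMOTE_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "srserver.exe": "Splashtop",
    "quickassist.exe": "Quick Assist",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Folders where a "download this so I can image your PC" pretext lands a binary.
USER_WRITABLE = {"downloads", "temp", "desktop"}
PAIRING_WINDOW = timedelta(hours=2)  # heuristic, not from the FBI alert


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def process_alert(event, approved):
    """Alert on a 4688 event that starts a remote-access tool, unless it is an
    approved tool running from a managed install location (e.g. Program Files)."""
    path = PureWindowsPath(event["NewProcessName"])
    tool = REMOTE_TOOLS.get(path.name.lower())
    if tool is None:
        return None
    folders = {part.lower() for part in path.parts[:-1]}
    user_path = bool(folders & USER_WRITABLE)
    parent = PureWindowsPath(event.get("ParentProcessName", "")).name.lower()
    if tool in approved and not user_path:
        return None  # the MSP's own agent doing its job
    severity = "high" if (user_path or parent in BROWSERS) else "medium"
    return {"ts": _ts(event), "host": event["Computer"], "user": event["SubjectUserName"],
            "kind": "remote_tool", "severity": severity,
            "detail": f"{tool} started from {path} (parent {parent or 'unknown'})"}


def device_alert(event):
    """Alert on a 6416 event that looks like removable storage. Heuristic on the
    device class and description; keyboards and mice do not match."""
    desc = event.get("DeviceDescription", "").lower()
    cls = event.get("ClassName", "").lower()
    if cls == "diskdrive" or "mass storage" in desc:
        return {"ts": _ts(event), "host": event["Computer"], "user": event["SubjectUserName"],
                "kind": "usb_storage", "severity": "high",
                "detail": f"external storage recognized: {event['DeviceDescription']}"}
    return None


def detect(events, approved_tools=frozenset()):
    """Run both detections and add a correlation alert when one host sees a
    remote-tool launch and a USB drive within PAIRING_WINDOW."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4688:
            hit = process_alert(ev, approved_tools)
        elif ev["EventID"] == 6416:
            hit = device_alert(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    for host, hits in by_host.items():
        remote = [a for a in hits if a["kind"] == "remote_tool"]
        usb = [a for a in hits if a["kind"] == "usb_storage"]
        for r in remote:
            for u in usb:
                if abs(u["ts"] - r["ts"]) <= PAIRING_WINDOW:
                    alerts.append({"ts": max(r["ts"], u["ts"]), "host": host, "user": u["user"],
                                   "kind": "remote_then_usb", "severity": "critical",
                                   "detail": "remote tool and removable storage on one host within 2h"})
    return sorted(alerts, key=lambda a: a["ts"])


# Constructed sample records: field names follow the Windows events, values are made up.
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-05-27T10:14:03", "Computer": "WKS-RECEPTION", "EventID": 4688,
     "SubjectUserName": "jdoe", "NewProcessName": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"TimeCreated": "2026-05-27T10:15:40", "Computer": "WKS-ACCT", "EventID": 4688,
     "SubjectUserName": "SYSTEM", "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"},
    {"TimeCreated": "2026-05-27T10:20:11", "Computer": "WKS-ACCT", "EventID": 4688,
     "SubjectUserName": "mlee", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"TimeCreated": "2026-05-27T11:02:55", "Computer": "WKS-RECEPTION", "EventID": 6416,
     "SubjectUserName": "jdoe", "ClassName": "USB", "DeviceDescription": "USB Mass Storage Device"},
    {"TimeCreated": "2026-05-27T11:05:00", "Computer": "WKS-ACCT", "EventID": 6416,
     "SubjectUserName": "mlee", "ClassName": "HIDClass", "DeviceDescription": "HID Keyboard Device"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, approved_tools={"ScreenConnect"}):
        print(a["ts"], a["host"], a["severity"].upper(), a["kind"], "-", a["detail"])
```

On the sample data the approved ScreenConnect agent on WKS-ACCT is ignored, the AnyDesk binary launched from a Downloads folder by a browser on the reception PC is flagged high, the mass-storage device on the same PC 49 minutes later is flagged high, and the pair is escalated to critical. Whether any of this fires depends on the audit policy being on in the first place, which is a concrete question to put to your provider.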
It's not just law firms
The FBI singled out the legal sector, but SRG hits other industries too. Silent Ransom Group, a data theft and extortion group that targets law firms, healthcare organizations, and insurance and finance companies, is conducting a social engineering campaign posing as IT support workers. Any small business that holds sensitive client data — medical practices, accounting firms, insurance agencies, financial advisors — fits the profile. The defenses are the same regardless of vertical.
What York Businesses Should Do
York County has dozens of small and mid-size law practices, medical offices, and accounting firms within a short drive of Continental Square — exactly the profile SRG targets. This week is a good time to brief your front-desk staff on the "verify before you let anyone touch a keyboard" rule and to confirm with your IT provider that USB device control and remote-access monitoring are actually turned on.
Sources
- FBI Flash Alert: Silent Ransom Group Impersonating IT Personnel (IC3, May 26, 2026)
- FBI warns of in-person data theft attacks from extortion gang (BleepingComputer)
- Silent Ransom Group Sends Operatives Into Law Firm Offices: 38 Firms Already Leaked (TechTimes)
- FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person (CyberScoop)
- Hackers are knocking on office doors pretending to be IT staff (Help Net Security)
- Extortion Group Conducts Social Engineering Campaign Impersonating Victim's IT Department (HIPAA Journal)