Overview
- The FBI issued a flash alert Tuesday saying Silent Ransom Group (SRG) has updated its campaign against U.S. law firms to include people who show up at offices posing as IT staff and plug in USB or external drives when remote access fails.
- SRG first uses callback phishing and phone-based impersonation to get victims to grant remote desktop access, and when that fails it sends an individual to the workplace to claim a backup or image is needed before inserting a storage device.
- After gaining access, the actors escalate privileges and copy files using legitimate tools such as WinSCP or Rclone, or by moving data to Google Drive or OneDrive, then extort firms by threatening to publish or sell sensitive client and case files.
- Researchers say SRG has operated since at least 2022 and has focused on law firms since 2023, with activity surging recently; analysts suspect Russia-based operators hire local gig workers for calls and in-person tasks, which complicates attribution.
- The FBI recommends verifying any person claiming to be internal IT, disabling external-drive installation, restricting remote-admin tools, using phishing-resistant multi-factor authentication, blocking exploited ports, and training staff to spot callback phishing.
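One way to act on the "disabling external-drive installation" item above is to check, and optionally enforce, the two Windows policy settings that block removable storage. The script below is an added example written for this summary, not code from the FBI alert or the article; it assumes an elevated PowerShell session on a Windows host and uses the registry equivalents of the Group Policy settings "Prevent installation of removable devices" and "All Removable Storage classes: Deny all access". Treating both settings as required is this example's choice.

```powershell
# Added example (not from the FBI alert or the original article): audit, and
# optionally enforce, the Windows policy settings that disable installation of
# and access to removable storage. Run from an elevated PowerShell session.
# Registry paths and value names are the standard Group Policy equivalents;
# requiring both settings is an assumption made for this example.
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$RequiredPolicies = @(
    @{
        # Group Policy: "Prevent installation of removable devices"
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
        Name  = 'DenyRemovableDevices'
        Value = 1
    },
    @{
        # Group Policy: "All Removable Storage classes: Deny all access"
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
        Name  = 'Deny_All'
        Value = 1
    }
)

function Get-PolicyState {
    # Returns the current value of one policy and whether it matches the expected one.
    param([hashtable]$Policy)
    $current = $null
    if (Test-Path $Policy.Path) {
        $current = (Get-ItemProperty -Path $Policy.Path -Name $Policy.Name `
            -ErrorAction SilentlyContinue).($Policy.Name)
    }
    [pscustomobject]@{
        Policy    = "$($Policy.Path)\$($Policy.Name)"
        Expected  = $Policy.Value
        Current   = $current
        Compliant = ($current -eq $Policy.Value)
    }
}

function Set-PolicyState {
    # Creates the policy key if needed and writes the expected DWORD value.
    param([hashtable]$Policy)
    if (-not (Test-Path $Policy.Path)) {
        New-Item -Path $Policy.Path -Force | Out-Null
    }
    New-ItemProperty -Path $Policy.Path -Name $Policy.Name -Value $Policy.Value `
        -PropertyType DWord -Force | Out-Null
}

$results = foreach ($p in $RequiredPolicies) {
    $state = Get-PolicyState -Policy $p
    if (-not $state.Compliant -and $Enforce) {
        Set-PolicyState -Policy $p
        $state = Get-PolicyState -Policy $p   # re-read to confirm the write took effect
    }
    $state
}

$results | Format-Table -AutoSize

# Also list removable disks currently attached, so an unexpected drive stands
# out during a check. Get-Disk comes from the built-in Storage module.
Get-Disk | Where-Object { $_.BusType -in 'USB', '1394' } |
    Select-Object Number, FriendlyName, BusType, Size
```

Save the script as a .ps1 file and run it without arguments to get a compliance report, or with -Enforce to write the values. On a domain-joined machine, centrally managed Group Policy will overwrite local registry values at the next refresh, so the lasting fix is to deploy the same two settings through a GPO; the DeviceInstall restriction only stops new device installations, so drives that were already installed before the policy was applied are covered by the Deny_All access setting rather than by the installation block.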