The FBI issued a FLASH alert on 26 May 2026 documenting a tactic that most security programmes are not built to stop. The Silent Ransom Group has been sending people into victim premises.
When phishing fails and the vishing gambit does not land, SRG operatives have shown up at law firm offices in person, presented themselves as IT support, and attempted to gain physical access to workstations. The FLASH document is TLP:CLEAR. The campaign is ongoing.
How the attack chain works
The standard SRG approach begins with a phone call or a phishing email. An operative impersonates the firm’s own IT helpdesk — the pretext is usually urgent: a security alert, a subscription charge that needs resolving, urgent maintenance. The goal is to persuade an employee to open a remote desktop session, at which point SRG can exfiltrate data directly.
When that fails, SRG does not move on. It escalates.
A person is dispatched to the firm’s offices. They claim to be IT support, often referencing a specific managed services provider or internal team by name. If they get access to a workstation, they insert a USB storage device and take the data physically. If challenged and turned away, the approach may be attempted again.
What makes this operationally significant is what SRG does not do. The group deploys no malware. No ransomware. No payload of any kind. Endpoint detection tools have nothing to flag. SIEM alerts do not fire. Access logs show a workstation user session, nothing anomalous. The compromise is completely invisible until a ransom email arrives, accompanied by a threat to post stolen data on SRG’s clearnet leak site unless payment is received.
The scale
The gap between confirmed and actual victims is wide. The FBI confirmed more than 38 firms with data published on SRG’s leak site. Halcyon tracked 134 ransomware incidents against legal services organisations in Q1 2026 alone, making legal the fourth most targeted sector — more than 6% of all ransomware attacks by volume. The total estimated victim count exceeds 100.
Recent confirmed victims: Orrick, Herrington and Sutcliffe (data posted publicly after the firm declined to pay, January 2026), Jones Day, Wood Smith Henning and Berman, and Ropers Majeski, where SRG claimed a breach as recently as 6 May 2026.
The legal sector is a persistent SRG target for straightforward reasons. Law firms hold litigation strategy, M&A deal terms, client financial data, and personal information about individuals in proceedings. That data is disproportionately valuable for extortion. The security posture at many smaller and mid-sized practices does not match the sensitivity of what they hold.
Why existing controls miss it
No EDR signature catches a USB connection made by a person who walked in through the front door. USB device connection events exist in Windows event logs, but in most office environments they are not monitored as a priority alert. The physical component bypasses the entire technology stack.
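The USB connection events the paragraph refers to can be pulled out of the Windows Security log and turned into an alert rather than left unread. The script below is an added example written for this article, not material from the FBI FLASH; it assumes the host audits Plug and Play activity (Security event 6416, enabled with the auditpol line in the comment) and uses the named fields of that event's EventData.

```powershell
# Added example: list recent USB mass-storage connections from Security event 6416
# ("A new external device was recognized by the system").
# Prerequisite, run once from an elevated prompt (or via GPO advanced audit policy):
#   auditpol /set /subcategory:"Plug and Play Events" /success:enable
function Get-RemovableDeviceConnections {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML instead of parsing message text
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # USB mass storage enumerates under the USBSTOR bus; that is what a walk-in USB drive looks like
        if ($data.DeviceId -like 'USBSTOR\*') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                # The subject is frequently SYSTEM; correlate with the interactive logon
                # (event 4624) on the same host to find who was at the workstation
                Subject  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Device   = $data.DeviceDescription
                DeviceId = $data.DeviceId
            }
        }
    }
}

# Review the last week on this host; in production, ship 6416 to the SIEM and alert on it
Get-RemovableDeviceConnections -Days 7 | Format-Table -AutoSize
```

Any hit on a workstation whose user did not bring a drive that day is worth a phone call to that user, which is exactly the control the scenario in this article lacks.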
The social engineering component is similarly difficult. Security awareness training and phishing simulations are oriented almost entirely around digital attack vectors. A well-prepared operative at reception claiming to be from the firm’s managed services provider is not a scenario that most staff have been trained to handle. The attack exploits the same assumptions that make offices functional: that people who show up and say they are IT are probably IT.
This is not a novel concept in general terms. Physical social engineering is as old as the field. What is notable here is an active criminal group systematically deploying it at scale against a specific sector, after digital access fails, as a documented step in an otherwise technology-light attack chain.
What to do
Reception and physical access controls: No external IT support should be admitted without advance confirmation from someone within the firm’s actual IT team. Confirmation calls must go to an independently verified internal number, not to a number provided by the visitor. Front desk staff need explicit guidance on this.
USB device controls: Endpoint policy should block unauthorised USB storage devices. Group Policy on Windows and equivalent controls on macOS can enforce this without complex tooling. Most legal offices do not have this in place. Now is a good time to check.
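A quick way to answer "is this actually in place?" on a given host is to check the registry value that the Group Policy setting writes, together with the USB storage driver's start type. This is an added example for this article, not part of the FLASH; it assumes the standard "All Removable Storage classes: Deny all access" policy path and the USBSTOR service key.

```powershell
# Added example: report whether a host blocks removable storage, and how.
# Checks the value written by the GPO
#   Computer Configuration > Administrative Templates > System > Removable Storage Access
#   > All Removable Storage classes: Deny all access
# and the USBSTOR driver start type (4 = disabled, so USB mass storage cannot load).
function Test-UsbStorageBlocked {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    $denyAll      = (Get-ItemProperty -Path $policyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $usbstorStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PolicyDenyAll   = ($denyAll -eq 1)
        UsbStorDisabled = ($usbstorStart -eq 4)
        Blocked         = ($denyAll -eq 1) -or ($usbstorStart -eq 4)
    }
}

$state = Test-UsbStorageBlocked
$state | Format-List

if (-not $state.Blocked) {
    # Prefer the GPO so the setting is enforced fleet-wide; the local equivalent (elevated) is:
    Write-Warning 'Removable storage is NOT blocked on this host. Apply via GPO, or locally with:'
    Write-Warning '  New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices -Force'
    Write-Warning '  Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices -Name Deny_All -Value 1 -Type DWord'
}
```

Deny_All covers every removable storage class (CD/DVD and tape included); if the firm needs some of those, the per-class "Removable Disks" policies under the same GPO folder give finer control.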
Remote desktop requests: Any unexpected request for remote access arriving via email or phone call should be treated as hostile until verified through an independent channel. This is SRG’s primary digital entry vector and the most common failure point.
Indicators from the FBI FLASH:
- Unidentified individuals on premises claiming to be IT support
- Unexpected remote desktop session requests from someone claiming to be the internal helpdesk
- Phishing emails referencing subscription charges with instructions to call a support number
- USB drives connected to workstations by unrecognised individuals
The FLASH document is publicly available at IC3.gov. Legal sector IT and security leads should distribute it to staff. Firms that use external managed service providers should brief those providers directly on the impersonation angle.
The immediate question for any law firm that has not done a physical access review recently: who could walk into your offices right now and convince the front desk they should be at a workstation?