Extortion crews are visiting law firms pretending to be tech support, FBI warns

From www.theregister.com - Articles
The FBI is warning unsuspecting lawyers that their firms continue to be an active target for members of a longstanding extortion crew. Silent Ransom Group (SRG) has been operating since 2022, by the FBI's reckoning, and its latest message [PDF] about the gang comes almost exactly a year after its last. The group is still targeting US law firms and their staff, and the criminals are pretending to be company IT staff.

The FBI also warned last year that the callback phishing specialists had started physically walking into law firms' offices when remote social engineering attempts go south. Its latest advisory reaffirms these findings, with fresh attacks reported in Spring 2026.

Law firms should be locking up their USB ports, because the extortion crew is still sending members to plug thumb drives into computers when they can't convince employees to surrender remote access. In these scenarios, they rock up to the victim they've already tried to phish and socially engineer from behind a phone or computer screen, continue the facade of being a company IT rep, and then claim they need to image the person's device or create a backup file to assess the damage done by their own phishing email. What they're actually doing is copying important files onto the thumb drive, which SRG will later use to extort the law firm.

The FBI didn't say exactly how many of these in-person callouts SRG has made, but it was evidently enough to include in a fresh advisory on the group's methods and tactics. According to the advisory, these attacks were first reported in Spring 2026.

SRG in brief

SRG's target industries used to be broader than just legal. The hack-and-leak group has been known to target organizations in various industries, but the legal sector has remained a common theme since 2023. The FBI said in its advisory on the group last year that it believes SRG consistently targets US law firms "likely due to the highly sensitive nature of legal industry data."
When they're not sending crooks into office blocks, SRG's primary method is callback phishing. Using SMS messages or emails, group members single out employees at target companies and, while impersonating real IT staff, ask them to call a number. If the staffer falls for the scheme and calls, the SRG IT imposter attempts to convince them to grant access to a remote desktop session, during which the attackers elevate their privileges and set about stealing data to use as extortion leverage. In some cases, SRG runs WinSCP or a disguised version of Rclone to scoop up files of interest. In others, the group is known to share those documents using internal file-sharing platforms such as Google Drive or Microsoft OneDrive.

Before the callback phishing methodology, the group would send emails claiming that a fake subscription had been authorized that would charge small sums to the target's account each month. The email included a phone number to call in order to cancel the subscription, and once on the call, the crooks would convince the target to install remote access software and then rinse and repeat the data theft playbook.

SRG is not known for using ransomware, but it operates a data leak site (DLS) just like any other extortion crew and charges victims to return the data it stole, threatening to leak it online if they refuse to pay. Recent alleged victims of the group have included law giant Jones Day, the legal eagles favored by US president Donald Trump during both his election campaigns. SRG listed Jones Day on its DLS, and the law firm confirmed a "cyber phishing incident" in April, but did not name SRG as the culprit.

Your country needs you

The FBI pleaded with the public to send it any evidence of SRG in action to aid future investigations.
Of particular use would be phone numbers used to contact the crooks, copies of phone call transcripts and phishing emails, cryptocurrency wallet information, and identifying information about the individuals who set foot in office buildings.

As for how to prevent attacks from SRG or others adopting similar methods, the FBI recommended that organizations disallow connecting external drives to company-issued devices, especially those that store confidential or otherwise sensitive information. Verifying the credentials of each person walking into the building wouldn't hurt, either.

The usual advice applies for the group's remote attacks: limiting access to sensitive data from less-secure networks and requiring phishing-resistant MFA for as many services as possible. The FBI also recommends blocking port 22 access, which would prevent encrypted remote access, and investing in robust staff training programs so staff know not to let outsiders plug hardware into their machines.
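As an added illustration (not from the article or the FBI advisory) of how a defender might turn two of the points above into detection logic, the following triage script flags the disguised Rclone/WinSCP execution described earlier and port 22 egress from binaries outside an allow-list. It runs over a few constructed Sysmon-style process-creation and network-connection records; the field names follow Sysmon's conventions, but the records, paths, addresses and the approved-SSH allow-list are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample records modelled on Sysmon EventID 1 (process creation)
# and EventID 3 (network connection). They are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "User": "CORP\\jdoe"},
    {"EventID": 3, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "DestinationPort": 22, "DestinationIp": "203.0.113.10", "User": "CORP\\jdoe"},
    {"EventID": 3, "Image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "DestinationPort": 22, "DestinationIp": "198.51.100.7", "User": "CORP\\admin"},
]

# Tools the article names as SRG's file-collection utilities.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# Hypothetical allow-list of binaries permitted to talk to port 22 (SSH/SFTP).
APPROVED_SSH_IMAGES = {"ssh.exe"}


def triage(events):
    """Return (kind, image, detail) for each suspicious event, in input order."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev["Image"]).name.lower()
        if ev["EventID"] == 1:
            # OriginalFileName comes from the PE version resource, so a renamed
            # rclone.exe still reports its real name here.
            orig = ev.get("OriginalFileName", "").lower()
            if orig in EXFIL_TOOLS and orig != name:
                findings.append(("renamed_exfil_tool", ev["Image"], orig))
            elif orig in EXFIL_TOOLS:
                findings.append(("exfil_tool_executed", ev["Image"], orig))
        elif ev["EventID"] == 3 and ev.get("DestinationPort") == 22:
            # Port 22 egress from anything but an approved SSH client is flagged,
            # matching the advisory's recommendation to restrict port 22.
            if name not in APPROVED_SSH_IMAGES:
                findings.append(("unapproved_port22_egress", ev["Image"], ev["DestinationIp"]))
    return findings


if __name__ == "__main__":
    for kind, image, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:26} {image}  ({detail})")
```

The same two checks map directly onto SIEM rules: OriginalFileName mismatch on process creation, and destination port 22 with an image not in the allow-list on network connection events.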