Google and FBI Alert: Ransomware Gang Deploys Fake IT Personnel to Hack Victims On‑Site


Key Takeaways

  • The Silent Ransom Group (SRG) has begun using in‑person impostors posing as IT support to gain physical access to law‑firm offices and steal data directly from computers.
  • Tactics include delivering USB drives, establishing remote‑access connections, and leveraging screen‑sharing tools after convincing employees via phone calls or emails.
  • SRG does not encrypt data; instead, it exfiltrates sensitive information and threatens public release on a leak site unless a ransom is paid.
  • The gang also relies on traditional cyber‑attack methods such as phishing emails, follow‑up calls, and social engineering to build trust and facilitate remote access.
  • Both Google’s Mandiant/Threat Intelligence Group and the FBI have confirmed multiple incidents of this hybrid physical‑digital approach, which targeted dozens of victims, primarily law firms, from January through May 2024.
  • The escalation underscores a growing trend where cybercriminals blend classic hacking with real‑world intrusion to bypass technical defenses.

Overview of the Silent Ransom Group’s New Tactics
Google’s Mandiant and Google Threat Intelligence Group released a report on Friday detailing how the Silent Ransom Group (SRG) has shifted part of its operation from purely remote attacks to in‑person infiltration. Between January and May 2024, the gang targeted “dozens” of victims, primarily law firms, by sending individuals who pretended to be IT support staff. These impostors entered offices, connected to employee workstations, and either copied data onto USB drives or established remote‑access connections for accomplices working remotely. The report notes that while SRG still uses familiar cyber‑tools, the addition of physical presence marks a notable escalation in its playbook.

Statements from Mandiant Leadership
Charles Carmakal, Chief Technology Officer at Mandiant, emphasized that the observed behavior is not isolated. He told TechCrunch that Mandiant has investigated multiple cases where adversaries planted insiders, bribed employees, or physically entered facilities to enable cyberattacks. Carmakal noted that such tactics have appeared in prior investigations over the years, but the current wave demonstrates a systematic and repeated use of in‑person access by SRG. His comments underline that the group’s method is a deliberate evolution rather than a sporadic anomaly.

FBI Warning and Confirmation
In the preceding month, the FBI issued an alert warning that SRG was targeting law firms with social‑engineering and phishing campaigns in which the attackers masqueraded as IT support. The agency later confirmed to TechCrunch that it has observed multiple instances of individuals impersonating IT technicians to gain, or attempt to gain, physical entry to victim premises. The FBI’s statement aligns with Mandiant’s findings: the in‑person attempts are one part of SRG’s broader scheme to exfiltrate data for extortion.

Extortion Model Without Encryption
Unlike conventional ransomware, which locks victims’ files with encryption, SRG runs a pure data‑leak extortion model. After stealing confidential material such as contracts, Social Security numbers, tax records, and internal communications, the gang threatens to publish it on its own leak site if the victim refuses to pay. The report cites a typical ransom note: “In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data.” The model needs no encryption or decryption keys, and because the leverage is disclosure rather than loss of access, restoring from backups does nothing to relieve the pressure on the victim.

Hybrid Use of Phishing, Phone Calls, and Screen‑Sharing
In addition to physical intrusions, SRG continues to rely on conventional attack vectors. The group sends phishing emails that appear to come from the victim’s own IT department, then follows up with phone calls in which the caller poses as a support technician. On the call, the attacker talks the victim through downloading screen‑sharing software or through the built‑in screen‑sharing features of platforms such as Zoom or Microsoft Teams. Because the session is started by an authorized user with software that is often already permitted, it looks like a routine help‑desk interaction to endpoint and network controls, and the attackers can harvest credentials and establish a remote‑access session without raising immediate suspicion.

Significance of the Physical‑Digital Blend
The report concludes that SRG’s willingness to combine old‑school intrusion with modern hacking represents a significant escalation in cybercrime tactics. Most threat actors rely exclusively on malware, phishing, or remote exploits; SRG’s use of impostors to gain hands‑on access to hardware shows a readiness to invest in real‑world operations that sidestep technical defenses such as endpoint detection, network segmentation, and multi‑factor authentication, all of which assume the attacker starts outside the building and outside an already‑authenticated session. Organizations will need to broaden their security posture beyond digital controls: stricter physical‑access verification and visitor management, out‑of‑band verification of anyone claiming to be IT support, whether on the phone or at the front desk, and employee awareness training that covers this kind of brazen in‑person approach.
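The activity the report describes still leaves two footprints that ordinary endpoint telemetry can catch: a remote‑support or screen‑sharing tool started by a user that the firm’s real help desk does not use, and a burst of file writes to a freshly mounted removable drive. The script below is an added example written for this article, not code from Google, Mandiant, or the FBI. The JSON‑lines log format, the field names, the list of remote‑tool binaries, and the approved‑tool list are all assumptions to be replaced with your own EDR schema and tool inventory, and the sample events are constructed.

```python
"""Hunt for the two SRG-style access patterns in endpoint telemetry.

Added example, not code from the Google/Mandiant report or the FBI alert.
Assumptions: telemetry arrives as JSON lines with 'ts' (ISO 8601), 'host',
'event' and per-event fields; the remote-tool names and the approved list are
illustrative and must be replaced with your own inventory.
"""
import json
import ntpath
from datetime import datetime, timedelta

# Remote-support / screen-sharing binaries a caller might talk a user into running.
# Assumption: illustrative names only; populate from what your fleet actually sees.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe",
                "rustdesk.exe", "screenconnect.client.exe"}
# What the organization's real help desk is allowed to use (assumption).
APPROVED_TOOLS = {"quickassist.exe"}

USB_WINDOW = timedelta(minutes=15)  # count writes this long after a removable mount
BULK_WRITE_THRESHOLD = 50           # files written to the removable volume to alert

# Constructed sample telemetry (not real events). One JSON object per line.
SAMPLE_LOG = r"""
{"ts": "2024-03-04T09:58:00", "host": "LAW-WS-07", "event": "process_start", "user": "jdoe", "image": "C:\\Windows\\System32\\quickassist.exe"}
{"ts": "2024-03-04T10:02:30", "host": "LAW-WS-07", "event": "process_start", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2024-03-04T11:10:00", "host": "LAW-WS-12", "event": "removable_mount", "user": "asmith", "volume": "E:"}
{"ts": "2024-03-04T11:12:00", "host": "LAW-WS-12", "event": "file_write", "user": "asmith", "volume": "E:", "count": 30}
{"ts": "2024-03-04T11:18:00", "host": "LAW-WS-12", "event": "file_write", "user": "asmith", "volume": "E:", "count": 40}
{"ts": "2024-03-04T13:00:00", "host": "LAW-WS-03", "event": "removable_mount", "user": "bwong", "volume": "F:"}
{"ts": "2024-03-04T13:05:00", "host": "LAW-WS-03", "event": "file_write", "user": "bwong", "volume": "F:", "count": 3}
{"ts": "2024-03-04T13:06:00", "host": "LAW-WS-03", "event": "file_write", "user": "bwong", "volume": "C:", "count": 500}
"""


def parse(lines):
    """Parse JSON-lines telemetry into dicts, with 'ts' as a datetime, oldest first."""
    events = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def hunt(lines):
    """Return findings for unapproved remote tools and bulk writes to removable media."""
    findings = []
    mounts = {}  # (host, volume) -> {"mounted": ts, "files": n, "alerted": bool}
    for ev in parse(lines):
        kind = ev["event"]
        if kind == "process_start":
            # ntpath handles Windows paths regardless of the analyst's own OS.
            image = ntpath.basename(ev["image"]).lower()
            if image in REMOTE_TOOLS and image not in APPROVED_TOOLS:
                findings.append({
                    "host": ev["host"], "rule": "unapproved_remote_tool",
                    "ts": ev["ts"].isoformat(),
                    "detail": f"{image} started by {ev['user']}",
                })
        elif kind == "removable_mount":
            mounts[(ev["host"], ev["volume"])] = {
                "mounted": ev["ts"], "files": 0, "alerted": False}
        elif kind == "file_write":
            m = mounts.get((ev["host"], ev["volume"]))
            # Ignore fixed disks (never mounted as removable) and writes outside the window.
            if m is None or ev["ts"] - m["mounted"] > USB_WINDOW:
                continue
            m["files"] += ev["count"]
            if m["files"] >= BULK_WRITE_THRESHOLD and not m["alerted"]:
                m["alerted"] = True  # one alert per mount, not one per write batch
                minutes = int(USB_WINDOW.total_seconds() // 60)
                findings.append({
                    "host": ev["host"], "rule": "bulk_write_to_removable",
                    "ts": m["mounted"].isoformat(),
                    "detail": f"{m['files']} files written to {ev['volume']} "
                              f"within {minutes} min of mount",
                })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
```

On the sample telemetry this flags AnyDesk on LAW-WS-07 (Quick Assist is on the approved list and is left alone) and 70 files written to the E: drive on LAW-WS-12 shortly after it was mounted; the three files on LAW-WS-03 stay under the threshold and the 500 writes to C: are ignored because C: was never mounted as removable. The window and threshold are starting points to tune against your own baseline, and an impostor who talks a user through a tool that is already on the approved list will not trip the first rule, which is why this is a complement to, not a substitute for, verifying support requests out of band.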
