A cyber extortion group known for targeting law firms has adopted an unusually brazen tactic: sending people to victims’ offices while pretending to be IT support staff.
The Federal Bureau of Investigation has warned that Silent Ransom Group, a long-running data theft and extortion operation, is continuing to target U.S.-based law firms through a mix of phishing, phone-based social engineering and, in some cases, physical visits to victims’ workplaces.
The group, also tracked by cybersecurity researchers as Luna Moth, Chatty Spider, UNC3753 and Storm-0252, has been linked to attacks on the legal sector since at least 2023. Unlike many ransomware groups that encrypt files and then demand payment, Silent Ransom Group focuses on stealing sensitive data and using the threat of exposure to pressure victims into paying.
Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference
The FBI said the attackers typically begin by contacting employees through phishing emails or phone calls while posing as members of an internal or external IT support team. Victims are persuaded to join remote access sessions or take steps that give the attackers control over their machines.
In some cases, when remote access attempts fail, the group allegedly sends an individual to the victim’s office. That person poses as an IT worker and attempts to physically connect a storage device to a workstation to copy sensitive information.
The tactic has alarmed cybersecurity experts because it blends traditional cybercrime with real-world intrusion. While criminal groups frequently use phishing, fake helpdesk calls and remote access tools, physically sending someone to a target’s workplace is considered extremely rare because it increases the risk of exposure and arrest.
Law firms remain an attractive target for such groups because they hold highly sensitive information, including client communications, litigation records, merger documents, intellectual property files and confidential business material. A successful data theft operation can create legal, reputational and regulatory pressure on both the firm and its clients.
The threat has grown more serious as ransomware and extortion groups shift from simple file encryption to targeted data theft. For law firms, the exposure of client data can be more damaging than temporary disruption of systems. This gives attackers greater leverage during extortion attempts.
FBI Intensifies Probe in ₹770 Crore Minnesota Healthcare Fraud Case
Cybersecurity researchers say Silent Ransom Group appears to understand the pressure points of the legal industry. The group’s campaigns are not necessarily high-volume compared with larger ransomware operations, but its focus on law firms and its willingness to invest time in social engineering have made it a persistent threat.
The FBI’s latest warning follows earlier alerts about the group’s activity against the legal sector. The agency has urged organizations to strengthen identity checks for IT support requests, verify unexpected calls through trusted internal channels and restrict the use of remote access tools.
Security teams have also been advised to monitor unusual login activity, review access privileges, disable unused remote administration tools and train employees to report suspicious IT support requests. Firms should ensure that any in-person technical visit is verified through a formal process before allowing access to devices or office systems.
The warning comes amid a broader rise in attacks on law firms and legal service providers. In recent months, prominent firms have disclosed cyber incidents involving stolen client materials and phishing-based intrusions. These cases have reinforced concerns that legal organizations are becoming priority targets for cybercriminals because of the value of the data they manage.
Experts say the incident also highlights a deeper challenge: employees are expected to trust colleagues, vendors and support staff to keep workplaces functioning. Cybercriminals exploit that trust by making their approach appear routine, urgent and helpful.
The FBI has encouraged victims to report suspected activity to law enforcement and preserve relevant evidence, including emails, phone numbers, remote access logs, device connection records and any details about individuals who attempted to visit office premises.
For law firms, the message is clear. Cybersecurity is no longer limited to firewalls, passwords and endpoint tools. In an environment where attackers may call, email and even walk through the door, physical security, employee verification and incident response must work together.
Silent Ransom Group’s tactics show how extortion actors are adapting to high-value sectors. The attack may begin with a simple call from someone claiming to be IT support, but the consequences can reach deep into privileged client relationships and confidential legal work.
