Biphoo.eu - Guest Posting Services


FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data

May 28, 2026 | Twila Rosenbaum

The Federal Bureau of Investigation (FBI) has issued a stark warning about a sophisticated ransomware group known as Silent Ransom Group (SRG), which has escalated its operations by sending operatives in person to insert USB drives into victims' computers and steal sensitive data. This alarming tactic marks a significant shift in the group's modus operandi, moving from remote social engineering to physical intrusion.

Active since at least 2022, SRG has primarily targeted law firms in the United States since 2023. Traditionally, the group relied on callback phishing emails and social engineering calls, pretending to assist victims in canceling subscription fees. However, in a May 2025 alert, the FBI detailed how SRG began using phishing emails containing links to remote access software, allowing attackers to quickly exfiltrate data from compromised systems.

Now, the group has refined its approach. According to a new FBI advisory, SRG actors are posing as employees from the victim's own IT department. They either directly call employees or send phishing emails urging them to contact a number that connects them to the fake IT support. During the call, the attackers instruct employees to grant remote access to their machines. If this remote access attempt fails, the group escalates to an unprecedented level: they dispatch a physical operative to the victim's location, posing as an IT technician.

The In-Person Attack Vector

The physical operative claims they need to image the device or create a backup file to mitigate potential impacts from a phishing email. Once granted physical access, the operative inserts a USB drive or external hard drive into the victim's computer. From there, the attackers escalate privileges and immediately begin exfiltrating data, without deploying file-encrypting ransomware. This strategy allows them to avoid common ransomware detection mechanisms.

The FBI notes that SRG uses legitimate tools for data exfiltration, such as WinSCP (Windows Secure Copy) or a customized version of Rclone. In some cases, they copy data to internal file-sharing platforms like Google Drive and Microsoft OneDrive, further blending in with normal network traffic. After the data is stolen, the group contacts the victim and threatens to sell or publish the information online. To increase pressure, they also contact the victim's employees and clients.

Stealth and Evasion Techniques

One of the most concerning aspects of SRG's recent campaign is the minimal forensic footprint left on compromised machines. The FBI warns that the attacks leave few artifacts, and traditional antivirus products are unlikely to flag the intrusion because SRG relies on legitimate system management or remote access tools. This makes detection and attribution exceptionally difficult for security teams.

The use of physical operatives also bypasses many cybersecurity layers that focus on network-based threats. Organizations may have robust email filtering and endpoint detection, but face-to-face social engineering requires a different kind of defense—employee vigilance and strict physical access protocols.

Background on Silent Ransom Group

Silent Ransom Group first emerged in 2022, targeting organizations across multiple sectors, with a particular focus on legal firms. Law firms are attractive targets because they hold vast amounts of confidential client data, including intellectual property, merger and acquisition details, and personal information. The group's early campaigns relied heavily on callback phishing, where victims receive a phishing email and are instructed to call a number to resolve a fake issue. During that call, the attackers trick the victim into installing remote desktop software.

Over time, SRG has evolved its social engineering scripts to appear more legitimate. By impersonating internal IT support, they exploit the trust employees place in their own help desk. The shift to physical presence demonstrates the group's willingness to invest resources in sophisticated attacks that have a higher chance of success.

Broader Implications for Cybersecurity

The FBI's alert highlights a growing trend in ransomware attacks: the combination of cyber and physical tactics. While in-person attacks are still rare, they represent a significant escalation that security professionals must prepare for. The use of USB drives to exfiltrate data also echoes earlier spycraft techniques, adapted for modern extortion schemes.

Organizations are now advised to implement strict identity verification procedures for anyone claiming to be from IT support, even if they appear in person. This includes checking badges, verifying through internal communication channels, and requiring pre-arranged appointments. Additionally, companies should limit physical access to sensitive areas and ensure that employees are trained to challenge unannounced visitors.

Recommended Defenses

The FBI recommends a multi-layered defense strategy. First, verify the credentials of all individuals with access to company assets, whether remotely or physically. Limit access to sensitive data based on the principle of least privilege. Train employees to recognize phishing attempts—both email and voice—and to never grant remote access without explicit authorization from a verified manager.

Organizations should also implement phishing-resistant multi-factor authentication (MFA), such as hardware tokens or biometric verification. Block access to commonly exploited ports and disable remote access protocols when not in use. Furthermore, disable permissions for external drive installation on employees' workstations, unless explicitly needed and monitored.

Regularly backing up all company data to offline or immutable storage can mitigate data loss in the event of an intrusion, though in this case SRG focuses on exfiltration rather than encryption. Maintaining comprehensive logging and monitoring for unusual data transfer activities can also help detect exfiltration attempts early.
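The advisory's two detection hooks, the legitimate transfer tools (WinSCP, Rclone) and cloud-storage uploads named above, and the logging and monitoring for unusual data transfer recommended here, can be turned into a simple correlation rule. The following Python is an added example, not code from the article or the FBI advisory. It reads a constructed, simplified JSON-lines endpoint log (the field names `event`, `image`, `dest_host`, `bytes_out` and the host names are assumptions, to be mapped onto your own EDR or SIEM schema) and alerts only when a removable-media attach on a host is followed within a short window by a known transfer tool launching or by a large upload to a cloud-storage host. Correlating the two cuts the noise that a bare "rclone ran" rule would generate on a legitimate backup host.

```python
"""Correlate removable-media insertion with follow-on bulk data transfer.

Added example (not from the article or the FBI advisory). The log format,
field names and host names are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Transfer tools the advisory names as used for exfiltration.
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}
# Cloud-storage destinations the advisory names; illustrative, extend for your estate.
CLOUD_STORAGE_HOSTS = ("drive.google.com", "onedrive.live.com", "graph.microsoft.com")
WINDOW = timedelta(minutes=30)               # attach -> transfer correlation window
BYTES_THRESHOLD = 200 * 1024 * 1024          # 200 MiB outbound to cloud storage

# Constructed sample telemetry (not real data). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"ts":"2026-05-20T09:02:11Z","host":"LAW-WS-17","user":"jdoe","event":"removable_media","action":"attach","device":"USB Mass Storage"}
{"ts":"2026-05-20T09:05:40Z","host":"LAW-WS-17","user":"jdoe","event":"process_start","image":"C:\\Tools\\rclone.exe","cmdline":"rclone copy D:\\Matters remote:backup"}
{"ts":"2026-05-20T09:06:02Z","host":"LAW-WS-17","user":"jdoe","event":"net_conn","dest_host":"drive.google.com","bytes_out":524288000}
{"ts":"2026-05-20T11:30:00Z","host":"LAW-WS-22","user":"asmith","event":"removable_media","action":"attach","device":"USB Mass Storage"}
{"ts":"2026-05-20T11:31:10Z","host":"LAW-WS-22","user":"asmith","event":"process_start","image":"C:\\Windows\\explorer.exe","cmdline":"explorer E:\\"}
{"ts":"2026-05-20T14:00:00Z","host":"LAW-WS-03","user":"svc_backup","event":"process_start","image":"C:\\Program Files\\WinSCP\\WinSCP.exe","cmdline":"winscp /script=nightly.txt"}
"""


def image_basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_media_exfil(events):
    """One alert per removable-media attach that is followed within WINDOW by a
    known transfer tool start or by >= BYTES_THRESHOLD sent to cloud storage."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for attach in evs:
            if attach["event"] != "removable_media" or attach.get("action") != "attach":
                continue
            start, deadline = attach["ts"], attach["ts"] + WINDOW
            in_window = [e for e in evs if start <= e["ts"] <= deadline]

            tools = [image_basename(e["image"]) for e in in_window
                     if e["event"] == "process_start"
                     and image_basename(e["image"]) in TRANSFER_TOOLS]
            cloud_bytes = sum(e.get("bytes_out", 0) for e in in_window
                              if e["event"] == "net_conn"
                              and e.get("dest_host", "").endswith(CLOUD_STORAGE_HOSTS))

            if tools or cloud_bytes >= BYTES_THRESHOLD:
                alerts.append({
                    "host": host,
                    "user": attach["user"],
                    "attached_at": start.isoformat(),
                    "tools": tools,
                    "cloud_bytes_out": cloud_bytes,
                })
    return alerts


def run_sample():
    """Run the rule over the constructed log; used by the example's own main."""
    return detect_media_exfil(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample, only LAW-WS-17 fires: the attach is followed by rclone and a 500 MiB upload to Google Drive. LAW-WS-22 has an attach but only Explorer activity, and LAW-WS-03 runs WinSCP with no removable media, so neither produces an alert; the latter is the kind of routine administrative use the correlation is designed to leave alone, and should be covered by a separate, lower-severity rule if your environment does not expect WinSCP on workstations at all.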

Industry Response and Future Outlook

The legal industry, in particular, is on high alert following these revelations. Many law firms are reassessing their physical security policies and conducting tabletop exercises that include scenarios with in-person attackers. Cybersecurity vendors are also developing new detection methods for anomalous physical access patterns.

As ransomware groups continue to innovate, the line between cybercrime and physical crime blurs. The FBI's warning serves as a critical reminder that defense must encompass both digital and physical realms. Employees at all levels must be aware that attackers may go to great lengths, including showing up at the front door, to compromise sensitive data.

The Silent Ransom Group's latest campaign is a stark illustration of how threat actors adapt and evolve. While the group has yet to deploy encryption in these attacks, the exfiltration-only approach eliminates the need for ransomware deployment and reduces the noise that might alert security teams. The pressure from threats to publish stolen data can be equally devastating to organizations, especially those handling highly confidential client information.

Security experts urge organizations to stay informed about emerging tactics and to share threat intelligence with partners and industry groups. The FBI's alerts, such as this one, are valuable resources for staying ahead of adversaries. By understanding the methods of groups like SRG, organizations can better prepare their defenses and minimize the risk of a costly data breach.


Source: SecurityWeek News
