Silent Ransom Group Sends Operatives Into Law Firm Offices: 38 Firms Already Leaked


The FBI issued a FLASH alert warning that the Russia-linked Silent Ransom Group has escalated attacks on U.S. law firms by sending operatives physically into offices under false IT support pretexts, with data from over 38 firms already leaked. The group uses USB drives and legitimate file-transfer tools like WinSCP and Rclone to exfiltrate sensitive data, including attorney-client communications and litigation records, from firms like Orrick, Herrington & Sutcliffe, Jones Day, and Wood Smith Henning & Berman.

The FBI warned in a FLASH alert on May 26, 2026, that the Russia-linked Silent Ransom Group (SRG) has escalated its attacks on U.S. law firms by deploying operatives to physically infiltrate offices under the guise of IT support. The group has already leaked data from over 38 firms, with researchers estimating more than 100 total attacks since 2023, including high-profile breaches at Orrick, Herrington & Sutcliffe, Jones Day, and Wood Smith Henning & Berman in early 2026.

The FBI’s alert highlights a new tactic: after failed remote access attempts, SRG operatives arrive on-site, claiming to be IT staff, and connect USB drives to workstations to exfiltrate data using tools like WinSCP or Rclone. These utilities evade antivirus detection, allowing swift extraction of sensitive files. The group’s minimal privilege escalation strategy prioritizes speed over deep system access.

Law firms are prime targets due to their possession of privileged attorney-client communications, merger documents, intellectual property records, and confidential financial data. The threat of public exposure or adversarial use of this material creates potent extortion leverage that is difficult to mitigate even by paying ransoms. Security experts note SRG’s willingness to invest in physical intrusions, a tactic less common among other ransomware groups.

The FBI’s warning marks its second alert on SRG in 12 months and the first at FLASH severity for this actor, signaling heightened urgency. The group’s attacks surged in early 2026, with recent claims of breaching Ropers Majeski on May 6. Researchers suggest SRG may employ gig workers, potentially unaware of their involvement in criminal activity, to execute these physical intrusions.

The alert emphasizes the need for law firms to verify IT personnel identities, restrict unauthorized device access, and monitor for unusual file transfers. SRG’s blend of digital and physical tactics underscores the evolving sophistication of cyber extortion threats targeting high-value data sectors.
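One way to act on the "monitor for unusual file transfers" recommendation is to review process-creation telemetry for the transfer tools named above. The following is an added example, not code from the FBI alert or the original article: it assumes Sysmon Event ID 1 style fields exported as JSON lines, and the host names, approved-host list and fixed-drive list are hypothetical values for illustration.

```python
import json
from pathlib import PureWindowsPath

# Tools named in the article; matched on file name and on the PE OriginalFileName
# so that a renamed copy is still recognised.
TRANSFER_TOOLS = {"winscp.exe", "winscp.com", "rclone.exe"}
# Assumptions for this example: hosts approved to run these tools, and the
# drive letters that are fixed disks on the firm's workstations.
APPROVED_HOSTS = {"IT-ADMIN-01"}
FIXED_DRIVES = {"C:"}

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = r"""
{"Computer": "LAW-WS-17", "User": "FIRM\\jdoe", "Image": "E:\\rclone.exe", "OriginalFileName": "rclone.exe"}
{"Computer": "IT-ADMIN-01", "User": "FIRM\\itadmin", "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "OriginalFileName": "winscp.exe"}
{"Computer": "LAW-WS-22", "User": "FIRM\\asmith", "Image": "C:\\Users\\Public\\helper.exe", "OriginalFileName": "rclone.exe"}
{"Computer": "LAW-WS-30", "User": "FIRM\\bnguyen", "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "OriginalFileName": "winscp.exe"}
{"Computer": "LAW-WS-17", "User": "FIRM\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}
"""


def classify(event):
    """Return a finding dict for a transfer-tool launch worth reviewing, else None."""
    image = PureWindowsPath(event["Image"])
    on_disk = image.name.lower()
    original = event.get("OriginalFileName", "").lower()
    if not {on_disk, original} & TRANSFER_TOOLS:
        return None
    reasons = []
    if event["Computer"] not in APPROVED_HOSTS:
        reasons.append("host not approved for transfer tools")
    if image.drive.upper() not in FIXED_DRIVES:
        reasons.append("launched from a non-fixed drive")
    if on_disk not in TRANSFER_TOOLS:
        reasons.append("binary renamed on disk")
    if not reasons:
        return None
    return {"host": event["Computer"], "user": event["User"], "image": str(image),
            "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons}


def scan(lines):
    """Parse JSON-lines process-creation events and collect findings."""
    events = (json.loads(line) for line in lines.splitlines() if line.strip())
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["host"], finding["image"], finding["reasons"])
```

Because these are legitimate utilities, the signal is where and by whom they run rather than the binary itself, so the approved-host list has to reflect real administrative use to keep the output reviewable.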

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
