Hackers are knocking on office doors pretending to be IT staff
The Silent Ransom Group (SRG) is targeting law firms using social engineering techniques and an unusual tactic for cybercriminals: showing up at victims’ offices in person while posing as IT staff, the FBI warns.

The group, also known as Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022 and has targeted companies in several sectors, including insurance, finance, and healthcare, though law firms remain its primary target.
The FBI said SRG actors use phone calls and phishing emails to pose as employees from a victim’s IT department. The phishing emails direct targets to contact fake IT support, while phone calls pressure employees into opening a remote desktop session and granting access to their systems.
If those attempts fail, SRG sends a threat actor to company offices to gain physical access to devices. The person claims they need to create a backup or image the system because of possible issues linked to the phishing email, then inserts a storage device into the computer.
After gaining access to a victim’s device, SRG steals data and uses it to extort victims through ransom emails threatening to sell or publish the information on its leak site. The group also calls employees or clients of victim organizations to pressure them into starting ransom negotiations.
Since no arrests have been made, the FBI has not specified whether the person who arrives at the victim’s office is a member of the group or someone hired only for that particular task.
The latest FBI alert follows a May 2025 private industry notification that warned SRG had spent more than two years targeting U.S. law firms through callback phishing and social engineering campaigns.
“Recent SRG campaigns left few artifacts on compromised machines. Traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack,” the FBI alert reads.
To prevent SRG attacks, the FBI advises organizations to verify anyone claiming to be from internal IT support before granting remote or physical access to company systems. The agency also urges companies to train employees to identify callback phishing and social engineering attempts, use MFA, restrict unauthorized remote access tools, and review help desk procedures used for password resets and access requests.