Cybercriminals are getting more creative, and in some cases, far more physical. A recent FBI warning has highlighted an unusual tactic used by the Silent Ransom Group, where attackers are not only relying on phishing emails and phone calls, but may also show up at company offices in person while pretending to be IT staff.
The group, also known as Luna Moth, Chatty Spider and UNC3753, has reportedly been active since at least 2022. While it has targeted several industries including insurance, finance and healthcare, law firms appear to be one of its main targets. This makes sense from a criminal perspective because law firms often handle sensitive client records, legal documents and confidential business information.
A Different Kind Of Social Engineering Attack
Most people think of cyberattacks as something that happens entirely online. An employee clicks a phishing link, downloads a malicious file, enters credentials into a fake login page, or grants access to someone over the phone. In this case, the attack still begins with familiar social engineering tactics, but it can escalate into something more direct.
According to the FBI, Silent Ransom Group actors commonly impersonate internal IT support staff. They may send phishing emails that instruct employees to contact fake IT support, or they may call employees directly and pressure them into opening a remote desktop session. Once the employee grants access, the attackers can begin moving toward data theft.
What makes this case stand out is what reportedly happens when the usual remote methods do not work. Instead of giving up, the group may send someone physically to the office. That person then claims to be from IT and asks for access to the employee's device, often using an excuse such as needing to create a backup or investigate an issue linked to the earlier phishing email.
Why Physical Access Is So Dangerous
Physical access changes the risk level immediately. If an attacker can reach a company device directly, they may be able to bypass some of the usual security controls that protect against remote threats. Even something as simple as inserting a storage device into a computer can create serious exposure if the employee believes the person is legitimate.
This is why identity verification is so important. In many organisations, employees are trained to be cautious with suspicious emails, but they may not apply the same level of suspicion to someone standing in front of them wearing a convincing badge or speaking confidently as "IT support." Attackers understand this human weakness very well.
The lesson here is simple: social engineering is not only digital. It can happen over the phone, through email, in chat messages, and even face-to-face at the office door.
How The Group Uses Stolen Data
Silent Ransom Group is known for data theft and extortion. After gaining access to a victim's device, the group reportedly steals information and later uses it to pressure the organisation into paying a ransom. The threat usually involves selling or publishing the stolen data if the victim refuses to negotiate.
The FBI also noted that the group may contact employees or even clients of the victim organisation to increase pressure. This kind of tactic is designed to create reputational concern and urgency, especially for businesses that handle confidential or regulated information.
Another concern is that recent SRG campaigns have reportedly left very few traces on compromised machines. The FBI also warned that traditional antivirus tools may not detect the intrusion easily because the attackers often use legitimate system management or remote access tools. This makes the activity harder to spot compared with attacks that rely on obvious malware.
Why Law Firms Are Attractive Targets
Law firms can be especially attractive to ransomware and extortion groups because they often hold sensitive information on behalf of clients. This may include legal disputes, financial records, contracts, corporate matters, personal data and privileged communications.
Even if a law firm has strong technical systems, attackers may still try to exploit human processes. Help desk workflows, password reset procedures, remote support requests and visitor handling can all become weak points if they are not properly controlled.
This is why cybersecurity cannot depend only on firewalls, antivirus software and MFA. Those tools matter, but staff awareness and operational discipline are just as important.
What Organisations Should Do
The FBI recommends that organisations verify anyone claiming to be from internal IT before granting either remote or physical access to company systems. This applies even if the request sounds urgent or appears to come from someone familiar.
Companies should also train employees to recognise callback phishing, where a phishing email encourages the target to call a fake support number. Staff should be reminded that real IT teams follow proper internal procedures, and that any unusual request should be confirmed through official channels.
MFA should be enabled wherever possible, and organisations should restrict the use of unauthorised remote access tools. Help desk procedures should also be reviewed, especially for password resets, account recovery and access requests. If attackers are trying to impersonate IT support, then the IT support process itself must be hardened.
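Because legitimate remote access tools do not trip antivirus, restricting them comes down to checking process activity against an approved list. The following is an added example, not code from the FBI advisory or the article: the product names, the approved-tool policy and the sample events are all assumptions constructed for illustration.

```python
import csv
import io

# Assumption: product-name markers matched against the executable path.
# These product names are illustrative and are not taken from the article.
REMOTE_TOOL_MARKERS = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "splashtop": "Splashtop",
}

# Hypothetical policy: the one approved product and where IT installs it.
APPROVED = {"TeamViewer": "c:\\program files\\teamviewer\\"}

# Constructed process-start events (time, host, user, image path).
SAMPLE_EVENTS = r"""time,host,user,image
2025-01-10T09:02:11,WS-014,alice,C:\Program Files\TeamViewer\TeamViewer.exe
2025-01-10T09:15:40,WS-022,bob,C:\Users\bob\Downloads\AnyDesk.exe
2025-01-10T09:31:05,WS-031,carol,C:\Users\carol\AppData\Local\Temp\TeamViewer.exe
2025-01-10T09:40:19,WS-014,alice,C:\Windows\System32\notepad.exe
"""

def classify(image):
    """Return (product, reason) for a policy violation, else None."""
    path = image.lower()
    for marker, product in REMOTE_TOOL_MARKERS.items():
        if marker not in path:
            continue
        approved_dir = APPROVED.get(product)
        if approved_dir is None:
            return product, "product not approved"
        if not path.startswith(approved_dir):
            return product, "approved product run from unexpected path"
        return None  # approved product in its managed install directory
    return None  # not a remote-access tool we track

def find_violations(csv_text):
    """Scan process-start events and list remote-tool policy violations."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row["image"])
        if verdict:
            hits.append((row["host"], row["user"], *verdict))
    return hits

if __name__ == "__main__":
    for host, user, product, reason in find_violations(SAMPLE_EVENTS):
        print(f"{host} {user}: {product} - {reason}")
```

The second check matters as much as the first: a copy of an approved product launched from a user's download or temp folder is not the IT-managed install and deserves the same follow-up as an unapproved tool.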
Physical security also needs attention. Reception teams, security guards and front-line staff should know how to verify visitors claiming to be from IT, vendors or support providers. A simple callback to an internal IT manager through a known company number can prevent a serious incident.
Final Thoughts
The Silent Ransom Group case is a strong reminder that cybersecurity is not only about technology. Attackers are increasingly blending digital deception with real-world tactics, and organisations need to be prepared for both.
The idea of someone walking into an office and pretending to be IT support may sound unusual, but it works because it targets trust, urgency and routine workplace behaviour. Employees want to be helpful, especially when they believe they are dealing with internal support. That is exactly what attackers are trying to exploit.
For businesses, the response should be practical and immediate. Verify identities, strengthen help desk procedures, train staff, control remote access tools and make sure physical access to devices is treated seriously. In today's threat landscape, the person at the office door can be just as much of a cybersecurity risk as the suspicious email in the inbox.

