PROBABLYPWNED
Threat Intelligence | May 28, 2026 | 4 min read

FBI: Extortion Gang Walks Into Law Firms Posing as IT Staff

Silent Ransom Group escalates from vishing to physical infiltration. FBI FLASH alert warns 38+ law firms already breached, with operatives plugging USB drives into office computers.

Alex Kowalski

The Silent Ransom Group has escalated from phone-based social engineering to physically walking operatives into law firm offices, plugging USB drives into computers, and exfiltrating sensitive data. The FBI issued a FLASH alert on May 26 warning that data from more than 38 firms has already been published on the gang's leak site.

The Russia-linked extortion gang has targeted U.S. law firms since 2023, but this tactical shift to in-person operations represents a significant escalation. Researchers tracking the group say the total attack count exceeds 100, with activity surging sharply in early 2026.

How the Attack Chain Works

It starts with a phone call. SRG operatives contact law firm employees while impersonating the firm's own IT department, claiming to be calling about a security update, a system issue, or a required software installation. The call establishes legitimacy and primes the target for what comes next.

During the call or in follow-up communications, employees are directed to open a remote desktop session—a standard support scenario that doesn't raise immediate suspicion. But the real intrusion is physical.

After establishing contact, SRG sends an individual posing as an IT support technician to the firm in person. Once inside, the operative inserts a storage device into an employee workstation to exfiltrate data directly. No network exploitation required—just a USB drive and social engineering sophisticated enough to get past reception.

Why Law Firms

Law firms hold an unusually exploitable combination of data. Attorney-client privileged communications, merger and acquisition documentation, intellectual property litigation records, confidential client financial information—the threat of this material becoming public creates extortion leverage that's difficult to quantify.

Notable victims include Orrick, Herrington & Sutcliffe, a firm with more than 25 global offices and over $1.5 billion in annual revenue. Its data was published after the firm declined SRG's ransom demand in January 2026.

The legal industry's traditional resistance to aggressive IT security measures—partners who resist MFA, BYOD policies that predate modern threats, physical office layouts designed for client comfort rather than access control—makes firms particularly vulnerable to this hybrid approach.

Social Engineering Meets Physical Intrusion

This campaign demonstrates how social engineering continues to evolve. Threat actors are literally walking into buildings and taking what they want, using pretexts refined through years of vishing (voice phishing) operations.

The USB-based exfiltration also bypasses network-level monitoring entirely. Data loss prevention tools watching network traffic won't catch an operative copying files to a removable drive. This mirrors techniques we've seen from nation-state actors conducting corporate espionage—techniques now being adopted by financially motivated extortion gangs.

Recommendations for Law Firms

  1. Verify all IT support requests - Establish callback procedures using known-good phone numbers, not numbers provided by the caller
  2. Implement strict visitor protocols - Require escort for all visitors, even those claiming IT or vendor credentials
  3. Disable USB ports - Use endpoint protection to block unauthorized removable storage devices
  4. Train reception staff - Front desk employees are the first line of defense against physical infiltration
  5. Require badge access to workstations - Limit physical access to computers, not just buildings
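
Recommendation 3, and the earlier point that network-level DLP never sees a copy to a removable drive, both call for host-side visibility. The following is an added example, not taken from the FBI alert or from this article: it groups endpoint events into attach-to-detach sessions per workstation and flags unapproved drives and bulk copies. The event schema, host names, serial numbers and byte threshold are constructed assumptions.

```python
from datetime import datetime

# Constructed endpoint telemetry; the schema is hypothetical, not a real product's.
EVENTS = [
    {"ts": "2026-05-20T09:15:00", "host": "WS-RECEPTION-01", "type": "usb_attach", "serial": "FIRM-0007", "volume": "E:"},
    {"ts": "2026-05-20T09:16:10", "host": "WS-RECEPTION-01", "type": "file_write", "path": "E:\\scans\\intake.pdf", "bytes": 2_000_000},
    {"ts": "2026-05-20T09:20:00", "host": "WS-RECEPTION-01", "type": "usb_detach", "volume": "E:"},
    {"ts": "2026-05-20T14:02:11", "host": "WS-PARALEGAL-14", "type": "usb_attach", "serial": "UNKNOWN-A1B2", "volume": "E:"},
    {"ts": "2026-05-20T14:03:40", "host": "WS-PARALEGAL-14", "type": "file_write", "path": "E:\\matters\\a.zip", "bytes": 90_000_000},
    {"ts": "2026-05-20T14:04:02", "host": "WS-PARALEGAL-14", "type": "file_write", "path": "C:\\Temp\\note.txt", "bytes": 1_000},
    {"ts": "2026-05-20T14:05:55", "host": "WS-PARALEGAL-14", "type": "file_write", "path": "E:\\matters\\b.zip", "bytes": 60_000_000},
    {"ts": "2026-05-20T14:07:30", "host": "WS-PARALEGAL-14", "type": "file_write", "path": "E:\\matters\\c.pst", "bytes": 30_000_000},
    {"ts": "2026-05-20T14:09:00", "host": "WS-PARALEGAL-14", "type": "usb_detach", "volume": "E:"},
    {"ts": "2026-05-20T16:30:00", "host": "WS-ASSOC-03", "type": "usb_attach", "serial": "UNKNOWN-C3D4", "volume": "F:"},
]
APPROVED_SERIALS = {"FIRM-0007"}   # assumed inventory of firm-issued drives
BULK_BYTES = 50_000_000            # assumed per-session threshold


def _score(session, approved, bulk_bytes):
    """Return a one-element alert list if the session is suspicious, else []."""
    reasons = []
    if session["serial"] not in approved:
        reasons.append("unapproved_device")
    if session["bytes"] >= bulk_bytes:
        reasons.append("bulk_copy")
    return [dict(session, reasons=reasons)] if reasons else []


def find_usb_exfil(events, approved=APPROVED_SERIALS, bulk_bytes=BULK_BYTES):
    """Group writes into attach..detach sessions per (host, volume) and score each."""
    open_sessions, alerts = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        volume = ev["volume"] if "volume" in ev else ev["path"][:2].upper()
        key = (ev["host"], volume)
        if ev["type"] == "usb_attach":
            open_sessions[key] = {"host": ev["host"], "serial": ev["serial"],
                                  "attached": ev["ts"], "bytes": 0, "files": 0}
        elif ev["type"] == "file_write" and key in open_sessions:
            open_sessions[key]["bytes"] += ev["bytes"]   # writes to fixed disks never match
            open_sessions[key]["files"] += 1
        elif ev["type"] == "usb_detach" and key in open_sessions:
            alerts += _score(open_sessions.pop(key), approved, bulk_bytes)
    for session in open_sessions.values():               # drive still attached at end of log
        alerts += _score(session, approved, bulk_bytes)
    return alerts


if __name__ == "__main__":
    for alert in find_usb_exfil(EVENTS):
        print(alert)
```

A drive that is attached but never written to still raises an alert, since an unapproved device on a workstation is worth a look before any copy starts.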

Why This Matters

The shift to physical intrusion signals that SRG has determined some targets are too valuable to compromise remotely. When attackers are willing to put operatives at risk of arrest by entering buildings, it suggests the payoff from law firm data is worth the operational exposure.

For security teams, this means physical security and information security can no longer be treated as separate domains. The same threat actor briefings covering ransomware gangs now need to inform physical access policies.

Law firms in particular should treat this FBI warning as a call to action. If you handle high-value litigation or M&A work, or represent clients that would attract nation-state interest, you're a target. The question isn't whether SRG will call—it's whether your staff will recognize the social engineering when it happens.
