The Silent Ransom Group has taken its campaign against American law firms into the physical world. In a FLASH alert issued May 26, 2026, the format the FBI uses for time-sensitive threat information shared directly with affected industries, the bureau warned that the Russia-linked extortion gang has begun sending operatives into law firm offices in person, impersonating IT support staff to gain hands-on access to systems when remote social engineering fails.

The escalation marks a significant tactical evolution for a group that has operated primarily through phone and phishing channels since at least 2023. It also represents the first FBI FLASH-level warning about Silent Ransom Group (SRG), suggesting the bureau views the new physical intrusion tactic as a materially increased threat requiring immediate attention.

How the Attack Chain Works

The standard SRG playbook begins with a phone call or phishing email. Operatives contact law firm employees while impersonating the firm's own IT department and frame the outreach as urgent: a security scan, a maintenance window, a follow-up to a phishing alert the employee supposedly triggered. The goal is to talk the employee into opening a remote desktop session, which hands the operative interactive access to the workstation through software the employee launched themselves, with no malware to deploy and nothing for endpoint protection to catch.

When that remote approach fails — when employees are suspicious, don’t cooperate, or simply hang up — SRG sends a person.

An operative arrives at the office in person. They present themselves as IT support, often armed with enough social context about the firm (obtained through prior reconnaissance or open source intelligence) to appear credible. Once inside, they connect external devices, access workstations, or create persistent footholds that remote access alone couldn’t establish.

The FBI’s alert identifies specific indicators that law firms should treat as high-priority red flags:

  • Unauthorized USB drives or external hard drives connected to company computers
  • Unidentified individuals on premises claiming to be IT support
  • Unexpected remote desktop session requests from someone claiming to be internal helpdesk
  • Phishing emails referencing subscription charges with instructions to call a support number (a callback-phishing lure: the "support line" is staffed by the operatives)

Scale of the Campaign

At least 38 law firms have already had data published on SRG’s public leak site, indicating those organizations declined to pay the ransom or negotiations broke down. Researchers tracking the group say the total attack count exceeds 100, with activity surging sharply in early 2026.

The victim list includes some of the largest and most prestigious names in US law:

  • Orrick, Herrington & Sutcliffe — a firm with over 25 global offices and more than $1.5 billion in annual revenue — had its data posted publicly in January 2026 after refusing the group’s demand
  • Jones Day faced similar exposure in the first quarter of 2026
  • Wood Smith Henning & Berman was named in the same period
  • As recently as May 6, 2026, SRG claimed responsibility for a breach at Ropers Majeski

Law firms are uniquely attractive targets for data-focused extortion groups. They hold some of the most sensitive information in existence: M&A deal terms, litigation strategies, client communications protected by attorney-client privilege, regulatory submissions, patent filings, and real estate transaction details. The threat of publishing that data — not encrypting it, but simply leaking it publicly — creates enormous pressure to pay.

Why Law Firms Specifically

SRG’s focus on the legal sector is deliberate. Unlike hospitals, which face regulatory pressure and public scrutiny when they pay ransomware gangs, law firms operate in a space where confidentiality is foundational to the business model. A firm that has its client communications leaked suffers reputational damage that can be existential — clients leave, new business evaporates, and the firm may face bar association scrutiny for failing to protect privileged materials.

The group exploits this dynamic precisely. It does not encrypt. It does not demand cryptocurrency for decryption. It steals data, threatens to publish, and charges for silence — a cleaner extortion model that sidesteps some of the operational complexity of deploying ransomware while delivering comparable leverage.

SRG has operated in this mode since approximately 2023, when it emerged targeting law firms and other professional services organizations. The FBI’s first warning about SRG came roughly 12 months ago; Tuesday’s FLASH alert is its second in that period, and the severity upgrade reflects the bureau’s view that the in-person escalation represents a new threat tier.

Russia Nexus and Criminal Infrastructure

SRG is assessed as Russia-linked, though its precise relationship to Russian intelligence services remains unclear. The group appears to operate at the intersection of organized cybercrime and state-aligned operations — a familiar grey zone in which groups pursue financially motivated attacks while broadly serving Kremlin interests by targeting Western professional infrastructure.

The in-person component — sending operatives into US law offices — implies a level of organizational infrastructure that goes beyond typical cybercrime gangs. Physical presence in the United States requires either local operatives, recruited insiders, or individuals traveling with cover identities. The FBI alert does not detail how SRG is resourcing its on-the-ground operations.

What Law Firms Should Do Now

The FBI’s recommendations map to both the remote and physical attack vectors:

For the remote vector: Train staff to recognize vishing calls impersonating IT. Establish a verbal verification protocol — if IT calls you, hang up and call the internal helpdesk number directly. Never initiate a remote desktop session at the request of an inbound caller.

For the physical vector: Require badge access or escort for all visitors. Train reception and office staff to challenge unannounced individuals claiming to be IT. No IT work — including plugging in USB devices or accessing workstations — should occur without prior scheduling through formal channels and confirmation with a known IT contact.

For detection: Monitor for unexpected remote desktop sessions, newly attached removable storage devices, and accounts reading data outside their normal hours or outside the matters they usually work on. Both the remote and the physical intrusion only pay off once the operative has authenticated access to the firm's data, so behavioral anomalies in access logs, not malware signatures, are the primary detection signal.
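The indicators the FBI lists and the detection guidance above translate into a small set of rules over endpoint and file-access telemetry. The following is an added example, not code from the FBI alert or from this page: it runs three rules over constructed sample records (an unscheduled remote session, removable media whose serial is not on the firm's allowlist, and repeated off-hours reads of matter files) and then rolls findings up per host, so a single workstation that trips more than one rule is escalated as the full chain rather than three separate tickets. The tab-separated record format, the hostnames, user names, ticket IDs, device serials, the working-hours window and the thresholds are all assumptions for the example; real telemetry (Windows event logs, EDR or RMM audit trails, document-management system logs) has to be mapped onto the same fields first.

```python
"""Added detection example (not from the FBI alert or the page): three simple
rules over constructed telemetry, one per indicator in the alert, plus a
per-host roll-up so a workstation that trips more than one rule is escalated.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records, tab-separated: timestamp, host, user, event, key=value details.
# Hostnames, users, ticket IDs and device serials are invented for the example.
SAMPLE_LOGS = """\
2026-05-26T09:12:03\tWS-PARALEGAL-07\tjdoe\tREMOTE_SESSION_START\ttool=rdp ticket=IT-4412
2026-05-26T13:47:20\tWS-PARTNER-02\tasmith\tREMOTE_SESSION_START\ttool=remote_support ticket=-
2026-05-26T14:02:11\tWS-PARTNER-02\tasmith\tUSB_MASS_STORAGE_ATTACHED\tvendor=0781 serial=4C530001
2026-05-27T02:31:09\tWS-PARTNER-02\tasmith\tFILE_READ\tshare=matters path=M-2291/deal_terms.docx
2026-05-27T02:33:50\tWS-PARTNER-02\tasmith\tFILE_READ\tshare=matters path=M-2302/term_sheet.docx
2026-05-27T10:15:00\tWS-RECEPTION-01\tfront_desk\tUSB_MASS_STORAGE_ATTACHED\tvendor=0781 serial=APPROVED01
2026-05-27T11:02:44\tWS-PARALEGAL-07\tjdoe\tFILE_READ\tshare=matters path=M-2291/exhibit_a.pdf
"""

SCHEDULED_TICKETS = {"IT-4412"}        # assumed helpdesk bookings for remote sessions
APPROVED_USB_SERIALS = {"APPROVED01"}  # assumed firm-provisioned removable media
WORK_HOURS = (7, 20)                   # assumed normal window, 07:00-19:59 local
OFF_HOURS_THRESHOLD = 2                # reads per user per day before alerting


def parse_logs(text):
    """Turn the tab-separated records into dicts; key=value details become fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, detail = line.split("\t", 4)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "event": event, **fields})
    return events


def detect(events):
    """Apply the three indicator rules and return a list of findings."""
    findings = []
    off_hours = defaultdict(list)  # (user, host, date) -> paths read outside WORK_HOURS
    for e in events:
        if e["event"] == "REMOTE_SESSION_START" and e.get("ticket") not in SCHEDULED_TICKETS:
            # Remote session with no prior helpdesk booking: the vishing vector.
            findings.append({"rule": "unscheduled_remote_session", "host": e["host"],
                             "user": e["user"], "detail": e.get("tool", "?")})
        elif e["event"] == "USB_MASS_STORAGE_ATTACHED" and e.get("serial") not in APPROVED_USB_SERIALS:
            # Removable media the firm did not issue: the on-premises vector.
            findings.append({"rule": "unapproved_removable_media", "host": e["host"],
                             "user": e["user"], "detail": e.get("serial", "?")})
        elif e["event"] == "FILE_READ":
            start, end = WORK_HOURS
            if not (start <= e["ts"].hour < end):
                off_hours[(e["user"], e["host"], e["ts"].date())].append(e.get("path", "?"))
    # Only alert on repeated off-hours reads so a single late-night lookup does not page anyone.
    for (user, host, day), paths in off_hours.items():
        if len(paths) >= OFF_HOURS_THRESHOLD:
            findings.append({"rule": "off_hours_data_access", "host": host, "user": user,
                             "detail": f"{len(paths)} reads on {day}"})
    return findings


def escalate(findings):
    """Hosts that trip more than one distinct rule. One workstation combining an
    unscheduled session, foreign USB media and off-hours reads is the alert's
    full chain and belongs with the incident lead, not in a ticket queue."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return {host: sorted(rules) for host, rules in rules_by_host.items() if len(rules) > 1}


if __name__ == "__main__":
    found = detect(parse_logs(SAMPLE_LOGS))
    for f in found:
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['detail']}")
    print("escalate:", escalate(found))
```

On the sample data the reception desk's approved drive and the paralegal's daytime reads produce nothing, while WS-PARTNER-02 trips all three rules and is the only host `escalate()` returns. The scheduled-ticket check is the code form of the "no IT work without prior scheduling" rule: any remote session the helpdesk did not book is a finding regardless of what the caller said.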

For firms that have already received contact from SRG — whether by phone, email, or in person — the FBI asks that you contact your local field office immediately and preserve all communications.
