For some ransomware crews, the fastest route to a payout may no longer be locking systems. It may be walking through the front door.
The FBI has warned that Silent Ransom Group, a cybercrime group known for phishing and phone-based IT support scams, has expanded its tactics to include physical impersonation. According to the bureau, the group may send an actor to a victim’s workplace to gain access and insert a storage device when remote access attempts fail.
That shift makes the threat harder to contain with email filters and endpoint tools alone. For organizations handling legal, financial, healthcare, or insurance data, the risk now extends from the inbox to the front desk.
Details about the FBI warning
According to BleepingComputer, the bureau released a notification in May 2025 warning about the group, which it says has been targeting US companies since 2023 after breaking away from the now-defunct Conti group.
Although the group primarily targets US-based law firms, the FBI says it has also been targeting the financial, healthcare, and insurance sectors, most likely because these sectors possess highly sensitive information.
The group is also tracked under the aliases Luna Moth, Chatty Spider, and UNC3753. Its mode of operation (MO) involves posing as IT support teams via email or phone calls to trick its victims into granting it access to work systems “through legitimate remote access tools.”
According to the bureau, these actors have begun moving beyond remote compromises to physical impersonation, using their typical IT support facade. While they’ve maintained the initial MO, the bureau notes that when such attempts go south, they switch to the physical impersonation playbook.
“While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer.”
Upon gaining physical access to the device, the threat actor plugs a storage device into the target’s computer and exfiltrates data under the guise of either inspecting the system or providing technical assistance.
That progression helps explain why the bureau may have revisited the group: the attacks have now spread past remote fraud into the workplace itself, and victims are falling for them. For organizations handling sensitive information, the shift widens the number of paths attackers may use to reach valuable data.
What happens after physical access
Unlike traditional ransomware groups, SRG does not encrypt its victims’ data. Instead, it pressures them into paying a ransom to keep the data from being exposed. It operates a Data Leak Site (DLS), on which it has reportedly dumped data from several victims.
According to a report from The Register, the group listed Jones Day, the legal firm used by President Trump during his election campaigns, on its DLS. Although the firm reported a “cyber phishing incident” in April, SRG wasn’t named.
In its advisory, the FBI listed several recommendations organizations can follow to remain safe. These include training staff to detect and report phishing attempts, implementing access control and communication policies, and blocking channels for data exfiltration.
Organizations are also urged to train staff to verify the identities of anyone entering the company’s premises and to preserve a copy of each ID.
The FBI asked organizations with information about SRG activity to contact their local FBI field office or submit a report through the Internet Crime Complaint Center.