Silent Ransom Group Targets Businesses With Fake IT Support And In-Person Data Theft
A cybercrime group known as Silent Ransom Group is escalating its extortion tactics by impersonating IT support staff, and in some cases physically entering offices to steal data from company computers.
Cybersecurity researchers from Google Mandiant and Google Threat Intelligence Group have warned that the group, also tracked as UNC3753, Luna Moth and Chatty Spider, targeted dozens of organisations across the United States between January and May 2026.
The campaign has focused primarily on professional services, legal and financial firms, with law firms remaining a major target because of the sensitivity of the client information they hold.
Unlike many ransomware groups, Silent Ransom Group does not usually rely on encrypting company files and demanding payment for a decryption key. Instead, the group focuses on gaining access quickly, stealing sensitive documents and then pressuring victims to pay by threatening to leak or sell the stolen data.
The group’s tactics centre on social engineering. Attackers pose as internal IT helpdesk or security staff and contact employees by phone or email. The aim is to convince the target that there is a legitimate technical issue, such as a security concern, data migration problem or invoice-related matter.
If the victim engages, the attacker attempts to move the conversation into a remote support session. From there, they may persuade the employee to grant access to their computer or install legitimate remote access software. Because the tools involved are often widely used for genuine IT support, the activity can be harder for automated security systems to detect.
Google Mandiant said the group’s operations can move quickly, with some attacks progressing from initial contact to data theft and extortion within a single business day. In some cases, data searches and theft have reportedly begun within an hour.
The most striking development is the use of in-person intrusions. The FBI has warned that, when remote social engineering fails, Silent Ransom Group actors may send someone to the victim’s workplace posing as an IT support worker. That individual then attempts to gain access to an employee’s computer under the pretence of fixing an issue, creating a backup or imaging a device.
Once physical access is obtained, the attacker may use removable storage to copy files directly from the machine. The FBI has identified unauthorised USB drives, external hard drives and unknown individuals claiming to be IT personnel as possible warning signs of this style of attack.
The stolen information can include legal agreements, tax records, financial documents, personally identifiable information, corporate files and client data. For law firms, the stakes can be especially high because files may contain privileged communications, merger and acquisition material, trade secrets and regulatory information.
After stealing data, Silent Ransom Group sends extortion demands, often soon after leaving the victim environment. The group may threaten to publish stolen files on a leak site, contact employees or notify clients in an effort to increase pressure on the victim organisation.
The campaign highlights a growing problem for businesses: cybersecurity is no longer only about defending networks from malware. Attackers are increasingly blending phishing, voice calls, trusted software and physical access to bypass traditional defences.
That makes staff verification procedures more important. Businesses should ensure employees know how to confirm whether an IT support request is genuine before granting remote access, installing tools or allowing someone to touch a device. Any unexpected IT contact, especially one involving urgency, remote access or physical access to a workstation, should be independently verified through an approved internal channel.
Organisations should also restrict the use of remote access tools, monitor for unusual installation activity, enforce multi-factor authentication, limit USB storage access and log unusual file transfers to cloud storage or external destinations.
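The following Python script is an added illustration, not code from the article or from the researchers it cites: it correlates constructed endpoint telemetry for the pattern described above, an unapproved remote support tool or a removable drive appearing on a workstation followed by bulk data leaving it within the hour. The tool allowlist, the size thresholds and the event format are assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Assumed policy values (placeholders, not taken from the article).
APPROVED_REMOTE_TOOLS = {"corp-helpdesk-agent.exe"}
WINDOW = timedelta(hours=1)          # article: theft can start within an hour
BULK_BYTES = 200 * 1024 * 1024       # outbound transfer size worth an alert
BULK_FILES = 500                     # files copied to removable media worth an alert

# Constructed telemetry, one JSON event per line (not real logs).
SAMPLE_LOG = """\
{"ts":"2026-03-10T09:02:00","host":"LEGAL-WS07","type":"remote_tool_install","image":"corp-helpdesk-agent.exe"}
{"ts":"2026-03-10T09:10:00","host":"LEGAL-WS07","type":"outbound_transfer","dest":"files.example.test","bytes":5000000}
{"ts":"2026-03-10T14:03:00","host":"FIN-WS12","type":"remote_tool_install","image":"quicksupport-unapproved.exe"}
{"ts":"2026-03-10T14:41:00","host":"FIN-WS12","type":"outbound_transfer","dest":"drop.example.test","bytes":900000000}
{"ts":"2026-03-11T16:20:00","host":"RECEPT-WS01","type":"usb_mass_storage","serial":"CONSTRUCTED-USB-1"}
{"ts":"2026-03-11T16:35:00","host":"RECEPT-WS01","type":"file_copy_removable","files":1400}
"""

def parse_events(text):
    """Parse JSON lines into dicts sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def is_trigger(e):
    """Initial-access signals: an unapproved remote tool, or removable storage."""
    if e["type"] == "remote_tool_install":
        return e["image"] not in APPROVED_REMOTE_TOOLS
    return e["type"] == "usb_mass_storage"

def is_exfil(e):
    """Bulk data movement off the host, over the network or to removable media."""
    return (e["type"] == "outbound_transfer" and e["bytes"] >= BULK_BYTES) or \
           (e["type"] == "file_copy_removable" and e["files"] >= BULK_FILES)

def correlate(events):
    """Return (host, trigger_type, exfil_type, minutes) for each trigger that is
    followed by bulk data movement on the same host within WINDOW."""
    alerts = []
    for t in filter(is_trigger, events):
        for e in events:
            if e["host"] == t["host"] and is_exfil(e) and t["ts"] <= e["ts"] <= t["ts"] + WINDOW:
                minutes = int((e["ts"] - t["ts"]).total_seconds() // 60)
                alerts.append((t["host"], t["type"], e["type"], minutes))
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOG)):
        print("ALERT host=%s %s -> %s after %d min" % a)
```

The approved helpdesk agent on LEGAL-WS07 produces no alert, while the unapproved tool on FIN-WS12 and the removable drive on RECEPT-WS01 each do, which is the distinction the allowlist and USB controls above are meant to make visible.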
Physical security teams also have a role to play. Reception staff, office managers and employees should be trained to challenge unknown visitors claiming to be technical support, even if they appear confident or use familiar terminology. Contractors and IT visitors should be checked against scheduled appointments and verified through company contacts before being allowed near staff devices.
For Australian businesses, the warning is relevant even though the latest campaign has focused on the United States. The same techniques can be used anywhere, and professional services firms, legal practices, accounting firms and financial advisers hold exactly the kind of sensitive client data extortion groups want.
The Silent Ransom Group campaign is a reminder that attackers do not always need a sophisticated exploit to breach a company. Sometimes they only need a convincing story, a phone call and an employee who believes they are helping the IT department.
The old boundary between cyber security and physical security is becoming less useful. Businesses now need to defend both the network and the front door.