Even your physical offices are not safe from hackers: experts warn that Silent Ransom Group breaks into companies to launch ransomware and extortion campaigns.

SRG Affected Dozens of US Companies Through IT Support Spoofing, Including In-Person Intrusions
Attackers stole data via USB exfiltration on the site and then extorted victims
Group linked to BazarCall, Conti and Ryuk, with law firms as main focus

Hackers known as Silent Ransom Group (SRG) have been targeting different companies in the US, compromising “dozens” between January and May 2026, experts have warned.

Cybersecurity researchers at Google Mandiant and Google Threat Intelligence Group (GTIG) have echoed the warnings shared by the FBI, pointing out how the hackers, also known as Chatty Spider, Luna Moth or UNC3753, primarily targeted professional, legal and financial services companies.

Their tactic is simple: impersonate the IT department, trick victims into granting them access to their computers, and then use that access to deploy information thieves or steal files on the spot.

Enter the offices

In some cases, hackers would call their victims on the phone and pose as IT support, similar to what ShinyHunters used to do last year. However, SRG took the scam to a whole new level by having its members enter their targets’ offices (in person) and use the computers on the spot.

“By sending someone in person to the victim’s location to facilitate the intrusion, SRG actors extract data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI said at the time.

Once the data is stolen, the attackers begin ransom negotiations and offer to delete the files in exchange for payment. Victims are usually warned that data will be publicly leaked if they refuse to comply, and a dedicated website is also created for that purpose.

SRG was first seen in 2022 and while it affected organizations across different industries, it is primarily focused on US law firms. Some sources said the group was previously linked to BazarCall campaigns, as well as Conti and Ryuk ransomware incidents.