
Ransomware Gang Sends Fake IT Workers to Offices in Person

Huma Shazia · 5 June 2026 at 10:22 pm · 5 min read

Key Takeaways

Source: TechCrunch
  • Silent Ransom Group now sends fake IT workers into victim offices to physically steal data
  • At least 12 law firms were targeted between January and May 2026
  • The FBI confirms multiple instances of attackers gaining physical access to corporate devices

From Phishing to Physical: A New Ransomware Tactic

Ransomware attackers have found a new way past your firewall: the front door. Google and the FBI issued warnings Friday about a cybercriminal gang that now sends fake IT workers directly into victims' offices. The imposters steal data using USB drives or help remote gang members connect to company computers.

The group, known as Silent Ransom Group (tracked by researchers as UNC3753), targeted at least 12 law firms between January and May 2026. Google's Mandiant and Threat Intelligence Group detailed the campaign in a new report, describing attacks that used "physical, in-person access" to bypass digital defenses entirely.

12+ law firms targeted by Silent Ransom Group's physical infiltration campaign in the first five months of 2026

How the Attacks Work

The gang's playbook combines old-school social engineering with in-person deception. It typically starts with phishing emails and follow-up phone calls. Attackers pretend to be the company's IT support, building trust before the physical visit.

Once inside, the fake technicians connect to employee workstations. They use USB drives to copy files or install remote access tools that let other gang members connect later. Stolen data includes contracts, Social Security numbers, and financial records.

Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks.

— Charles Carmakal, Chief Technology Officer, Mandiant

The FBI confirmed the tactic in a statement to TechCrunch: "We can confirm we have seen multiple instances of individuals impersonating IT support who have gained or attempted to gain physical in-person access to victim companies' offices and/or devices."

Extortion Without Encryption

Unlike traditional ransomware that encrypts files and demands payment for a decryption key, Silent Ransom Group skips the encryption step. Instead, they steal data and threaten to publish it on their leak site if victims don't pay.

The gang emails victims directly with threats. In one message obtained by Google, the hackers wrote: "In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data."

This data-theft-only model has become increasingly common among cybercriminals. It's faster to execute, harder to detect, and creates the same pressure on victims who can't afford public exposure of sensitive client information.

Why Law Firms Are Prime Targets

Law firms hold exactly the kind of data that makes extortion effective: privileged client communications, merger details, litigation strategy, and personal financial records. A leak doesn't just embarrass the firm. It can destroy client relationships and trigger malpractice claims.

The physical access tactic works particularly well against professional services firms. Employees expect visits from IT contractors. A confident person with a clipboard and a story about "scheduled maintenance" often gets waved through without verification.

What Security Teams Are Saying

The security community response has been blunt. Discussions on r/netsec and Hacker News emphasize that physical security and cybersecurity can no longer be treated as separate disciplines.

Organizations must now treat physical security and cybersecurity as a single, integrated discipline; a badge swipe is now a digital attack vector.

— Cybersecurity Consultant, Industry Defense Forum

Some professionals are advocating for strict physical identity verification protocols for anyone claiming to be IT support. Others recommend disabling USB ports on corporate devices entirely, accepting the inconvenience as a necessary defense against physical data theft.

How to Protect Your Organization

Defending against this threat requires changes to both technical controls and employee behavior. Here's what security teams should prioritize:

  • Verify all IT support visits through a separate channel before granting any access
  • Require photo ID and confirmation calls to known IT department numbers
  • Disable USB ports on workstations or use endpoint protection that blocks unauthorized devices
  • Train reception and administrative staff to challenge unfamiliar visitors
  • Implement strict visitor logging with escort requirements for non-employees

The FBI's May alert specifically warned organizations to be suspicious of unsolicited IT support calls and visits. If someone shows up claiming to fix a problem you didn't report, that's a red flag.
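One way to turn the "problem you didn't report" check into detection logic is sketched below. It is an added example, not code from the article, Google or the FBI. The hostnames, ticket IDs, event type names and the 30-minute escalation window are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; hostnames, ticket ids and event types are
# assumptions for this example, not values from the article.
WORK_ORDERS = [  # visits confirmed by calling a known IT department number
    {"ticket": "WO-1001", "host": "WS-LEGAL-07",
     "start": "2026-05-12T09:00", "end": "2026-05-12T11:00"},
]
EVENTS = [  # endpoint telemetry, e.g. exported from an EDR or SIEM
    {"time": "2026-05-12T09:30", "host": "WS-LEGAL-07", "type": "usb_storage_attach"},
    {"time": "2026-05-12T11:30", "host": "WS-LEGAL-07", "type": "usb_storage_attach"},
    {"time": "2026-05-12T14:05", "host": "WS-LEGAL-12", "type": "usb_storage_attach"},
    {"time": "2026-05-12T14:11", "host": "WS-LEGAL-12", "type": "remote_tool_install"},
    {"time": "2026-05-12T14:20", "host": "WS-LEGAL-12", "type": "user_logon"},
]
WATCHED = {"usb_storage_attach", "remote_tool_install"}


def ts(value):
    return datetime.fromisoformat(value)


def is_covered(event, orders):
    """True if an approved work order names this host and spans the event time."""
    return any(o["host"] == event["host"]
               and ts(o["start"]) <= ts(event["time"]) <= ts(o["end"])
               for o in orders)


def unapproved_activity(events, orders):
    """Watched events with no matching work order (wrong host or outside window)."""
    return [e for e in events if e["type"] in WATCHED and not is_covered(e, orders)]


def hosts_to_escalate(events, orders, window=timedelta(minutes=30)):
    """Hosts where an unapproved USB attach is followed by an unapproved
    remote-access tool install within `window` (assumed heuristic)."""
    flagged = unapproved_activity(events, orders)
    hosts = set()
    for usb in (e for e in flagged if e["type"] == "usb_storage_attach"):
        for tool in (e for e in flagged if e["type"] == "remote_tool_install"):
            gap = ts(tool["time"]) - ts(usb["time"])
            if tool["host"] == usb["host"] and timedelta(0) <= gap <= window:
                hosts.add(usb["host"])
    return sorted(hosts)
```

The 11:30 attach on WS-LEGAL-07 is flagged even though that host had a ticket earlier in the day, because the approved window had already closed.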

The Bigger Picture

This campaign represents a significant shift in ransomware operations. Digital defenses have improved enough that some attackers find it easier to walk through the door than to break through the network perimeter.

Mandiant's Carmakal noted the company has seen physical infiltration tactics in other cases over the years. But the scale and coordination of Silent Ransom Group's campaign suggest this approach is becoming a standard playbook item, not just an occasional tactic.

For organizations that have invested heavily in network security while neglecting physical access controls, this is a wake-up call. Your most sophisticated firewall means nothing if an attacker can plug a USB drive into an unlocked workstation.

Frequently Asked Questions

What is Silent Ransom Group?

Silent Ransom Group (also tracked as UNC3753) is a cybercriminal gang that steals data from organizations and threatens to publish it unless victims pay. Unlike traditional ransomware groups, they don't encrypt files. They focus on data theft and extortion.

How do fake IT workers gain access to offices?

Attackers first build trust through phishing emails and phone calls pretending to be IT support. They then send someone in person claiming to perform maintenance. Without proper verification, employees often grant these imposters access to workstations.

Why are law firms being targeted?

Law firms hold highly sensitive client data including financial records, contracts, and privileged communications. A data leak can damage client relationships and expose the firm to malpractice liability, making victims more likely to pay extortion demands.

How can organizations defend against physical IT impersonation?

Verify all IT visits through a separate channel before granting access. Require photo ID, disable or monitor USB ports, train staff to challenge unfamiliar visitors, and implement strict visitor logging with escort requirements.

Is this type of attack common?

Physical infiltration has historically been rare compared to digital attacks. However, Google's Mandiant says it has seen this tactic in multiple cases over the years, and the scale of Silent Ransom Group's 2026 campaign suggests it's becoming more mainstream.

Source: TechCrunch / Lorenzo Franceschi-Bicchierai

Huma Shazia

Senior AI & Tech Writer
