Ransomware Gang Sends Fake IT Workers to Offices in Person

Key Takeaways

- Silent Ransom Group now sends fake IT workers into victim offices to physically steal data
- At least 12 law firms were targeted between January and May 2026
- The FBI confirms multiple instances of attackers gaining physical access to corporate devices
From Phishing to Physical: A New Ransomware Tactic
Ransomware attackers have found a new way past your firewall: the front door. Google and the FBI issued warnings Friday about a cybercriminal gang that now sends fake IT workers directly into victims' offices. The imposters steal data using USB drives or help remote gang members connect to company computers.
The group, known as Silent Ransom Group (tracked by researchers as UNC3753), targeted at least 12 law firms between January and May 2026. Google's Mandiant and Threat Intelligence Group detailed the campaign in a new report, describing attacks that used "physical, in-person access" to bypass digital defenses entirely.
How the Attacks Work
The gang's playbook combines old-school social engineering with in-person deception. It typically starts with phishing emails and follow-up phone calls. Attackers pretend to be the company's IT support, building trust before the physical visit.
Once inside, the fake technicians connect to employee workstations. They use USB drives to copy files or install remote access tools that let other gang members connect later. Stolen data includes contracts, Social Security numbers, and financial records.
“Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks.”
— Charles Carmakal, Chief Technology Officer, Mandiant
The FBI confirmed the tactic in a statement to TechCrunch: "We can confirm we have seen multiple instances of individuals impersonating IT support who have gained or attempted to gain physical in-person access to victim companies' offices and/or devices."
Extortion Without Encryption
Unlike traditional ransomware that encrypts files and demands payment for a decryption key, Silent Ransom Group skips the encryption step. Instead, they steal data and threaten to publish it on their leak site if victims don't pay.
The gang emails victims directly with threats. In one message obtained by Google, the hackers wrote: "In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data."
This data-theft-only model has become increasingly common among cybercriminals. It's faster to execute, harder to detect, and creates the same pressure on victims who can't afford public exposure of sensitive client information.
Why Law Firms Are Prime Targets
Law firms hold exactly the kind of data that makes extortion effective: privileged client communications, merger details, litigation strategy, and personal financial records. A leak doesn't just embarrass the firm. It can destroy client relationships and trigger malpractice claims.
The physical access tactic works particularly well against professional services firms. Employees expect visits from IT contractors. A confident person with a clipboard and a story about "scheduled maintenance" often gets waved through without verification.
What Security Teams Are Saying
The security community response has been blunt. Discussions on r/netsec and Hacker News emphasize that physical security and cybersecurity can no longer be treated as separate disciplines.
“Organizations must now treat physical security and cybersecurity as a single, integrated discipline; a badge swipe is now a digital attack vector.”
— Cybersecurity Consultant, Industry Defense Forum
Some professionals are advocating for strict physical identity verification protocols for anyone claiming to be IT support. Others recommend disabling USB ports on corporate devices entirely, accepting the inconvenience as a necessary defense against physical data theft.
How to Protect Your Organization
Defending against this threat requires changes to both technical controls and employee behavior. Here's what security teams should prioritize:
- Verify all IT support visits through a separate channel before granting any access
- Require photo ID and confirmation calls to known IT department numbers
- Disable USB ports on workstations or use endpoint protection that blocks unauthorized devices
- Train reception and administrative staff to challenge unfamiliar visitors
- Implement strict visitor logging with escort requirements for non-employees
The FBI's May alert specifically warned organizations to be suspicious of unsolicited IT support calls and visits. If someone shows up claiming to fix a problem you didn't report, that's a red flag.
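The checklist above pairs visit verification with USB controls. As an added example (not from the original article or from Google's or the FBI's reporting), the sketch below shows how a security team could correlate the two during triage. The event schema, host names, device serials and tool name are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data; the record schema is hypothetical, not a real EDR format.
APPROVED_USB_SERIALS = {"IT-KEY-0001"}
VERIFIED_VISITS = [  # visits confirmed by a call-back to a known IT department number
    {"host": "WS-014", "start": "2026-03-02T09:00", "end": "2026-03-02T10:00"},
]
EVENTS = [
    {"time": "2026-03-02T09:15", "host": "WS-014", "type": "usb_storage_attach", "serial": "IT-KEY-0001"},
    {"time": "2026-03-04T13:05", "host": "WS-022", "type": "usb_storage_attach", "serial": "UNKNOWN-7F3A"},
    {"time": "2026-03-04T13:12", "host": "WS-022", "type": "remote_tool_install", "name": "example-remote-tool"},
    {"time": "2026-03-05T11:30", "host": "WS-031", "type": "remote_tool_install", "name": "example-remote-tool"},
]

def _t(stamp):
    return datetime.fromisoformat(stamp)

def visit_verified(host, when, visits):
    """True if a verified IT visit covers this host at this time."""
    return any(v["host"] == host and _t(v["start"]) <= when <= _t(v["end"]) for v in visits)

def triage(events, visits, approved, window=timedelta(minutes=30)):
    """Return (host, time, severity, reason) tuples for activity outside verified visits."""
    alerts = []
    last_bad_usb = {}  # host -> time of the most recent unapproved USB storage attach
    for ev in sorted(events, key=lambda e: e["time"]):
        when, host = _t(ev["time"]), ev["host"]
        verified = visit_verified(host, when, visits)
        if ev["type"] == "usb_storage_attach":
            if ev["serial"] not in approved:
                last_bad_usb[host] = when
                alerts.append((host, ev["time"], "high", "unapproved USB storage"))
            elif not verified:
                alerts.append((host, ev["time"], "medium", "approved USB outside verified visit"))
        elif ev["type"] == "remote_tool_install" and not verified:
            prior = last_bad_usb.get(host)
            chained = prior is not None and when - prior <= window
            reason = ("remote tool installed after unapproved USB" if chained
                      else "remote tool installed outside verified visit")
            alerts.append((host, ev["time"], "critical" if chained else "high", reason))
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS, VERIFIED_VISITS, APPROVED_USB_SERIALS):
        print(alert)
```

The USB attach on WS-014 raises nothing because it uses an approved device during a verified visit; the other three events produce alerts, with the WS-022 install escalated because it follows an unapproved device within the window.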
The Bigger Picture
This campaign represents a significant shift in ransomware operations. Digital defenses have improved enough that some attackers find it easier to walk through the door than to break through the network perimeter.
Mandiant's Carmakal noted the company has seen physical infiltration tactics in other cases over the years. But the scale and coordination of Silent Ransom Group's campaign suggest this approach is becoming a standard playbook item, not just an occasional tactic.
For organizations that have invested heavily in network security while neglecting physical access controls, this is a wake-up call. Your most sophisticated firewall means nothing if an attacker can plug a USB drive into an unlocked workstation.
Frequently Asked Questions
What is Silent Ransom Group?
Silent Ransom Group (also tracked as UNC3753) is a cybercriminal gang that steals data from organizations and threatens to publish it unless victims pay. Unlike traditional ransomware groups, they don't encrypt files. They focus on data theft and extortion.
How do fake IT workers gain access to offices?
Attackers first build trust through phishing emails and phone calls pretending to be IT support. They then send someone in person claiming to perform maintenance. Without proper verification, employees often grant these imposters access to workstations.
Why are law firms being targeted?
Law firms hold highly sensitive client data including financial records, contracts, and privileged communications. A data leak can damage client relationships and expose the firm to malpractice liability, making victims more likely to pay extortion demands.
How can organizations defend against physical IT impersonation?
Verify all IT visits through a separate channel before granting access. Require photo ID, disable or monitor USB ports, train staff to challenge unfamiliar visitors, and implement strict visitor logging with escort requirements.
Is this type of attack common?
Physical infiltration has historically been rare compared to digital attacks. However, Google's Mandiant says it has seen this tactic in multiple cases over the years, and the scale of Silent Ransom Group's 2026 campaign suggests it's becoming more mainstream.
Source: TechCrunch / Lorenzo Franceschi-Bicchierai
Huma Shazia
Senior AI & Tech Writer