A ransomware gang has escalated its attacks on law firms by sending fake IT workers to enter victims’ offices physically. The imposters steal data directly from computers using USB drives — or help other gang members connect remotely. The FBI and Google have both confirmed it.
On Friday, Mandiant and Google Threat Intelligence Group published a report documenting how the Silent Ransom Group carried out physically assisted attacks against dozens of targets in the first five months of this year.
Mandiant CTO Charles Carmakal confirmed the tactic had appeared in previous investigations but had never been documented at this scale from a single organised group.
How the Silent Ransom Group Runs Its Physical Attack
The attack starts like most social engineering campaigns — a phishing email or a phone call. Imposters contact employees claiming to be internal IT support, resolving a phishing complaint, or helping with a data migration. They build enough trust to get a foot in the door. Then they make it literal.
Once inside, the fake IT workers connect to employees' computers, plug in USB drives, and exfiltrate documents, including contracts, client personal data, and financial records.
According to Google's researchers, the attackers also use screen-sharing applications and built-in features in tools like Zoom or Microsoft Teams to pull data remotely once physical access is established.
Why Law Firms Are the Primary Target
The Silent Ransom Group has focused on US law firms since 2023. The reason is straightforward: the data inside them is extraordinarily sensitive and extraordinarily valuable. Client communications, litigation strategy, merger details, intellectual property filings, and personal financial records sit inside the same systems.
This gang does not encrypt files. It steals them. The group runs a leak site, business-data-leaks[.]com, where stolen data gets published if victims refuse to pay. In messages sent directly to victims, the hackers are explicit: "In case of ignorance or no agreement, we will notify your employees, partners, and customers, after which we will publish your data."
That combination of physical intrusion, social engineering, and public exposure pressure removes several defenses organisations typically rely on. Antivirus software does not flag a human being carrying a USB drive. Firewalls do not stop someone already sitting at a terminal.
What Organisations Must Do Now
The FBI's recommendations are specific. Verify the identity of every person accessing company premises through official internal channels, not the contact number the caller provides. Train staff to treat unsolicited IT support contact as suspicious by default. Restrict USB and external drive permissions on sensitive systems. Require phishing-resistant multi-factor authentication across all accounts. Maintain regular, offline backups.
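The recommendation to restrict USB and external drive permissions is only half of the control; the other half is noticing when removable storage appears on a machine that should never see one. The following Python script is an added example, not code from the article, the FBI, Google or Mandiant. It parses a constructed log export modelled on Windows Security Event ID 6416 ("A new external device was recognized by the system", written when Audit PnP Activity is enabled) and flags any USB mass-storage device on a sensitive host whose serial is not on an approved list. The host names, user names, device serials and the approved-drive list are all invented for the example.

```python
"""Flag unapproved USB mass-storage insertions on sensitive hosts.

Added example. Records are constructed to mirror the fields of Windows
Security Event ID 6416 (DeviceId, ClassName, Computer, SubjectUserName);
every host, user and serial below is invented for illustration.
"""
from dataclasses import dataclass

# Hypothetical policy: hosts that hold client matter data, and the serial
# numbers of the few encrypted drives IT has approved for use on them.
SENSITIVE_HOSTS = {"LAW-FS01", "PARTNER-WS12"}
APPROVED_SERIALS = {"4C530009XXXX"}  # placeholder serial of an approved drive

# Constructed sample export: one event per line as key=value pairs.
# Device IDs use Windows' USBSTOR\<model>\<serial>&<instance> layout.
SAMPLE_LOG = """\
EventID=6416|TimeCreated=2025-03-04T13:02:11|Computer=PARTNER-WS12|SubjectUserName=jdoe|ClassName=DiskDrive|DeviceId=USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\7B11002211223344&0
EventID=6416|TimeCreated=2025-03-04T13:05:40|Computer=PARTNER-WS12|SubjectUserName=itsvc|ClassName=DiskDrive|DeviceId=USBSTOR\\Disk&Ven_Kingston&Prod_IronKey&Rev_2.00\\4C530009XXXX&0
EventID=6416|TimeCreated=2025-03-04T13:06:02|Computer=RECEPTION-01|SubjectUserName=front|ClassName=DiskDrive|DeviceId=USBSTOR\\Disk&Ven_Generic&Prod_Flash&Rev_8.07\\AA00BB11CC22&0
EventID=6416|TimeCreated=2025-03-04T13:09:55|Computer=LAW-FS01|SubjectUserName=helpdesk-tmp|ClassName=Keyboard|DeviceId=HID\\VID_046D&PID_C31C\\6&1a2b3c&0&0000
EventID=4624|TimeCreated=2025-03-04T13:10:01|Computer=LAW-FS01|SubjectUserName=helpdesk-tmp
"""

USBSTOR_PREFIX = "USBSTOR\\"


@dataclass(frozen=True)
class StorageEvent:
    time: str
    host: str
    user: str
    serial: str


@dataclass(frozen=True)
class Alert:
    event: StorageEvent
    reason: str


def parse_record(line: str) -> dict:
    """Split 'k=v|k=v' into a dict. partition() keeps '=' inside values intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def removable_storage_events(log_text: str) -> list[StorageEvent]:
    """Return only 6416 events for USB mass-storage (USBSTOR) disk devices."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") != "6416" or rec.get("ClassName") != "DiskDrive":
            continue  # keyboards, logons and other noise are out of scope
        device_id = rec.get("DeviceId", "")
        if not device_id.startswith(USBSTOR_PREFIX):
            continue  # internal disks and non-USB buses are not removable media
        instance = device_id.rsplit("\\", 1)[-1]   # "<serial>&<instance>"
        serial = instance.split("&")[0]
        events.append(StorageEvent(rec["TimeCreated"], rec["Computer"],
                                   rec["SubjectUserName"], serial))
    return events


def evaluate(events: list[StorageEvent],
             sensitive_hosts=SENSITIVE_HOSTS,
             approved=APPROVED_SERIALS) -> list[Alert]:
    """Alert on any removable drive on a sensitive host that is not approved."""
    return [Alert(ev, "unapproved removable storage on sensitive host")
            for ev in events
            if ev.host in sensitive_hosts and ev.serial not in approved]


def analyze(log_text: str) -> list[Alert]:
    return evaluate(removable_storage_events(log_text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        ev = alert.event
        print(f"{ev.time} {ev.host} user={ev.user} serial={ev.serial}: {alert.reason}")
```

Run against the constructed log, only the first record is raised: an unknown drive on a partner workstation. The approved IronKey on the same host and the generic drive at reception pass silently, which is the point of scoping the rule to an allowlist plus a sensitive-host set rather than alerting on every insertion. A detection like this complements the USBSTOR deny policy; it does not replace the identity verification step, since an approved drive in the hands of an imposter who talked their way into the building would still pass.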
One fix matters more than the rest: build a verification protocol where any IT request, internal or external, requires a second confirmation through a known, trusted channel. A phone call from an unknown number is not that channel.
The attack removes the line between physical security and cybersecurity. Organisations that treat them as separate problems are already behind.