Google and FBI Warn Law Firms of Ransomware Crew Dispatching Fake IT Workers

Published: June 6, 2026 Last Updated: June 6, 2026 By Mark Grantt

Ransomware crews usually hide behind encrypted chats and overseas servers. The Silent Ransom Group, tracked by Google as UNC3753, is increasingly willing to knock on the front door.

The convergence of physical and digital threats has become a defining theme across the technology industry this year, from major shifts in processor manufacturing to brazen on-site corporate intrusions. Google’s Mandiant division and the FBI have issued separate alerts warning that the group, also known as Luna Moth and Chatty Spider, has deployed physical imposters posing as IT support staff to infiltrate US law firms. The in-person intrusions, which occurred between January and May 2026 alongside remote social engineering campaigns, mark a rare escalation in tactics for an operation that has targeted the legal sector since 2023.

In a June 5 report, Google detailed how the group compromised dozens of firms. The fake technicians convinced on-site employees to grant network access, then exfiltrated contracts, Social Security numbers, and financial records via USB devices or remote desktop sessions. The FBI reinforced the warning in a May 26 FLASH alert, noting that the group leans on data-leak threats rather than file encryption, making the breaches quieter and harder to detect until extortion demands arrive. TechCrunch first reported the joint warnings.

What distinguishes this campaign is the deliberate blending of digital and physical deception. While the group still opens many attacks through phishing emails and fraudulent Zoom or Teams screen-sharing requests, failures in remote compromise trigger a backup plan: a real person showing up with a badge and a laptop. An FBI spokesperson confirmed “multiple instances” of these on-site IT impersonations tied to the group.

SRG has been active since roughly 2022, but its law firm focus reflects a calculated bet on high-value, reputation-sensitive data. By skipping encryption entirely, the group avoids the noisy system-wide outages that typically alert incident response teams, instead relying on the threat of publishing stolen files to a dedicated leak site. Google’s Threat Intelligence analysis frames the physical access component as an unusual but effective evolution of insider-style tradecraft. The company has simultaneously pushed into wearable AI hardware this spring, underscoring its wide-ranging research agenda.

The alerts suggest organizations re-evaluate visitor verification protocols with the same rigor applied to email filters. Physical access is no longer a separate concern from ransomware defense; for SRG, it is the final step in a playbook that starts with a phone call and ends with a USB stick left in a conference room.
