[TIMESTAMP: 2026-05-27 13:21 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Silent Ransom Group: FBI Warns of In-Person Data Theft at Law Firms

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Silent Ransom Group targets US law firms using physical access to corporate offices to exfiltrate sensitive legal data directly.
  • [02] The campaign affects Windows-based workstations and internal networks in legal offices with inadequate physical security controls.
  • [03] Implement multi-factor authentication for all remote access and strengthen physical perimeter controls including visitor logging and camera surveillance.

The Federal Bureau of Investigation (FBI) has issued a warning regarding a significant shift in the tactics, techniques and procedures (TTPs) employed by the extortion gang known as Silent Ransom Group (SRG), also tracked as Luna Moth. According to BleepingComputer, these attackers are now conducting in-person data theft operations against law firms across the United States. This tactical evolution indicates a move away from purely remote phishing or software exploitation toward physical compromise that bypasses perimeter defenses.

The Shift to In-Person Data Exfiltration

Unlike traditional ransomware groups that rely on malicious attachments or credential harvesting, the Silent Ransom Group is reportedly sending operatives to physical office locations. These individuals attempt to gain unauthorized access to the premises, often by tailgating legitimate employees or using social engineering to deceive reception and security personnel. Once inside, the goal is to obtain direct access to the internal network.

Technicians or “field agents” for the group reportedly deploy hardware such as USB drives or small form-factor devices like Raspberry Pis to establish a command-and-control (C2) channel. This allows the group to move laterally across the network while circumventing EDR solutions that typically flag suspicious inbound traffic from external IPs. Detecting a Silent Ransom Group physical intrusion therefore depends on spotting unexpected hardware changes and anomalies in internal traffic patterns that do not correlate with standard business hours.

Law firms are particularly lucrative targets for this group due to the nature of the data they possess, including intellectual property, sensitive litigation strategies, and personally identifiable information (PII). By gaining physical access, the group can target specific high-value workstations belonging to partners or senior counsel. The FBI’s warning suggests that the group is focused on data theft for extortion purposes rather than data encryption. This “silent” approach allows them to exfiltrate massive volumes of data before the SOC even identifies a breach.

Silent Ransom Group Mitigation Steps for Law Firms

Defending against a threat that transitions from the digital to the physical realm requires a unified security posture. Organizations should audit their physical access control systems and ensure that all entry points are monitored and logged. Security awareness training should be updated to include scenarios involving “social engineering in the lobby,” where attackers may pose as maintenance workers, delivery drivers, or IT contractors.

From a technical perspective, the SIEM should be configured to alert on any new device connecting to the network that does not match the organization’s hardware whitelist. Implementing Zero Trust principles is also a priority: even if an attacker manages to plug a device into a physical Ethernet port, that device should be met with strict network access control (NAC) requirements that mandate device authentication and prevent privilege escalation.
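A minimal detection rule of the kind this paragraph describes, as an added example (not code from the original article or any vendor product): it parses constructed DHCP-server lease lines, flags any MAC address missing from the organization’s hardware whitelist, and raises the score when the lease was issued outside business hours or the vendor prefix belongs to a Raspberry Pi. The log format, the allowlist contents and the office hours are assumptions.

```python
import re

# Constructed DHCP-server lease lines in ISC dhcpd syslog style (assumed format, not real data).
SAMPLE_LOG = """\
May 27 09:12:03 dhcp1 dhcpd: DHCPACK on 10.20.4.31 to 3c:52:82:aa:10:01 (wkst-partner07) via eth0
May 27 12:40:18 dhcp1 dhcpd: DHCPACK on 10.20.4.88 to b8:27:eb:12:34:56 (raspberrypi) via eth0
May 27 22:07:45 dhcp1 dhcpd: DHCPACK on 10.20.4.90 to 00:1b:63:de:ad:01 via eth0
"""
# Hardware whitelist of managed workstation MACs (assumed, constructed values).
ALLOWLIST = {"3c:52:82:aa:10:01"}
# OUI prefixes registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time, assumed

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via"
)

def parse_lease(line):
    """Return a dict for one DHCPACK line (with the lease hour), or None if it does not match."""
    m = LEASE_RE.match(line)
    if not m:
        return None
    lease = m.groupdict()
    lease["hour"] = int(lease["ts"].split()[-1].split(":")[0])
    return lease

def score_lease(lease, allowlist=ALLOWLIST):
    """Return (score, reasons); 0 means a known device, higher means more suspicious."""
    if lease["mac"] in allowlist:
        return 0, []
    reasons = ["mac not in hardware whitelist"]
    if lease["hour"] not in BUSINESS_HOURS:
        reasons.append("lease issued outside business hours")
    if lease["mac"][:8] in RPI_OUIS:  # weak signal only: a MAC address is not a trustworthy identity
        reasons.append("vendor prefix is Raspberry Pi")
    return len(reasons), reasons

def find_rogue_devices(log_text, allowlist=ALLOWLIST):
    """Return (mac, ip, score, reasons) for every unknown device seen in the log."""
    alerts = []
    for line in log_text.splitlines():
        lease = parse_lease(line)
        if lease is None:
            continue
        score, reasons = score_lease(lease, allowlist)
        if score:
            alerts.append((lease["mac"], lease["ip"], score, reasons))
    return alerts
```

In production the allowlist would be fed from the asset inventory and the alerts forwarded to the SIEM; switch MAC-learning or NAC logs can be parsed the same way.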

Monitoring and Detection Strategies

To align with the MITRE ATT&CK framework, defenders should focus on the “Initial Access” and “Exfiltration” stages. The FBI advisory on SRG extortion attacks highlights the need for rigorous monitoring of outgoing traffic to known file-sharing services or unusual IP ranges. Because the group often uses legitimate remote desktop tools once it has established a foothold, security teams must monitor for the unauthorized installation of software such as AnyDesk or TeamViewer.

In summary, the transition to physical data theft represents a calculated effort by SRG to stay ahead of automated security tools. Effective Silent Ransom Group mitigation steps for law firms must integrate physical perimeter defense with granular internal network monitoring to identify and neutralize the threat before data reaches external actors.
