Hackers are turning up to victim's work dressed as IT support to install malware in-person, FBI warns
Someone has been watching too many Blacklist episodes
- FBI warned about Silent Ransom Group (SRG), a threat actor impersonating IT staff to steal files and plant malware directly at victim offices
- SRG, also known as Luna Moth/Chatty Spider/UNC3753, primarily targets US law firms, starting with vishing calls and escalating to in‑person intrusions with external drives
- Active since 2022 and linked to BazarCall, Conti, and Ryuk campaigns, SRG extorts victims via ransom emails, pressure calls, and a leak site naming and shaming non‑payers
The Federal Bureau of Investigation (FBI) is warning about hackers showing up at people’s offices, pretending to be IT support. They sit at people’s desks, pull all sensitive files onto an external drive and leave malware behind, all while pretending to be fixing a technical problem.
In a newly released flash alert, the FBI says this cheeky attack is being carried out by a threat actor calling itself the Silent Ransom Group (SRG). This threat actor, active for roughly four years now, starts its attack with a phone call.
They mostly target US-based law firms and first try to get the victim to install a remote desktop management solution and grant them access. If that attempt fails, they will come, in person, carrying flash drives, external disks, and other equipment needed to execute the attack. Once they steal the files, they’ll quietly escalate privileges and step away, engaging in extortion at a later date.
Chatty Spider
“By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI explained. “SRG actors use the exfiltrated victim data to extort the victim by sending a ransom email threatening to sell or post the data online. SRG actors also call employees or clients of a victim company to pressure the victim to begin ransom negotiations.”
Finally, the crooks have their own data leak website where they name and shame victims in order to pressure them into paying the ransom demand.
SRG is also known as Luna Moth, Chatty Spider, and UNC3753, the FBI further explained. The group was first seen back in 2022, and while it struck organizations in different industries, it is primarily focused on law firms in the US. According to BleepingComputer, this group was previously linked to BazarCall campaigns, as well as Conti and Ryuk ransomware incidents.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.