Even your physical offices are not safe from hackers: experts warn against Silent Ransom Group breaking into businesses to launch a ransomware and extortion campaign.

SRG attacked dozens of U.S. companies by impersonating IT support, including in-person intrusions.
The attackers stole data via on-premises USB exfiltration and then extorted their victims.
Group linked to BazarCall, Conti and Ryuk, with the main objective being law firms

Hackers known as the Silent Ransom Group (SRG) targeted different companies in the United States, compromising “dozens” between January and May 2026, experts have warned.

Cybersecurity researchers at Google Mandiant and Google Threat Intelligence Group (GTIG) echoed the warnings shared by the FBI, emphasizing that the hackers, also known as the Chatty Spider, Luna Moth or UNC3753, primarily targeted professional, legal and financial services companies.

Their tactic is simple: impersonate the IT department, trick victims into granting access to their computers, and then use that access to either deploy information thieves or steal files on the spot.

Enter the offices

In some cases, hackers would call their victims on the phone and pretend to be IT support – like what ShinyHunters used to do last year. However, the SSR took the scam to a whole new level by having its members enter their targets’ offices – in the flesh – and using the computers on site.

“By sending someone in person to the victim’s home to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI said at the time.

Once the data is stolen, the attackers begin ransom negotiations, offering to delete the files in exchange for payment. Victims are usually warned that their data will be publicly disclosed if they refuse to comply, and a dedicated website is also created for this purpose.

SRG was first seen in 2022, and while it has affected organizations across different industries, it is primarily focused on law firms in the United States. Some sources said the group was previously linked to the BazarCall campaigns, as well as the Conti and Ryuk ransomware incidents.