News Analysis

Silent Ransom Group Turns IT Support Into The Breach Path

The FBI and Google warn that Silent Ransom Group is using fake IT support calls, remote access tools, and in-person office visits to steal data from law firms and professional services organizations. The response has to cover help desk identity, visitor controls, RMM policy, and removable media.

By Protocol Report Editorial | Updated June 7, 2026
Short Version

The FBI's May 26, 2026 FLASH alert says Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, is targeting U.S. law firms through social engineering. The group poses as IT support by phone or phishing email, pushes employees toward remote desktop access, and in some cases sends someone to the victim's location to gain physical access and insert a storage device.

Google's June 5 Mandiant reporting adds current private-sector context: UNC3753 activity against U.S. legal, financial, and professional services organizations has continued through the first half of 2026. This is not a normal malware outbreak. The breach path is a trusted workflow: help desk contact, remote support software, cloud file transfer, office visitor access, and employee willingness to cooperate with someone who sounds like internal IT.

Key Takeaways

  • The confirmed FBI warning is about data theft and extortion, usually without file encryption.
  • SRG uses legitimate tools such as remote access software, WinSCP, Rclone, Google Drive, and Microsoft OneDrive, so detection cannot depend on malware alerts alone.
  • The in-person scenario changes response planning because physical visitor verification and USB controls become part of cyber defense.
  • Law firms are the consistent target named by the FBI, but insurance, finance, healthcare, and other professional services organizations are also in scope.
  • The strongest control is a pre-communicated help desk verification process that employees can use under pressure.

What Was Confirmed

The FBI's FLASH-20260526-01 describes SRG as active since at least 2022 and focused on data theft and extortion rather than conventional ransomware encryption. The alert says the group has consistently targeted U.S.-based law firms since spring 2023 and has also victimized companies in insurance, finance, and healthcare. The current scheme centers on impersonating IT support through calls, phishing emails, and sometimes an in-person visitor.

The access path is direct. The actor persuades an employee to grant a remote desktop session, often after presenting the interaction as IT support or a response to a phishing concern. If that attempt fails, the FBI says SRG may send an individual to the office who claims they need to image the device or create a backup file. Once access is obtained, the group moves quickly to data exfiltration, using tools such as WinSCP, renamed Rclone, cloud storage, external drives, or USB drives.

Why The Help Desk Became The Door

Internal IT support is supposed to be trusted. Employees are trained to cooperate when IT calls, screen sharing is normal in many support workflows, and remote management tools often have legitimate business reasons to exist. SRG is exploiting that trust. The technique does not need a zero-day vulnerability if the employee accepts the caller's authority and the workstation allows a new remote support session.

That makes the control problem operational, not only technical. A company can have phishing-resistant MFA and still lose data if a user is talked into installing an unapproved support tool and sharing a live session. A company can have endpoint detection and still miss a short exfiltration window if the tools are common business software and the files are copied to familiar cloud services. The issue is not that help desks are bad. The issue is that unverified help desk contact has become a high-value attack surface.

Physical Access Changes The Playbook

The in-person element is the part that should reset assumptions for professional services firms. Many security programs treat office entry as a facilities issue and remote intrusion as a security operations issue. SRG collapses that divide. A person with a plausible IT story, a visitor badge, and a USB drive can create an incident that looks like routine support until client data has already left the building.

That does not mean every office needs airport-style screening. It does mean visitor controls must be tied to identity and ticketing. If someone claims to be IT, reception and employees should have a simple path to verify the person's name, employer, work order, sponsor, and exact device scope through an internal channel the visitor does not control. Sensitive workstations should not permit arbitrary external storage. Exceptions should be logged, time-bound, and tied to a known maintenance event.

Detection Has To Follow Legitimate Tools

The FBI warns that recent SRG campaigns can leave few artifacts and that traditional antivirus may not flag the activity because the group uses legitimate system management or remote access tools. That is a useful constraint for defenders. Detection should not label every copy of AnyDesk, RustDesk, Splashtop, Atera, Syncro, Zoho Assist, Quick Assist, WinSCP, or Rclone as malicious. It should ask whether that tool is approved on that host, installed by an expected user, launched during a known support ticket, and moving data in a normal direction.

High-signal detections include new remote access tools on legal or finance workstations, Rclone or WinSCP connections from endpoints that do not normally use them, unexpected outbound SSH or SFTP connections to port 22 from workstations that have no business using them, large file reads followed by a cloud upload, and new USB storage events on machines that handle privileged or client-sensitive material. These signals should be correlated with help desk tickets, call records, visitor logs, badge records, and employee reports. A cyber incident here may begin as a phone call and end as a storage-device event.
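As an added illustration, and not code from the FBI alert, Mandiant, or any vendor, the following Python script applies the correlation logic described above to a handful of constructed endpoint events. It checks whether a remote support tool is approved for the host's role and whether it ran inside a help desk ticket window, catches a renamed Rclone through an EDR-style original filename field, flags outbound port 22 from a workstation, pairs a bulk file read with a large cloud upload shortly afterward, and raises USB storage events on hosts in sensitive departments. The host inventory, approved-tool table, ticket records, event field names, and the thresholds are all assumptions for this example; the event format is a simplified stand-in for what an EDR or SIEM would export.

```python
"""Correlate endpoint events with help desk tickets to surface SRG-style
activity that relies on legitimate tools. Added example; all data is constructed."""
from datetime import datetime, timedelta

# Constructed policy data (assumptions for this example, not FBI indicators).
REMOTE_TOOLS = {"anydesk.exe", "rustdesk.exe", "splashtop.exe", "atera.exe",
                "syncro.exe", "zohoassist.exe", "quickassist.exe"}
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
CLOUD_UPLOAD_HOSTS = {"drive.google.com", "onedrive.live.com"}
APPROVED_REMOTE = {"workstation": {"quickassist.exe"},          # allowlist per host role
                   "it-admin": {"quickassist.exe", "atera.exe"}}
SENSITIVE_DEPTS = {"legal", "finance", "executive"}
BULK_READ_FILES = 500                      # files read in one burst
BULK_UPLOAD_BYTES = 100 * 1024 * 1024      # bytes sent to a cloud drive
READ_TO_UPLOAD_WINDOW = timedelta(minutes=15)

# Constructed inventory and ticket records (assumed CMDB / ticketing exports).
HOSTS = {"LAW-WS-017": {"role": "workstation", "dept": "legal"},
         "IT-ADM-02": {"role": "it-admin", "dept": "it"}}
TICKETS = [{"id": "HD-4411", "host": "IT-ADM-02",
            "start": "2026-06-03T09:00", "end": "2026-06-03T10:00"}]


def ts(s):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(s)


def ticket_for(host, when, tickets=TICKETS):
    """Return the id of the ticket covering this host at this time, or None."""
    for t in tickets:
        if t["host"] == host and ts(t["start"]) <= when <= ts(t["end"]):
            return t["id"]
    return None


def _finding(e, ticket, rule, detail):
    return {"ts": e["ts"], "host": e["host"], "user": e["user"],
            "rule": rule, "ticket": ticket, "detail": detail}


def analyze(events, hosts=HOSTS, tickets=TICKETS):
    """Return findings (rule, host, time, ticket) for analysts to correlate
    with call records, visitor logs and badge activity."""
    findings = []
    last_bulk_read = {}  # host -> time of the most recent bulk file-read burst
    for e in sorted(events, key=lambda ev: ev["ts"]):
        when, host = ts(e["ts"]), e["host"]
        meta = hosts.get(host, {"role": "workstation", "dept": "unknown"})
        ticket = ticket_for(host, when, tickets)
        if e["type"] == "process":
            image = e["image"].lower()
            # An EDR-style original filename exposes a renamed rclone binary.
            original = e.get("original_name", image).lower()
            if image in REMOTE_TOOLS:
                if image not in APPROVED_REMOTE.get(meta["role"], set()):
                    findings.append(_finding(e, ticket, "unapproved_remote_tool", image))
                elif ticket is None:
                    findings.append(_finding(e, ticket, "remote_tool_outside_ticket", image))
            if original in TRANSFER_TOOLS and (meta["dept"] in SENSITIVE_DEPTS
                                               or ticket is None):
                detail = image if image == original else f"{image} (original name {original})"
                findings.append(_finding(e, ticket, "transfer_tool_on_host", detail))
        elif e["type"] == "netconn":
            if e["dst_port"] == 22 and meta["role"] == "workstation":
                findings.append(_finding(e, ticket, "outbound_ssh_from_workstation", e["dst"]))
            recent_read = last_bulk_read.get(host)
            if (e["dst"] in CLOUD_UPLOAD_HOSTS and e["bytes_out"] >= BULK_UPLOAD_BYTES
                    and recent_read is not None
                    and when - recent_read <= READ_TO_UPLOAD_WINDOW):
                findings.append(_finding(e, ticket, "bulk_read_then_cloud_upload",
                                         f"{e['bytes_out'] >> 20} MiB to {e['dst']}"))
        elif e["type"] == "file_read" and e["count"] >= BULK_READ_FILES:
            last_bulk_read[host] = when
        elif e["type"] == "usb" and meta["dept"] in SENSITIVE_DEPTS:
            findings.append(_finding(e, ticket, "usb_storage_on_sensitive_host", e["device"]))
    return findings


# Constructed timeline: one expected admin session, then a fake-IT call on a legal workstation.
SAMPLE_EVENTS = [
    {"ts": "2026-06-03T09:15", "host": "IT-ADM-02", "user": "itadmin", "type": "process",
     "image": "atera.exe"},                                   # approved, inside HD-4411
    {"ts": "2026-06-03T14:02", "host": "LAW-WS-017", "user": "paralegal", "type": "process",
     "image": "AnyDesk.exe"},                                 # installed at a caller's request
    {"ts": "2026-06-03T14:11", "host": "LAW-WS-017", "user": "paralegal", "type": "process",
     "image": "svchost32.exe", "original_name": "rclone.exe"},  # renamed Rclone
    {"ts": "2026-06-03T14:12", "host": "LAW-WS-017", "user": "paralegal", "type": "file_read",
     "count": 2300, "path": "\\\\fs01\\matters"},
    {"ts": "2026-06-03T14:20", "host": "LAW-WS-017", "user": "paralegal", "type": "netconn",
     "dst": "drive.google.com", "dst_port": 443, "bytes_out": 900 * 1024 * 1024},
    {"ts": "2026-06-03T14:25", "host": "LAW-WS-017", "user": "paralegal", "type": "netconn",
     "dst": "203.0.113.10", "dst_port": 22, "bytes_out": 50 * 1024 * 1024},
    {"ts": "2026-06-03T16:40", "host": "LAW-WS-017", "user": "paralegal", "type": "usb",
     "device": "USB\\VID_0781&PID_5583"},                     # visitor "imaging the device"
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<11} {f['rule']:<32} ticket={f['ticket']} {f['detail']}")
```

Run directly, it prints five findings for the sample timeline, all on the legal workstation and none tied to a ticket, while the admin's Atera session inside HD-4411 stays silent. The point is the join, not the tool names: in production the host table and ticket list come from the CMDB and the ticketing system, and each finding is still a lead to check against call records and visitor logs rather than a verdict.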

What Operators Should Do Now

The immediate work is to publish and practice an IT support authentication rule. Employees should know how internal IT will contact them, what IT will never ask them to do, how to verify a caller, and what to do if the caller insists the matter is urgent. The process has to be short enough to use under pressure. A policy buried in a handbook will not help when a caller is already directing an employee through a screen-sharing setup.

Next, reduce tool sprawl. Maintain an allowlist of approved RMM and remote support tools, block or alert on unapproved installers, and require administrative approval for new remote access utilities. Disable or restrict removable media on sensitive workstations where practical. Review whether workstation users can install software, map cloud drives, or run portable binaries without review. For firms that regularly handle litigation, M&A, healthcare, insurance, or regulated client data, these controls are not optional hygiene. They are part of client confidentiality.

What Remains Unknown

Public sources do not identify specific current victims, the full success rate of in-person attempts, or whether every physical intrusion attributed in public reporting has the same forensic confidence. Google/Mandiant's current reporting links recent legal-sector targeting to UNC3753 activity, while the FBI alert gives the operational warning and indicators. Those layers should be read together but not blurred into claims beyond the evidence.

The right response is proportional. Organizations do not need to ban every remote support workflow. They do need to make remote support verifiable, auditable, and revocable. They also need an incident path for a workstation that may have been touched by a fake IT visitor: isolate it, preserve logs, collect USB and remote access artifacts, scope accessed files, review cloud uploads, notify counsel, and report useful details to the FBI when legally appropriate.

Checklist

  • Publish a short help desk verification script employees can use before granting remote access.
  • Require all support visits to map to a named ticket, sponsor, visitor record, and device scope.
  • Allow only approved remote support tools and alert on new RMM installers or portable binaries.
  • Restrict USB storage on workstations that hold client, legal, finance, or executive data.
  • Correlate endpoint alerts with ticketing, call records, visitor logs, and badge activity.
  • Hunt for unexpected WinSCP, Rclone, SFTP, OneDrive, Google Drive, and external storage activity.
  • Prepare a data-theft response process even when no ransomware payload or encryption is present.
