Even your physical offices aren’t safe from hackers – experts warn that Silent Ransom Group is breaking into businesses to launch ransomware and extortion campaigns

SRG hit dozens of US firms using IT support impersonation, including personal intrusion
Attackers stole data via on-site USB exfiltration and then blackmailed victims
Group linked to BazarCall, Conti and Ryuk, with law firms a primary focus

Hackers known as the Silent Ransom Group (SRG) have targeted various companies in the US, compromising “dozens” between January and May 2026, experts have warned.

Cybersecurity researchers at Google Mandiant and the Google Threat Intelligence Group (GTIG) have echoed warnings shared by the FBI, noting how the hackers, also known as Chatty Spider, Luna Moth or UNC3753, primarily targeted professional, legal and financial services companies.

Their tactics are simple – impersonate the IT department, trick victims into giving access to their computers, then use that access to either install info stealers or steal files on the spot.

Going into offices

In some cases, the hackers would call their victims on the phone and pretend to be IT support – similar to what ShinyHunters used to do last year. However, SRG took the scam to a whole new level by having its members go into their targets’ offices – in the flesh – and use the computers there.

“By sending a person in person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive that the threat actor has inserted into the victim’s computer,” the FBI said at the time.

Once they steal the data, the attackers begin ransom negotiations and offer to delete the files in exchange for payment. Victims are usually warned that the data will be leaked publicly if they refuse to comply, and a dedicated website has also been created for that purpose.

SRG was first spotted back in 2022, and while it hit organizations in various industries, it is primarily focused on law firms in the United States. Some sources said the group was previously linked to BazarCall campaigns, as well as the Conti and Ryuk ransomware incidents.