Silent Ransom Group Targets 100+ Law Firms Using Fake IT Calls

Silent Ransom Group hit 100+ U.S. law firms in 2026 with fake IT calls and in-person USB theft, no malware needed. Mandiant and FBI trace the campaign to Conti’s collapse.

The Silent Ransom Group (SRG) has struck more than 100 U.S. law firms since early 2023, and its pace accelerated sharply through the first five months of 2026, according to incident data published this week by Mandiant, Google’s threat intelligence unit, paired with a May 26 FBI FLASH advisory that raised the group to its highest urgency classification. SRG deploys no ransomware. The compromised workstation keeps running normally; nothing flags the breach until a ransom email arrives. In many of Mandiant’s investigated incidents, the entire sequence from first phone call to extortion demand closed in a single day.

The campaign traces directly to the March 2022 collapse of the Conti ransomware syndicate, which left behind a callback-phishing unit experienced at convincing corporate employees to hand over remote access. SRG inherited that technique, dropped encryption, and built an extortion model around the sector with the most to lose from public data exposure.

How a Fake IT Call Becomes a Data Breach

The campaign opens with an invoice or billing-themed phishing email, sent from a consumer email account and carrying no malicious links or attachments. Its purpose is purely preparatory: manufacture a plausible reason for a follow-up call.

From there, Mandiant documented a consistent attack sequence across dozens of incidents from January to May 2026:

  1. Invoice phishing email arrives clean from a consumer account, directing the recipient to call a provided number to dispute or cancel a charge.
  2. The call connects to an attacker posing as the firm’s own IT help desk, citing a pending data migration, a security scan, or follow-up from the phishing email itself as justification.
  3. The target is invited to join a remote session via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services (Remote Desktop Services), presented as standard troubleshooting.
  4. During the session, the attacker directs installation of legitimate remote monitoring and management (RMM) tools including AnyDesk, Zoho Assist, Bomgar, or SuperOps, establishing persistent access. Because these are signed, commercially supported products, their installation rarely triggers a security alert on its own.
  5. Inside the environment, operators search for contracts, tax records, Social Security numbers, merger and acquisition files, and materials stored on cloud repositories and document management platforms.
  6. Data exits the network via WinSCP (Windows Secure Copy) or Rclone, a command-line cloud-sync utility; the group often renames or hides the Rclone binary so that process-name-based detection misses it.

To reduce forensic traces, operators use privnote[.]com, a self-destructing messaging service, to send installation commands during remote sessions so the links don’t linger in browser histories or corporate chat logs. Mandiant also documented phishing domains built on patterns like [organization]-itdesk[.]com and [organization]-helpdesk[.]com, designed to mimic internal support addresses that employees wouldn’t question.

In one confirmed intrusion, a single target took five separate Teams calls over three days as the attacker incrementally expanded remote access. In more than one investigated case, attackers established Zoom sessions on employees’ personal laptops, then used those machines to reach corporate virtual desktop infrastructure via Windows 365 or Citrix clients.

Why Law Firms Are the Primary Target

SRG has focused on U.S. law firms since at least spring 2023. In its June 2026 threat intelligence report on the UNC3753 campaign, Mandiant cited law firms’ “concentrated repositories of extremely sensitive client transaction files” as the primary attraction, noting that their heavy reputational and regulatory exposure motivates quiet resolution over public disclosure. Law firms also store attorney-client privileged communications, M&A documentation, and intellectual property records, giving SRG leverage that is difficult to quantify and hard to neutralize by paying.

The consequences for firms that declined to pay are now on the public record. In January 2026, Orrick, Herrington & Sutcliffe, an international firm with more than $1.5 billion in annual revenue, had its data posted publicly after declining SRG’s demand. Jones Day and Wood Smith Henning & Berman each faced similar exposure in the first quarter. Wood Smith countered SRG’s $1.8 million demand with an offer of $15,000; the group posted the files. As recently as May 6, SRG claimed a breach at Ropers Majeski, a California litigation firm.

Halcyon, a cybersecurity firm, tracked 134 incidents against law firms in Q1 2026 alone, placing legal as the fourth-most targeted industry at more than 6% of all tracked ransomware-related incidents that quarter. SRG and the INC ransomware-as-a-service operation were identified as the primary drivers of that increase.

“The theft of data in and of itself is the biggest issue for the law firms,” said Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center. “They’re tailoring a lot of their operations around what they know about the sector.”

Out of Conti’s Collapse, a Leaner Model

SRG’s direct ancestor is UNC2686, a Mandiant-tracked threat cluster that ran BazarCall-style callback phishing campaigns from early 2021, supplying initial network access to Conti and Ryuk ransomware operators. When Conti disbanded in March 2022, the people behind UNC2686 didn’t retire. They reorganized as Silent Ransom Group, briefly deployed LockBit.Black ransomware that year, and abandoned encryption-based attacks entirely in favor of data-theft extortion.

The group’s earliest lure was a subscription billing email, instructing recipients to call a number to cancel a pending charge. Those calls walked employees into downloading remote access software, laying the operational foundation that the current IT-impersonation approach refined.

                  Conti-Era Model (UNC2686)                  Silent Ransom Group (UNC3753)
Payload           File-encrypting ransomware                 None
Malware tools     BazarLoader, TRICKBOT, SILENTNIGHT         No malware; legitimate RMM tools only
Victim alert      Immediate (locked files, ransom screen)    None until extortion email arrives
Extortion lever   Decryption key withheld                    Threat of public data exposure
AV detection      Likely (malware signatures present)        Unlikely (legitimate tools only)

The group scaled callback phishing against a broad target set in 2022. Through 2023 and 2024, it industrialized around legitimate RMM tooling and rapid exfiltration, concentrating increasingly on law firms. In 2025, operators shifted toward direct vishing with IT impersonation and lookalike helpdesk domains. The spring 2026 escalation to physical access followed when remote social engineering started meeting organized employee resistance.

The FBI has made no arrests, noting SRG’s operators are believed to be Russia-based. To carry out English-language vishing calls and in-person visits, researchers told CyberScoop, the group likely employs local gig workers or subcontractors who may not fully understand they’re facilitating a crime.

When the Phone Fails, Knock on the Door

The in-person tactic prompted the FBI to issue FLASH-20260526-01 on May 26, its second formal warning about SRG in twelve months and its first at FLASH severity, a classification reserved for active threats requiring immediate action from organizations in the affected sector.

If the remote-access attempt fails, SRG sends a threat actor to the victim's location to insert a storage device into the victim's computer.

The FBI described the operative’s cover story: they tell the victim they need to image the device or create a backup file to address potential impacts from the earlier phishing email. Once on-site, the operative connects a USB drive or external hard drive to a workstation, exfiltrates data, and leaves. The FBI noted SRG escalates privileges minimally; the goal is speed, not depth.

Ian Gray, vice president of cyber threat intelligence operations at Flashpoint, a threat intelligence company, called the tactic “extraordinary,” noting that while some extortion groups have threatened employees with physical harm, “we have not observed them physically sending attackers to victim locations.” With SRG’s core operators Russia-based, researchers told CyberScoop the in-person operatives are likely local freelancers recruited through online channels.

Extortion demands arrive fast. Mandiant documented ransom emails appearing within 30 minutes of attackers leaving the victim environment. The three-day deadline SRG sets in its letters gives firms almost no time to assess their exposure before the group threatens to call client contacts directly to announce the breach.

The Botnet Keeping SRG’s Leak Site Online

In a companion report published days after the FBI FLASH alert, Resecurity, a cybersecurity firm, documented the fast-flux botnet infrastructure SRG uses to protect its data leak site from takedowns. The technique continuously rotates the IP addresses behind a domain through a pool of compromised residential devices, primarily home routers and connected hardware across multiple regions. Standard IP-based blocking loses effectiveness against thousands of rotating residential addresses, so blocking and takedown attempts become expensive and slow.
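To make the fast-flux point concrete, here is an added example (not Resecurity's, the FBI's, or the article's own code) that scores a domain from passive-DNS style resolution snapshots: how many distinct answers it has returned over time, its TTL, and how much consecutive answer sets overlap. It then measures how little of the later traffic a blocklist built from one snapshot would cover. The domain names use the reserved .example TLD, the addresses are from RFC 5737 documentation ranges, and the thresholds are assumptions; none of it is the group's real infrastructure.

```python
from collections import defaultdict
from statistics import mean

# Constructed passive-DNS style snapshots: (seconds since start, qname, ttl, answers).
FLUX = "leak-site.example"      # placeholder for a fast-fluxed leak site
STABLE = "www.lawfirm.example"  # placeholder for an ordinary corporate host
CDN = "cdn.example"             # placeholder for a load-balanced front end
OBSERVATIONS = [
    (0,    FLUX, 60, ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.40"]),
    (600,  FLUX, 60, ["198.51.100.20", "203.0.113.55", "192.0.2.66", "198.51.100.77"]),
    (1200, FLUX, 60, ["203.0.113.88", "192.0.2.99", "198.51.100.111", "203.0.113.122"]),
    (1800, FLUX, 60, ["192.0.2.133", "203.0.113.122", "198.51.100.144", "192.0.2.155"]),
    (2400, FLUX, 60, ["198.51.100.166", "203.0.113.177", "192.0.2.188", "198.51.100.199"]),
] + [(t, STABLE, 3600, ["192.0.2.200", "192.0.2.201"]) for t in range(0, 3000, 600)] + [
    # Low TTL but a small fixed pool: what a legitimate load balancer looks like.
    (0,    CDN, 60, ["203.0.113.1", "203.0.113.2"]),
    (600,  CDN, 60, ["203.0.113.2", "203.0.113.3"]),
    (1200, CDN, 60, ["203.0.113.3", "203.0.113.1"]),
    (1800, CDN, 60, ["203.0.113.1", "203.0.113.2"]),
    (2400, CDN, 60, ["203.0.113.2", "203.0.113.3"]),
]


def summarize(observations):
    """Per-domain churn statistics from time-ordered resolution snapshots."""
    per_domain = defaultdict(list)
    for t, name, ttl, answers in observations:
        per_domain[name].append((t, ttl, frozenset(answers)))
    stats = {}
    for name, snaps in per_domain.items():
        snaps.sort(key=lambda s: s[0])
        sets = [s[2] for s in snaps]
        # Jaccard overlap of consecutive answer sets: ~1.0 for a stable host,
        # near 0 when the pool is rotated between lookups.
        overlaps = [len(a & b) / len(a | b) for a, b in zip(sets, sets[1:])]
        stats[name] = {
            "snapshots": len(snaps),
            "unique_ips": len(frozenset().union(*sets)),
            "mean_ttl": mean(s[1] for s in snaps),
            "mean_consecutive_overlap": mean(overlaps) if overlaps else 1.0,
        }
    return stats


def is_fast_flux(s, min_unique=12, max_ttl=300, max_overlap=0.25):
    """Thresholds are assumptions; a production rule would also add ASN/prefix diversity."""
    return (s["unique_ips"] >= min_unique
            and s["mean_ttl"] <= max_ttl
            and s["mean_consecutive_overlap"] <= max_overlap)


def blocklist_coverage(observations, name):
    """Fraction of answers in later snapshots already covered by blocking the first snapshot."""
    snaps = sorted(((t, a) for t, n, _, a in observations if n == name), key=lambda x: x[0])
    blocked = set(snaps[0][1])
    later = [ip for _, a in snaps[1:] for ip in a]
    return sum(ip in blocked for ip in later) / len(later) if later else 1.0


if __name__ == "__main__":
    for name, s in summarize(OBSERVATIONS).items():
        verdict = "FAST-FLUX" if is_fast_flux(s) else "normal"
        print(f"{name:22} {verdict:9} unique={s['unique_ips']:2} ttl={s['mean_ttl']:.0f} "
              f"overlap={s['mean_consecutive_overlap']:.2f} "
              f"blocklist_coverage={blocklist_coverage(OBSERVATIONS, name):.2f}")
```

The CDN entry is there on purpose: a low TTL alone is not evidence of flux, which is why the rule also requires a large, non-overlapping answer pool. The coverage number is the practical takeaway for a defender: the addresses you blocked from the first lookup of the fluxed domain cover almost none of what it resolves to ten minutes later, whereas the same blocklist covers the stable host completely.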

Unlike most ransomware operators who host leak sites on the Tor network, SRG runs its site on the public internet. Resecurity’s analysis noted the clearnet choice lowers the barrier for victims and journalists to access posted data, amplifying reputational pressure. All domain names associated with the infrastructure remained fully operational as of June 5, 2026. The firm also linked the network to a separate underground project called Spy Corporate, which emerged in May 2026 and shares IP addresses with the original SRG infrastructure.

The site lists each published victim with their revenue and the download count for their stolen data, framing the exfiltrated files as browsable corporate intelligence for competitors and adversaries. New entries were added as recently as the first week of June 2026.

  • 100+ law firm and professional services attacks claimed since early 2023
  • $1 million to $8 million typical extortion demand, scaled to firm revenue
  • ~100 victim organizations listed on business-data-leaks[.]com as of early June 2026
  • 20+ countries hosting fast-flux botnet nodes across Latin America, Eastern Europe, Central Asia, and East Asia

Stopping Attacks That Look Like Your Own IT Team

Traditional antivirus products are unlikely to flag an SRG intrusion because the group uses legitimate system management and remote access tools throughout. No unusual executables. No malware signatures. The FBI confirmed the same in FLASH-20260526-01: the tools SRG installs are indistinguishable from what a real IT team would deploy.

Mandiant and the FBI recommend building defenses across both digital and physical layers, recognizing that SRG’s playbook exploits gaps in both:

  • Establish and communicate a formal procedure for how IT contacts employees; unsolicited calls that don’t follow that procedure should be treated as suspicious by default.
  • Require independent callback verification through a known internal number before granting any remote desktop session to an unscheduled caller.
  • Audit and restrict which RMM tools are permitted on corporate endpoints, and flag unauthorized installations of AnyDesk, Zoho Assist, Bomgar, or SuperOps. Match on file hashes or the executable's embedded original filename rather than its on-disk name, since the group renames tools such as Rclone.
  • Enforce multifactor authentication (MFA) across all employee accounts, particularly those with access to document management systems and cloud repositories.
  • Block or restrict USB storage device access on workstations, requiring IT authorization before external media can be connected.
  • Apply physical security verification at reception: require identification from anyone claiming to be an IT support visitor, and cross-check against the firm’s own schedule.
  • Monitor outbound WinSCP and Rclone connections to external IP addresses as an indicator of possible exfiltration in progress; alert on the behavior (a bulk transfer to an external SFTP or cloud-storage endpoint) rather than on the process name alone.
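The attack sequence described earlier and the recommendations above reduce to a handful of checks on endpoint telemetry. The Python below is an added example, not code from Mandiant, the FBI, or the original article. It assumes a hypothetical firm named acmelaw, a one-product approved RMM list, simplified Sysmon-like events, and illustrative OriginalFileName values for each tool; all of those are constructed for the example. It flags unapproved RMM launches, transfer tools whose on-disk name no longer matches the compiled-in name (the renamed Rclone case), lookalike domains of the [organization]-itdesk / [organization]-helpdesk form, and WinSCP or Rclone connections to external addresses.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumption for this example: the firm licenses exactly one RMM product.
APPROVED_RMM = {"zoho assist"}

# Tool families named in the reporting, keyed by the executable's compiled-in
# OriginalFileName (Sysmon Event ID 1 records it from the PE version resource).
# Matching on this field, not the on-disk name, catches a renamed rclone.exe.
# The exact strings are assumptions; verify them against real binaries first.
TOOL_BY_ORIGINAL_NAME = {
    "anydesk.exe": "anydesk",
    "zohoassist.exe": "zoho assist",
    "bomgar-scc.exe": "bomgar",
    "superops.exe": "superops",
    "rclone.exe": "rclone",
    "winscp.exe": "winscp",
}
TRANSFER_TOOLS = {"rclone", "winscp"}

# Assumption: internal space is RFC 1918 plus loopback and link-local; anything
# else counts as external (including the RFC 5737 documentation address below).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

ORG = "acmelaw"  # hypothetical firm; its lookalike domains would be acmelaw-itdesk.<tld>

# Constructed telemetry in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-LEGAL-07", "parent": "msteams.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "original_file_name": "AnyDesk.exe"},
    {"type": "process", "host": "WS-LEGAL-07", "parent": "cmd.exe",
     "image": r"C:\ProgramData\svchost32.exe", "original_file_name": "rclone.exe"},
    {"type": "process", "host": "WS-IT-01", "parent": "explorer.exe",
     "image": r"C:\Program Files\Zoho\ZohoAssist.exe", "original_file_name": "ZohoAssist.exe"},
    {"type": "dns", "host": "WS-LEGAL-07", "query": "acmelaw-helpdesk.com"},
    {"type": "dns", "host": "WS-LEGAL-07", "query": "helpdesk.acmelaw.com"},
    {"type": "network", "host": "WS-LEGAL-07", "dest_ip": "203.0.113.45", "dest_port": 22,
     "image": r"C:\Program Files\WinSCP\WinSCP.exe", "original_file_name": "winscp.exe"},
    {"type": "network", "host": "WS-LEGAL-07", "dest_ip": "203.0.113.45", "dest_port": 443,
     "image": r"C:\ProgramData\svchost32.exe", "original_file_name": "rclone.exe"},
    {"type": "network", "host": "WS-LEGAL-07", "dest_ip": "10.20.0.5", "dest_port": 445,
     "image": r"C:\Windows\explorer.exe", "original_file_name": "EXPLORER.EXE"},
]


def tool_family(event):
    """Identify a known tool by OriginalFileName first, then by on-disk filename."""
    for key in (event.get("original_file_name", ""), PureWindowsPath(event.get("image", "")).name):
        fam = TOOL_BY_ORIGINAL_NAME.get(key.lower())
        if fam:
            return fam
    return None


def is_renamed(event):
    """True when the on-disk filename differs from the compiled-in name."""
    orig = event.get("original_file_name", "")
    disk = PureWindowsPath(event.get("image", "")).name
    return bool(orig) and orig.lower() != disk.lower()


def is_lookalike_helpdesk(domain, org):
    """Match <org>-itdesk.<tld> and <org>-helpdesk.<tld>, the documented registration pattern."""
    return re.fullmatch(rf"{re.escape(org)}-(?:itdesk|helpdesk)\.[a-z]{{2,}}", domain.lower()) is not None


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events, org=ORG):
    """Return (severity, host, description) findings for the SRG playbook steps."""
    findings = []
    for ev in events:
        host, fam = ev.get("host", "?"), tool_family(ev)
        renamed = f" (renamed binary {PureWindowsPath(ev['image']).name})" if is_renamed(ev) else ""
        if ev["type"] == "process" and fam in TRANSFER_TOOLS:
            findings.append(("high", host, f"{fam} executed{renamed}"))
        elif ev["type"] == "process" and fam and fam not in APPROVED_RMM:
            findings.append(("high", host, f"unapproved RMM {fam} launched from {ev.get('parent', '?')}"))
        elif ev["type"] == "dns" and is_lookalike_helpdesk(ev["query"], org):
            findings.append(("medium", host, f"lookalike helpdesk domain {ev['query']}"))
        elif ev["type"] == "network" and fam in TRANSFER_TOOLS and is_external(ev["dest_ip"]):
            findings.append(("critical", host, f"{fam} to external {ev['dest_ip']}:{ev['dest_port']}{renamed}"))
    return findings


if __name__ == "__main__":
    for severity, host, desc in detect(SAMPLE_EVENTS):
        print(f"[{severity:8}] {host}: {desc}")
```

Two design points carry over to a real deployment. The RMM check is an allowlist, not a blocklist: anything in the known-tool set that the firm has not approved is a finding, so a new product the group adopts still trips the rule once it is added to the lookup table. The DNS check fires on acmelaw-helpdesk.com but not on helpdesk.acmelaw.com, because the first is a separately registered domain that mimics the firm and the second is a subdomain the firm controls.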

A joint advisory from CISA and security agencies in Australia, Canada, New Zealand, and the UK designated fast-flux DNS as a national security concern and called on ISPs and DNS providers to implement detection and blocking measures at the network level.

SRG has told researchers that most of the firms it attacks do pay quietly; the more than 38 whose data landed on its clearnet leak site are the ones that refused.
