Ransomware | SILENT-RANSOM-GROU | 2026-05-28

US Law Firms: Silent Ransom Group Physical Intrusion Campaign

The FBI issued a FLASH alert on May 26, 2026 confirming that the Russia-linked Silent Ransom Group (SRG) has escalated its long-running campaign against U.S. law firms by physically dispatching operatives into firm offices under the guise of IT support. More than 38 victim firms have already had data published on SRG's leak site, with researchers tracking over 100 total intrusions and a sharp activity surge in early 2026.

What Happened

SRG, active against the legal sector since 2023, has shifted from purely remote social engineering to hybrid operations that include on-site impersonation. According to the FBI's second SRG warning in 12 months and its first FLASH-level advisory on the actor, when phone or email pretexts fail to secure remote desktop access, the group dispatches a human operative to the victim's premises to plug storage media directly into employee workstations. The tactic is described as a Spring 2026 development and is active now.

Confirmed 2026 victims posted to the leak site include Orrick, Herrington & Sutcliffe (a global firm with 25+ offices and $1.5B+ annual revenue), Jones Day, Wood Smith Henning & Berman, and most recently Ropers Majeski, claimed on May 6, 2026. Orrick's data was published after the firm refused to pay.

What Was Taken

The FBI alert and public leak site disclosures indicate SRG exfiltrates bulk client files, matter documents, and internal firm data using legitimate file-transfer utilities. Targeted material in law firm environments typically includes privileged attorney-client communications, litigation work product, M&A and transactional records, regulatory and compliance files, and personally identifiable information tied to clients and employees. Volume is not disclosed firm-by-firm, but the sensitivity is uniformly high: legal data carries direct extortion leverage, regulatory exposure, and downstream third-party risk for the firms' corporate clients.

Why It Matters

Law firms sit on concentrated, high-value adversarial leverage: deal flow, litigation strategy, executive correspondence, and regulated personal data belonging to thousands of downstream clients. SRG's pivot to physical intrusion collapses a defensive layer most firms have invested in heavily over the past five years: perimeter and identity controls assume the attacker is remote. A human standing at a paralegal's desk with a USB drive bypasses MFA, conditional access, EDR network telemetry on lateral movement, and most phishing-resistant authentication. For a sector where one stolen matter file can rupture client trust and trigger bar complaints, this raises the floor on what "reasonable security" means.

The FBI's choice to elevate this actor to FLASH severity also signals that federal investigators expect the campaign to broaden beyond Am Law 100 firms to mid-market and regional practices that lack 24/7 SOC coverage or hardened visitor controls.

The Attack Technique

The intrusion chain begins remotely. SRG operatives initiate contact by phone or phishing email impersonating the firm's internal IT department, often referencing a recent security alert or scheduled maintenance window. The victim is pressured to open a remote desktop session so the "technician" can "image the device or create a backup file."

When the remote gambit fails, whether because an employee hangs up, escalates internally, or refuses the session, SRG does not abandon the target. As the FBI states directly: "If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer." The operative arrives in person, again claims to be IT support, and connects a USB drive or external hard drive to an unlocked workstation.

Exfiltration is performed with WinSCP and a renamed or disguised build of Rclone, both legitimate utilities that routinely evade antivirus signature detection. Privilege escalation is kept minimal. The objective is speed of theft rather than persistence, lateral movement, or encryption deployment, consistent with SRG's data-extortion-only model.

What Organizations Should Do

  1. Establish a strict IT verification protocol. Require every employee to validate inbound IT contact through a known internal channel (callback to a published help desk number, Teams/Slack DM from a verified IT identity) before initiating any remote session or accepting on-site assistance.
  2. Lock down physical access. Enforce visitor escort, badge-only entry to office floors, and a written check-in process for any third-party technician. Train reception and floor staff to refuse access to "IT contractors" who lack a confirmed internal ticket.
  3. Disable or restrict USB mass storage. Apply device control policies via EDR or group policy to block unauthorized removable media on attorney and staff endpoints; alert on any new USB storage enumeration.
  4. Hunt for SRG tooling. Generate detections for WinSCP and Rclone execution, including renamed binaries (hash-based and behavior-based detection of large outbound transfers to cloud storage endpoints).
  5. Monitor egress. Baseline normal outbound data volume per endpoint and alert on sudden large transfers to external SFTP, WebDAV, or cloud storage providers, especially outside business hours.
  6. Tabletop the physical scenario. Run a red-team or tabletop exercise that includes an in-person social engineer attempting to reach a workstation, and validate that reception, IT, and security operations escalate rather than accommodate.
  7. Lock screens and enforce short idle timeouts. A locked workstation defeats the USB-insertion endgame even if the operative reaches the desk.
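Item 5 above describes a per-endpoint egress baseline without saying how to build one. The following is an added example (not from the brief or the FBI alert) that implements it: it sums outbound bytes per host per clock hour to external file-transfer and cloud ports, derives a robust median/MAD baseline per host from history, and flags host-hours that are outliers, with a lower threshold outside business hours and an alert on any meaningful volume from a host that has no history at all. The flow records, host names, and the 203.0.113.x addresses (an IANA documentation range standing in for a cloud or SFTP provider) are constructed; the business-hours window, ports, and thresholds are assumptions to tune per firm.

```python
"""Per-endpoint egress baseline with off-hours sensitivity.

Added example for this brief. Flow records are constructed; 203.0.113.x stands in for
an external cloud/SFTP provider. Thresholds and business hours are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import statistics

MB = 1024 * 1024


@dataclass(frozen=True)
class Flow:
    host: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    start: datetime          # local time of the flow's first packet


# Ports of the services item 5 names: SFTP, WebDAV and cloud storage over HTTP(S).
EGRESS_PORTS = {22: "sftp", 80: "http/webdav", 443: "https/webdav/cloud"}
BUSINESS_HOURS = range(8, 19)                       # 08:00-18:59 local (assumed)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """Anything outside the firm's RFC 1918/loopback space counts as external."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hourly_egress(flows: list[Flow]) -> dict[tuple[str, datetime], int]:
    """Bytes sent to external file-transfer/cloud ports, summed per host per clock hour."""
    totals: dict[tuple[str, datetime], int] = defaultdict(int)
    for f in flows:
        if f.dst_port in EGRESS_PORTS and is_external(f.dst_ip):
            hour = f.start.replace(minute=0, second=0, microsecond=0)
            totals[(f.host, hour)] += f.bytes_out
    return dict(totals)


def build_baseline(history: list[Flow]) -> dict[str, tuple[float, float]]:
    """Median and MAD of hourly egress per host. Hours with zero egress are not
    represented, so the baseline errs on the high (conservative) side."""
    per_host: dict[str, list[int]] = defaultdict(list)
    for (host, _hour), b in hourly_egress(history).items():
        per_host[host].append(b)
    baseline = {}
    for host, vals in per_host.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) or 1.0   # avoid /0 on flat history
        baseline[host] = (med, mad)
    return baseline


def detect(baseline: dict, recent: list[Flow], k: float = 6.0,
           off_hours_k: float = 3.0, min_bytes: int = 50 * MB) -> list[dict]:
    """Flag host-hours whose egress is a robust-z outlier against the host's baseline.
    Off-hours uses a lower threshold; a host with no history alerts on anything over min_bytes."""
    alerts = []
    for (host, hour), b in sorted(hourly_egress(recent).items()):
        if b < min_bytes:
            continue
        med, mad = baseline.get(host, (0.0, 1.0))
        score = (b - med) / (1.4826 * mad)            # 1.4826 scales MAD to a std-dev estimate
        off_hours = hour.hour not in BUSINESS_HOURS
        if score >= (off_hours_k if off_hours else k):
            alerts.append({"host": host, "hour": hour.isoformat(), "bytes_out": b,
                           "baseline_median": med, "robust_z": round(score, 1),
                           "off_hours": off_hours})
    return alerts


def constructed_history() -> list[Flow]:
    """Five working days of modest cloud-sync traffic (10-18 MB/hour) for one host."""
    flows = []
    for day in range(5):
        for hour in range(9, 18):
            ts = datetime(2026, 5, 18, hour) + timedelta(days=day)
            flows.append(Flow("PARALEGAL-07", "203.0.113.10", 443,
                              (10 + (day * 7 + hour) % 5 * 2) * MB, ts))
    return flows


CONSTRUCTED_RECENT = [
    # 4 GB to an external SFTP endpoint at 22:15: the pattern item 5 is after
    Flow("PARALEGAL-07", "203.0.113.10", 22, 4 * 1024 * MB, datetime(2026, 5, 27, 22, 15)),
    # normal afternoon sync volume, inside the baseline: no alert
    Flow("PARALEGAL-07", "203.0.113.10", 443, 16 * MB, datetime(2026, 5, 27, 14, 10)),
    # large copy to the internal file server: not egress, ignored
    Flow("ATTY-22", "10.0.0.5", 445, 900 * MB, datetime(2026, 5, 27, 23, 5)),
    # host with no history sending 60 MB off hours to an external HTTPS endpoint: alerts
    Flow("ATTY-22", "203.0.113.20", 443, 60 * MB, datetime(2026, 5, 27, 23, 40)),
]


def run() -> list[dict]:
    return detect(build_baseline(constructed_history()), CONSTRUCTED_RECENT)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In production the history window would be drawn from flow logs or EDR network telemetry over a few weeks rather than five constructed days, and `min_bytes` should sit above the firm's largest routine sync so the baseline, not the floor, does the work.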

Sources: Silent Ransom Group Sends Operatives Into Law Firm Offices: 38 Firms Already Leaked