When a stranger walks into your office, identifies themselves as IT support, and plugs a USB drive into a workstation while your employee watches, every firewall you own is irrelevant. That is not a hypothetical. On May 26, 2026, the FBI issued a FLASH alert about the Silent Ransom Group (SRG), a Russia-linked extortion operation that has added physical intrusion to its attack chain. The group has claimed more than 100 attacks, with activity surging in recent months.
Law firms in the United States are the documented primary target. But the attack method is not sector-specific, and there is no geographic boundary that keeps this threat south of the 49th parallel.
How the Attack Chain Works
The attack begins on the phone. SRG contacts employees directly, impersonating internal IT support and pressing them to call a fake help desk number or grant remote desktop access to their workstation. Testing whether your people recognize callback phishing before attackers escalate is the difference between catching this at stage one and reaching stage two.
If the phone call fails, SRG does not move on. It sends an operative in person to the victim’s location, claiming the company needs to image the device or create a backup in response to the earlier phishing attempt. The person inserts a USB drive or external hard drive into the workstation and walks out with the data. The FBI’s alert describes this tactic as having no known parallels across the vast cybercrime ecosystem. Traditional antivirus tools will not flag it: SRG uses legitimate remote access software including AnyDesk, Zoho Assist, and Quick Assist throughout the operation, leaving almost no forensic trace. Halcyon tracked 134 ransomware incidents against law firms and legal services in Q1 2026 alone, making legal services the fourth-most targeted sector across all ransomware activity tracked during the period.
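Because the tools involved are legitimate, detection has to key on where and when they run rather than on signatures. The following is an added example, not taken from the FBI alert or from this article's authors: it flags remote-access tool launches on hosts that are not approved to run them and escalates when USB storage is attached to the same host shortly afterwards. The event schema, host names, path substrings and the 48-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Path substrings to watch. Assumptions: confirm each tool's real binary
# names against your own software inventory before relying on this list.
REMOTE_TOOLS = ("anydesk", "quickassist", "zohoassist")
APPROVED_HOSTS = {"IT-HELPDESK-01"}  # hypothetical hosts allowed to run them
WINDOW = timedelta(hours=48)         # assumed gap between call and visit
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample events in a simplified schema (not a real log format).
EVENTS = [
    {"ts": "2026-06-01T10:14:00", "host": "WS-LEGAL-07", "type": "process_start",
     "detail": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2026-06-02T15:40:00", "host": "WS-LEGAL-07", "type": "usb_storage_attach",
     "detail": "external disk, 2 TB"},
    {"ts": "2026-06-02T09:00:00", "host": "IT-HELPDESK-01", "type": "process_start",
     "detail": r"C:\Tools\quickassist.exe"},
    {"ts": "2026-06-03T11:05:00", "host": "WS-FIN-02", "type": "usb_storage_attach",
     "detail": "flash drive, 32 GB"},
]


def triage(events, window=WINDOW):
    """Return one (severity, host, reason) alert per host, most severe first."""
    last_tool, alerts = {}, {}

    def raise_alert(host, severity, reason):
        # Keep only the most severe finding per host.
        if host not in alerts or RANK[severity] > RANK[alerts[host][0]]:
            alerts[host] = (severity, host, reason)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if host in APPROVED_HOSTS:
            continue
        if ev["type"] == "process_start":
            path = ev["detail"].lower().replace(" ", "")
            if any(tool in path for tool in REMOTE_TOOLS):
                last_tool[host] = ts
                raise_alert(host, "medium", "remote-access tool on unapproved host")
        elif ev["type"] == "usb_storage_attach":
            seen = last_tool.get(host)
            if seen is not None and ts - seen <= window:
                raise_alert(host, "high", "USB storage attached after remote-access tool use")
            else:
                raise_alert(host, "low", "USB storage attached")
    return sorted(alerts.values(), key=lambda a: -RANK[a[0]])
```

On the constructed events, WS-LEGAL-07 is raised to high because the drive appears about 29 hours after the tool launch, while the approved help desk host produces no alert.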
The Training Gap No One Is Closing
In our work with mid-market Canadian enterprises, we consistently see security awareness programs that exist on paper but never reach the front-line employees who actually face the attacks. The gap between policy and practice is where incidents like this one are born.
Standard security awareness training covers phishing emails and weak passwords. Almost none of it addresses what an employee should do when someone calls claiming to be from IT, or when a stranger arrives at their desk with a story about backing up the system. Joe Slowik, director of cybersecurity alerting strategy at Dataminr, framed the problem precisely: “Humans in the workplace need to implicitly trust others to get their jobs done.” Starting with an honest assessment of where your training coverage actually stands is often how organisations discover that the employees most likely to receive this kind of call have never been trained on phone-based social engineering at all.
Concrete Steps for This Week
The FBI’s recommendations from the May 26 alert are direct. Write a formal policy describing how your IT team will identify themselves before requesting access, and make sure every person in your organisation knows it. Enable phishing-resistant MFA on all services. Disable external drive permissions on workstations that handle sensitive or client data. If someone arrives claiming to be IT support, your staff should verify their identity against the internal IT contact list before allowing any interaction with equipment.
The SRG attack chain succeeds because it exploits the moments when being cooperative feels like the right thing to do. A security awareness program that accounts for human risk in its full shape, including the moment someone walks through your door, changes that calculation before anyone has to make the wrong call.
Sources
- FBI FLASH Alert: Silent Ransom Group Impersonating IT Personnel through Social Engineering, May 26, 2026
- CyberScoop: FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person, May 27, 2026
- Help Net Security: Hackers are knocking on office doors pretending to be IT staff, May 27, 2026