Google and the FBI have warned that a ransomware group called the Silent Ransom Group is escalating its attacks on U.S. law firms. In addition to common phishing emails and social engineering, the group has, in some cases, sent people posing as IT support staff to enter victims' offices, directly access computers, and steal data.
The attack escalated from remote deception to in-person contact.
In a recent report, Google's Mandiant and Google Threat Intelligence Group stated that between January and May of this year, the group launched attacks against dozens of victims, using methods including obtaining access through "offline, face-to-face contact."
The FBI also issued an alert last month stating that the group impersonates corporate IT support personnel, guiding employees to cooperate via phone calls and emails. In some cases, the imposters even entered offices, accessed employee devices, and used USB storage devices or remote access tools to transfer data.
The target data includes contracts, taxes, and personal information.
According to disclosures by Google and the FBI, the stolen information included contract documents, personally identifiable information such as Social Security numbers, and financial and tax records. This data was subsequently used for blackmail.
Unlike traditional ransomware, this type of attack does not necessarily encrypt the victim's system. A more common tactic used by this group is to steal data first, then threaten to publicly disclose it and demand payment from the victim.
- Attack period: January to May 2026
- Primary targets: US law firms and other institutions
- Common methods: impersonating IT support, screen sharing, USB theft, remote takeover
Theft is carried out after establishing trust through "security concerns".
Google says attackers typically contact employees under the guise of handling security incidents or assisting with corporate data migration, then lure them into joining screen-sharing sessions. The attackers either persuade victims to download and open screen-sharing software or directly exploit built-in features in applications such as Zoom and Microsoft Teams to gain control.
Google stated that these cases demonstrate that some hackers are combining traditional cyberattacks with real-world physical contact, making it harder for businesses to protect themselves. The risks of such impersonation attacks are particularly pronounced for organizations that rely on external IT support and have weak internal verification processes.