The FBI has warned law firms to beware of in-person intrusions by members of the Silent Ransom Group (SRG).
While the group usually exfiltrates data remotely, typically after social engineering an employee into installing remote access tools, in some instances a member of the group shows up in person at the victim's premises.
“SRG actors use WinSCP (Windows Secure Copy) or a hidden or renamed version of ‘Rclone’ to exfiltrate data. SRG actors also exfiltrate data to internal file-sharing platforms such as Google Drive or Microsoft OneDrive,” the FBI said in a 26 May flash.
“By sending someone in person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer.”
According to the FBI, SRG has targeted a range of sectors, but has been particularly focused on law firms in the US since 2023.
The group’s members commonly pose as tech support personnel within the victim’s organisation, either calling the victim directly or contacting them via email. Once contact is made, the threat actor convinces an employee to set up a remote desktop session.
“If that attempt fails, SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer,” the FBI said.
“In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email.”
Regardless of whether data is exfiltrated remotely or in person, SRG forgoes data encryption in favour of more direct extortion, either threatening the company – and in some cases, individual employees – that its data will be published online, or sold on the dark web, if a ransom isn’t paid.
In some cases, SRG has also been observed calling a victim’s customers or clients to pressure the victim.
Unfortunately, SRG’s tactics tend to leave behind little forensic evidence of an intrusion.
“Traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack,” the FBI said.
“Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, SRG actors.”
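The FBI's point is that the tools are legitimate, so detection has to rest on how they are used rather than on their presence. The script below is an added example written for this article; it is not code from the FBI flash or from Cyber Daily. It runs three hunts over constructed process-creation and USB-arrival records: rclone that runs under a different file name (the "hidden or renamed" case), rclone or WinSCP invoked for a bulk transfer rather than an interactive session, and removable storage appearing on a workstation. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine). The assumption that the rclone binary's PE version resource carries OriginalFileName "rclone.exe" is ours, not the article's, and should be confirmed against a known-good copy before the rule is deployed; hostnames, users, paths and timestamps in the sample data are invented.

```python
"""Hunt for renamed rclone, scripted WinSCP and USB arrivals in endpoint telemetry."""
from datetime import datetime

# Constructed sample telemetry (not real logs). Process records carry the
# fields a Sysmon Event ID 1 record exposes; "usb" records stand in for a
# removable mass-storage arrival event on the same hosts.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2025-05-20T09:02:11", "host": "LAW-WS-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost32.exe",
     "original_file_name": "rclone.exe",            # assumption: rclone's PE metadata
     "command_line": r"svchost32.exe copy C:\Matters gdrive:backup --transfers 8"},
    {"type": "process", "ts": "2025-05-20T09:15:40", "host": "LAW-WS-11", "user": "asmith",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "original_file_name": "WinSCP.exe",
     "command_line": r"WinSCP.exe /script=C:\Users\Public\up.txt /log=C:\Users\Public\w.log"},
    {"type": "process", "ts": "2025-05-20T10:01:05", "host": "LAW-WS-02", "user": "itadmin",
     "image": r"C:\Program Files\rclone\rclone.exe",
     "original_file_name": "rclone.exe",
     "command_line": "rclone.exe version"},          # benign: no transfer verb, not renamed
    {"type": "usb", "ts": "2025-05-20T14:22:30", "host": "LAW-WS-03",
     "device": r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk"},
    {"type": "process", "ts": "2025-05-20T14:23:02", "host": "LAW-WS-03", "user": "mlee",
     "image": r"C:\Windows\explorer.exe", "original_file_name": "EXPLORER.EXE",
     "command_line": "explorer.exe"},                # benign control record
]

# rclone sub-commands that move data; "version", "ls", "config" etc. do not.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


def _basename(path: str) -> str:
    """Lower-cased file name regardless of path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _finding(ev: dict, rule: str, severity: str, detail: str) -> dict:
    return {"host": ev["host"], "ts": ev["ts"], "rule": rule,
            "severity": severity, "detail": detail}


def _rclone_remotes(args: list) -> list:
    """Arguments that look like rclone remotes (name:path), excluding drive letters."""
    return [a for a in args if ":" in a and not a.startswith("-") and a[1:2] != ":"]


def check_process(ev: dict) -> list:
    """Apply the process-creation rules to one record."""
    findings = []
    image = _basename(ev["image"])
    original = ev.get("original_file_name", "").lower()
    args = ev["command_line"].split()[1:]
    if original == "rclone.exe":
        # Name-based allow-listing misses this; the PE original name does not.
        if image != "rclone.exe":
            findings.append(_finding(ev, "rclone.renamed", "high",
                                     f"rclone binary running as {image}"))
        if {a.lower() for a in args} & RCLONE_TRANSFER_VERBS:
            findings.append(_finding(ev, "rclone.transfer", "medium",
                                     "transfer to " + ", ".join(_rclone_remotes(args))))
    if original == "winscp.exe" and any(
            a.lower().startswith(("/script", "/command")) for a in args):
        findings.append(_finding(ev, "winscp.scripted", "medium",
                                 "WinSCP driven non-interactively by script"))
    return findings


def check_usb(ev: dict) -> list:
    """Removable storage on a workstation is not malicious by itself; queue it for review."""
    return [_finding(ev, "usb.mass_storage_arrival", "review", ev["device"])]


def hunt(events: list) -> list:
    """Run every rule over the event stream and return findings in time order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "usb":
            findings.extend(check_usb(ev))
    return sorted(findings, key=lambda f: datetime.fromisoformat(f["ts"]))


def by_rule(findings: list) -> dict:
    """Count findings per rule, handy for a quick triage summary."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<10} {f['severity']:<7} {f['rule']:<26} {f['detail']}")
```

The severities are deliberately conservative, in line with the FBI's caution that these tools should not be called malicious without supporting evidence: a renamed rclone is the only rule rated high, because there is no routine administrative reason to run it under another name, while a scripted WinSCP run or a USB arrival is something to review against change tickets and the user's role before escalating.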
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.