Most cyberattacks happen from thousands of miles away. A hacker in a basement. A phishing email from a foreign server. You expect the threat to come through your network.

But what if the threat walked through your front door?

That’s exactly what the FBI warned about on May 27, 2026. A Russia-linked extortion gang called the Silent Ransom Group (SRG) has escalated its attacks to include sending real people, in person, to plug USB drives into company computers and walk out with your data.

FBI Flash Alert — May 27, 2026

The FBI issued an urgent warning that SRG is now targeting U.S.-based law firms and businesses using a combination of social engineering and in-person intrusion. Over 38 firms have already had data published on SRG’s public leak site, with researchers estimating more than 100 total attacks.

Who Is the Silent Ransom Group?

SRG (also known as Luna Moth) has been active since 2022, originally spun out of the Conti ransomware network after it collapsed. They target law firms, financial companies, insurance organizations, and healthcare businesses across the U.S. What makes them different from traditional ransomware groups: they don’t encrypt your systems. Your computers keep running. Your team keeps working. The attack is completely invisible until a ransom email lands in your inbox threatening to publish everything they took unless you pay.

How the Attack Works (Step by Step)

The FBI’s flash alert lays out a clear attack chain. Here’s how SRG gets in:

  • Step 1 — The call or email: An employee gets a phone call or phishing email that looks like it’s from their own IT department, flagging an urgent issue that needs to be resolved immediately.
  • Step 2 — Remote access: The fake IT rep asks the employee to grant access to a remote desktop session. Once in, they quickly pull data using tools like WinSCP or Rclone — no encryption, no locked screens, no alerts.
  • Step 3 — If that fails, they show up: SRG sends a person, physically, to the victim’s location. That person poses as an IT support technician, gains access to a workstation, and plugs in an external hard drive or USB drive to steal data on the spot.

After exfiltration, victims receive a ransom demand threatening to sell or publicly post the stolen data. Attackers have also been known to call a company’s own employees and clients to add pressure.

Warning Signs to Watch For

The FBI specifically flagged these indicators that an SRG attack may be underway:

  • Unsolicited calls or emails from someone claiming to be IT support, especially if they’re asking for remote access
  • Unidentified or unauthorized individuals at your office claiming to be IT technicians
  • USB drives or external hard drives being connected to company computers without prior approval
  • Unusual data transfers or activity on file-sharing tools like Google Drive or Microsoft OneDrive
  • WinSCP or Rclone activity on machines where those tools were never installed

What Small Businesses Should Do Right Now

This attack works because it exploits trust — in technology and in people. Here’s how to defend against it:

  • Verify IT requests through a known internal number before granting any remote access. A call claiming to be from IT is not proof that it is. Always call back on a number you already have on file.
  • Establish a visitor policy. Anyone who shows up and claims to be a technician should be verified before they touch a single machine. Call the vendor directly using a number you have — not one they hand you at the door.
  • Disable USB ports on workstations where external drives aren’t part of normal operations. Your managed IT provider can configure this centrally.
  • Monitor remote access tools. If WinSCP or Rclone appears on a machine where it wasn’t installed, treat it as an active incident.
  • Make it safe to say no. Employees should feel empowered to question anyone asking for access — even someone who sounds authoritative.
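One way to implement the WinSCP/Rclone check above, as an added example (not from the FBI alert or from Eagle): it scans process-creation events and flags either tool on any host where it is not approved, matching on the embedded original file name as well as the path. The event lines are constructed samples with field names modelled on Sysmon process-creation events, and the `APPROVED_HOSTS` inventory, host names and user names are hypothetical.

```python
import json
from ntpath import basename  # parses Windows paths on any OS

# Tools named in the FBI alert, keyed by lowercase executable name.
WATCHED = {"winscp.exe": "WinSCP", "rclone.exe": "Rclone"}
# Assumption: hypothetical inventory of hosts where each tool is approved.
APPROVED_HOSTS = {"WinSCP": {"IT-ADMIN-01"}, "Rclone": set()}

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_EVENTS = r"""
{"Computer":"IT-ADMIN-01","User":"CORP\\svc_it","Image":"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe","OriginalFileName":"winscp.exe"}
{"Computer":"FRONTDESK-03","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\Downloads\\WinSCP.exe","OriginalFileName":"winscp.exe"}
{"Computer":"PARALEGAL-07","User":"CORP\\asmith","Image":"C:\\ProgramData\\svchelper.exe","OriginalFileName":"rclone.exe"}
{"Computer":"PARALEGAL-07","User":"CORP\\asmith","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE"}
"""

def identify_tool(event):
    """Return the watched tool's name if the path or original file name matches."""
    names = (basename(event.get("Image") or ""), event.get("OriginalFileName") or "")
    for name in names:
        tool = WATCHED.get(name.lower())
        if tool:
            return tool
    return None

def find_unapproved(lines, approved=APPROVED_HOSTS):
    """Return (host, user, tool, image) for each watched tool run on an unapproved host."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        tool = identify_tool(event)
        if tool and event.get("Computer") not in approved.get(tool, set()):
            alerts.append((event.get("Computer"), event.get("User"), tool, event.get("Image")))
    return alerts

if __name__ == "__main__":
    for host, user, tool, image in find_unapproved(SAMPLE_EVENTS):
        print(f"ALERT: {tool} on {host} run by {user}: {image}")
```

On the sample data this raises two alerts, for FRONTDESK-03 and PARALEGAL-07, and stays quiet for the approved IT workstation.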

Straight Talk from Eagle

The SRG playbook is a reminder that cybersecurity is not just a technology problem. It’s a people problem. Your firewall won’t stop someone who’s already standing at a desk. Your antivirus won’t catch a USB drive being plugged in by a person your employee trusted.

At Eagle, we help businesses across New Hampshire and Maine build layered defenses that cover both sides: the technical controls that limit what an attacker can do, and the security awareness training that helps your team recognize when something isn’t right.

If you want a straightforward look at how your business is protected, or you’re not sure whether it is, we’re here.

What Eagle Clients Should Expect From Us

We want our clients to feel confident any time an Eagle technician shows up at your door. Here’s what you can always count on:

  • Our field technicians have ID badges that should be worn and visible on every visit.
  • If you don’t see it, ask to see it. Our website contains photos and first names of all our technicians.