
FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data

Medium
Vulnerability
Published: Wed May 27 2026 (05/27/2026, 08:33:34 UTC)
Source: SecurityWeek

Description

The FBI has issued an alert about the Silent Ransom Group (SRG) targeting law firms primarily in the US by impersonating IT support to gain access to systems. The attackers use social engineering, including phishing and phone calls, to convince employees to grant remote access or, if unsuccessful, send operatives in person to insert USB drives or external devices into victim computers. After gaining access, SRG escalates privileges and exfiltrates data using legitimate tools like WinSCP or Rclone, often avoiding ransomware deployment. The group then extorts victims by threatening to publish or sell stolen data. Traditional antivirus solutions are unlikely to detect these intrusions due to the use of legitimate system tools. The FBI recommends verifying credentials, limiting access, employee training, and disabling remote access and external drive permissions to prevent such attacks.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 05/27/2026, 08:48:40 UTC

Technical Analysis

Silent Ransom Group (SRG) has evolved its tactics to target law firms by impersonating IT support personnel. They initiate attacks through phishing and social engineering to gain remote desktop access. If remote access attempts fail, SRG sends operatives physically to victim locations to insert USB or external drives under the guise of IT maintenance. Once inside, they escalate privileges and exfiltrate sensitive data using legitimate file transfer tools such as WinSCP and Rclone, sometimes copying data to cloud platforms like Google Drive or OneDrive. The group avoids ransomware deployment, focusing instead on data theft and extortion. These attacks leave minimal forensic artifacts and evade traditional antivirus detection. The FBI alert emphasizes the need for strict verification of IT support personnel, access controls, and employee awareness to mitigate these threats.
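Because antivirus does not flag WinSCP or Rclone, one practical check is to alert on those tools running anywhere they have not been approved. The sketch below is an added example, not part of the FBI alert or the original article; the event fields are modelled on Sysmon process-creation records, and the host names, users and allowlist are constructed. It goes slightly beyond the text by also catching a renamed binary through its `OriginalFileName` value.

```python
import json
from pathlib import PureWindowsPath

# Transfer tools named in the alert, keyed by lower-cased binary name.
TRANSFER_TOOLS = {"rclone.exe": "Rclone", "winscp.exe": "WinSCP", "winscp.com": "WinSCP"}
# Hypothetical allowlist: (host, user) pairs where IT has approved these tools.
APPROVED = {("BACKUP01", "svc_backup")}

# Constructed sample process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"BACKUP01","user":"svc_backup","Image":"C:\\Tools\\rclone.exe","OriginalFileName":"rclone.exe","CommandLine":"rclone.exe sync D:\\backups archive:nightly"}
{"host":"LAW-WS-014","user":"jdoe","Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost32.exe","OriginalFileName":"rclone.exe","CommandLine":"svchost32.exe copy C:\\Clients remote:upload"}
{"host":"LAW-WS-022","user":"asmith","Image":"C:\\Users\\asmith\\Downloads\\WinSCP.exe","OriginalFileName":"winscp.exe","CommandLine":"WinSCP.exe"}
{"host":"LAW-WS-022","user":"asmith","Image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","OriginalFileName":"WinWord.exe","CommandLine":"WINWORD.EXE brief.docx"}
"""


def find_unapproved_transfers(lines):
    """Return findings for transfer-tool executions outside the allowlist."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = PureWindowsPath(ev["Image"]).name.lower()
        original = ev.get("OriginalFileName", "").lower()
        # Match on the embedded original name first, then on the file name.
        tool = TRANSFER_TOOLS.get(original) or TRANSFER_TOOLS.get(image)
        if tool is None:
            continue
        # Matched only through OriginalFileName: the file on disk was renamed.
        renamed = image not in TRANSFER_TOOLS
        # An approved host/user is skipped only when the binary is not renamed.
        if not renamed and (ev["host"], ev["user"]) in APPROVED:
            continue
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "tool": tool,
            "renamed": renamed,
            "command_line": ev["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_transfers(SAMPLE_EVENTS):
        print(finding)
```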

Potential Impact

SRG's attacks result in unauthorized access to sensitive data of law firms, leading to data exfiltration without ransomware encryption. The stolen data is used for extortion, threatening to publish or sell confidential information, which can cause reputational damage, financial loss, and legal consequences for victims. The use of legitimate tools and in-person device insertion complicates detection and response efforts. The attacks specifically target law firms, impacting confidentiality and client trust.

Mitigation Recommendations

The FBI recommends verifying the credentials of all individuals requesting access to company assets, especially those claiming to be IT support. Organizations should limit access to sensitive data and implement strict policies for IT support communication and authentication. Employee training to recognize phishing and social engineering attempts is critical. Additional measures include backing up all company data, implementing phishing-resistant multi-factor authentication (MFA), blocking access to commonly exploited ports, and disabling remote access and permissions for external drive installation. These steps help prevent unauthorized access and data exfiltration by SRG. There is no mention of a patch or official fix, so these mitigations focus on procedural and technical controls.


Technical Details

Article Source
{"url":"https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/","fetched":true,"fetchedAt":"2026-05-27T08:48:33.889Z","wordCount":1154}

Threat ID: 6a16afe1e29bf47b50aab020

Added to database: 5/27/2026, 8:48:33 AM

Last enriched: 5/27/2026, 8:48:40 AM

Last updated: 5/27/2026, 8:48:58 AM
