
Illustration by iStock, Security Management

Beware: New Ransomware Scam Uses In-Person IT Tech Impersonators

On 26 May, the U.S. Federal Bureau of Investigation (FBI) issued a flash alert warning about a ransomware group that is supplementing its social engineering schemes with paid, in-person visits. The warning was directed specifically at U.S. law firms, a favorite target of this particular group.

The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, or UNC3753, has been actively trying to exploit networks of U.S. companies since at least 2022, primarily using phishing and social engineering schemes. The in-person element appears to be a more recent development.

Here is how the scheme works. SRG creates a convincing spoofed account that appears to belong to the target law firm’s IT department. Using that account, SRG calls or emails the victim and directs them to call an SRG “technician,” who poses as IT help. The technician then instructs the victim to allow a remote desktop session. If SRG gains that access, it uses the session to escalate the victim’s permissions and steal data, which it then offers back to the firm for ransom or attempts to sell in illicit markets. If the attempt to gain remote access fails, the attackers move on to the next potential victim.

But the group has changed its tactics. Now, on a failed attempt, “SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer. In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email,” the FBI flash alert explained. The fake tech then proceeds to use a thumb drive or external hard drive to steal information off the machine.

The scheme could be especially effective against remote workers, who are used to dealing with IT support remotely and who have no receptionist, badge check, or colleague between a visitor and their machine.

The FBI alert does not describe how SRG is able to place individuals in the role of on-site tech support, but a Cyberscoop article on the alert interviewed experts who speculate that the in-person visits are carried out by freelancers SRG hires for the task.

“...With the group’s operators based in Russia, researchers speculate gig workers or subcontractors are playing a critical role by placing voice-based phishing calls in a common language and visiting victims at their workplace,” Cyberscoop reported.

The workers themselves may be tricked into assisting SRG and unaware they are committing a crime. Or, as one expert, Allan Liska, field chief information security officer at Recorded Future, told Cyberscoop, “They may be suspicious, but you know, they need the money.”

The in-person element to the scheme “is unique and places Silent Ransom Group in a completely different mode of operation than its peers in ransomware and data theft extortion,” Cyberscoop reported. “Some aggressive data theft extortion groups have harassed and threatened executives and employees with physical violence, but in-person visits for data theft are extraordinary.”

That process is labor intensive, which is one reason SRG targets law firms: they may be willing to pay significant ransoms to keep client information private and avoid potentially catastrophic reputational damage.

The FBI alert also noted SRG is known to target healthcare and financial institutions as well, though it does not say if SRG is using the new, in-person method on victims in sectors other than law firms.

Finally, the FBI alert provided the following recommendations:

• Verify the credentials of all individuals accessing company spaces, including obtaining copies of each visitor’s ID card.

• Limit access to sensitive data from less secure networks, such as home or public Internet.

• Develop and communicate policies regarding when and how IT support will communicate and authenticate themselves to employees.

• Conduct staff training on identifying, resisting, and reporting phishing attempts. 

• Maintain regular backups of company data.

• Require phishing-resistant multi-factor authentication (MFA) for as many services as possible.

• If possible, block access to port 22 (SSH), which provides encrypted remote shell access, file transfer (SCP/SFTP), and remote command execution on servers and network devices. Note that this closes SSH specifically; the remote desktop sessions described above are a separate remote-access path, and they are the subject of the final recommendation.

• If possible, disable remote access and the ability to connect external storage devices on company computers that have access to sensitive or confidential data.
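The last recommendation is the one an administrator can act on today, so here is an added example of what it looks like on a single Windows workstation. This script is not from the FBI alert or from this article; it audits, and with the -Enforce switch applies, the registry values that the corresponding Group Policy settings write (deny inbound Remote Desktop and Remote Assistance, deny all removable storage classes, disable the USB mass-storage driver), closes the Remote Desktop firewall rule group, and turns on the audit subcategories that log a plugged-in drive. It assumes Windows 10/11 or Windows Server 2016 or later, Windows PowerShell 5.1 or later, and an elevated prompt; the control labels and the script’s own function names are its own, not Microsoft’s.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not the FBI's or the article's code). Audits, and with -Enforce
  applies, the endpoint controls from the final recommendation on one Windows
  host: no inbound Remote Desktop / Remote Assistance, no removable storage.
  The registry values are the ones the equivalent Group Policy settings write;
  in a domain, put them in a GPO scoped to the sensitive-data computer group
  instead of running this per host.
  Assumptions: Windows 10/11 or Server 2016+, Windows PowerShell 5.1+, elevated.
#>
param(
    # Without -Enforce the script only reports drift; with it, it applies the values.
    [switch]$Enforce
)

# Desired state: registry path, value name, and the value that means "locked down".
$Controls = @(
    @{ Name = 'Remote Desktop inbound connections denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Expected = 1 }
    @{ Name = 'Remote Assistance (solicited help) disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
       Value = 'fAllowToGetHelp'; Expected = 0 }
    @{ Name = 'Policy: all removable storage classes, deny all access'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value = 'Deny_All'; Expected = 1 }
    @{ Name = 'USB mass-storage driver (USBSTOR) disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'; Expected = 4 }   # 3 = manual start (default), 4 = disabled
)

function Get-ControlState {
    param([hashtable]$Control)
    $current = $null
    if (Test-Path -Path $Control.Path) {
        $item = Get-ItemProperty -Path $Control.Path -Name $Control.Value -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($Control.Value) }
    }
    $shown = if ($null -eq $current) { '(not set)' } else { $current }
    [pscustomobject]@{
        Control   = $Control.Name
        Current   = $shown
        Expected  = $Control.Expected
        Compliant = ($current -eq $Control.Expected)
    }
}

function Set-ControlState {
    param([hashtable]$Control)
    if (-not (Test-Path -Path $Control.Path)) {
        New-Item -Path $Control.Path -Force | Out-Null
    }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $Control.Path -Name $Control.Value -PropertyType DWord `
        -Value $Control.Expected -Force | Out-Null
}

# Report current state before touching anything.
$Controls | ForEach-Object { Get-ControlState -Control $_ } | Format-Table -AutoSize

if ($Enforce) {
    foreach ($c in $Controls) {
        if (-not (Get-ControlState -Control $c).Compliant) {
            Write-Host "Applying: $($c.Name)"
            Set-ControlState -Control $c
        }
    }
    # Also close the RDP listener at the host firewall, so registry drift alone does not reopen it.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    # Make a plugged-in drive leave a trail: Security event 6416 (new external device
    # recognized) and 4663 under the Removable Storage subcategory (file access on it).
    auditpol /set /subcategory:"Plug and Play Events" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
    Write-Host "Done. Storage changes apply to newly connected devices; reboot to be certain."
}
```

Run it once with no switch to see the drift table, then with -Enforce. Two caveats a practitioner will want: the removable-storage policy denies CD/DVD and portable-device (phone) access as well as USB disks, which is usually what a sensitive-data workstation wants, while FIDO2 security keys used for the phishing-resistant MFA recommended above are HID devices, not mass storage, and keep working; and the script only disables Windows’ own remote access, so any third-party remote-support agent already installed on the host has to be inventoried and removed separately.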
