Skip to main content

Someone walks into a US law firm’s reception in April 2025. They tell the receptionist they are from the firm’s IT service provider, on-site for a scheduled visit. The receptionist shows them to a workstation. Within minutes an external drive is in the USB port, and confidential client data is being copied off the network. The visitor leaves. Weeks later, the firm receives a $20 million extortion demand.

The Federal Bureau of Investigation confirmed this pattern as an active campaign on 26 May 2026 in FLASH advisory FLASH-20260526-01. It is one of three concurrent stories that have landed on law firms over the past twelve months. The others are the class action filed against Pillsbury Winthrop Shaw Pittman over an April 2025 data breach that exposed names, dates of birth, addresses, Social Security numbers, and financial account information, and the general trend, catalogued by CISA and the American Bar Association, of law firms sitting near the top of the professional services ransomware target list.

The three stories are linked. This piece walks through what is happening, why the legal sector is where it is happening, and what the practical implications are for firms of any size that hold privileged client data.

Key takeaways

  • The Silent Ransom Group (also known as Luna Moth, Chatty Spider, or UNC3753) has been targeting US law firms since spring 2023 and evolved its methodology through three phases: callback phishing (2022), voice phishing (early 2025), and in-person IT impersonation (April 2025 onwards).
  • The FBI confirmed the physical intrusion pattern as active in a 26 May 2026 FLASH advisory. Firms have received extortion demands as high as $20 million.
  • The Pillsbury class action shows the downstream cost. Even a firm with a mature cybersecurity practice and a well-known CISO is now defending itself in court over a breach and a delayed notification.
  • Law firms concentrate high-value privileged data (M&A, litigation strategy, IP, client PII) but historically run softer perimeters than the financial services clients they advise.
  • The cyber programme and the physical security programme have to work together. Silent Ransom’s approach specifically exploits the gap between them.

The three stories

The data breach and the class action. Pillsbury Winthrop Shaw Pittman is a large international law firm with a well-known cybersecurity and privacy practice. In April 2025 its network was compromised. In November 2025 a class action complaint was filed alleging that names, Social Security numbers, dates of birth, addresses, and financial account information had been exposed, and that notification to affected individuals was delayed by months. The complaint is one of several such actions against Am Law 100 firms in recent years. Even before this incident, the American Bar Association’s 2022 Legal Technology Survey found 27% of law firms had experienced a data breach, up from 22% the previous year.

The Silent Ransom Group. SRG is a financially motivated data theft and extortion group operating out of Russia, staffed in part by former Conti and Ryuk operators. It does not encrypt data. It steals data and threatens to publish or sell it, with a public leak site (business-data-leaks[.]com) hosting victim disclosures. It runs a professional English-speaking call centre. The FBI’s May 2026 advisory catalogues its evolution: 2022 to early 2025, callback phishing using fake subscription invoices; March 2025, vishing calls impersonating internal IT staff; April 2025 onwards, in-person operators posing as IT technicians. Halcyon reports one law firm received a $20 million extortion demand from this pattern in May 2026.

The FBI FLASH. On 26 May 2026, FBI FLASH-20260526-01 confirmed SRG’s tactics and mapped them to MITRE ATT&CK: phishing, voice phishing, remote access software, valid accounts, collection, exfiltration over web service, exfiltration to removable media, and financial theft. The advisory names the tools observed in campaigns: Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, Atera, WinSCP, and RClone. All are legitimate administration tools. That is the point.

How the physical intrusion works

The attack sequence follows a consistent pattern.

  1. A phone call or a phishing email arrives, purporting to relate to an IT support issue, a subscription problem, or a data-security concern. Urgency is manufactured.
  2. If the target grants remote access on the phone, the attacker uses that access to exfiltrate data using WinSCP, RClone, or similar. If the target refuses, or if the attacker judges the target unlikely to comply, escalation occurs.
  3. An SRG operator travels to the firm’s office. They present at reception as an IT technician, sometimes referencing an earlier phone conversation, sometimes citing a scheduled visit.
  4. Reception, or an available staff member, shows them to a workstation. The attacker inserts a USB drive and copies data. The stated purpose is usually to “image the device” or “create a backup file” to address the earlier IT concern.
  5. The attacker leaves. Weeks later, a ransom email arrives, threatening to sell or publish the data. Follow-up calls to employees and clients begin.

The physical stage does not require sophistication. It requires a plausible pretext, a visitor management process that does not verify vendor identities against scheduled work orders, and a workforce untrained to question unscheduled IT visits. Most firms have all three.

Why law firms specifically

Legal work concentrates the exact data attackers most want to publish or extort against. M&A transactions carry material non-public information for weeks or months before deal announcement. Litigation files contain the arguments, strategies, and internal weaknesses of every side. IP portfolios describe unpublished patents and trade secrets. Client personal data, including financial account details and dates of birth, is present in almost every practice area.

At the same time, the operating environment favours attackers. Firms typically use outside IT service providers, so unscheduled IT visits from named vendors are common enough that the story does not automatically alarm reception. Partners and senior lawyers often have expansive access to firm-wide document management systems, so a single compromise gives broad reach. Client-service urgency creates a culture that suppresses the pause before pressing enter. And firms depend on their reputations for confidentiality, which gives extortion much sharper teeth.

The result is a target class with high-value data, soft process defences, and asymmetric downside from disclosure. Silent Ransom did not pick law firms by accident.

Where cyber and physical converge

The Silent Ransom pattern is a specific case of a more general problem. Cybersecurity programmes and physical security programmes are almost always run separately. The ISMS sits under IT or the CISO. Physical access, visitor management, and reception operations sit under facilities or office management. The two rarely meet outside the annual audit.

Attackers know this. The FBI FLASH is unusually direct about it: “Verify the credentials of all individuals accessing company spaces, including obtaining copies of each visitor’s ID card.” That is a physical security instruction, but it lives inside a cyber advisory because the two programmes have to be run as one.

Practical steps that close the gap:

  • Visitor identity verification. Not just a name in a book. IT vendors should be verified against a pre-agreed contact list, and unexpected visits should be confirmed by phone with a named contact at the vendor before access is granted. Photo ID copied and retained.
  • A vendor communications policy. Named individuals at your IT provider should be the only channels for support outreach. Any inbound “we’re your IT” call or visit that does not match should be treated as suspect by default and confirmed out-of-band.
  • USB and removable media controls. External storage devices should be blocked on all workstations by default. Exceptions should require documented authorisation. Silent Ransom’s in-person stage assumes a USB port that accepts a strange drive without question.
  • Reception and front-desk training. Not “check the visitor log.” Specifically: if an unscheduled IT visit occurs, verify with named IT contacts before granting workstation access. Small, specific, testable.
  • Remote monitoring and management tool inventory. Zoho Assist, AnyDesk, Splashtop, Atera, Quick Assist, and similar tools are legitimate. They are also SRG’s favoured foothold. Restrict which of these can be installed, and by whom, and log all installations.

What the FBI recommends

The FBI FLASH lists the following controls:

  • Verify visitor credentials, including retaining a copy of ID
  • Limit access to sensitive data from less secure networks (home, public wifi)
  • Develop and communicate policies about how IT support authenticates itself to employees
  • Conduct staff training on identifying, resisting, and reporting phishing
  • Maintain regular backups
  • Require phishing-resistant MFA for as many services as possible
  • Block port 22 where possible (SSH is a common exfiltration channel)
  • Disable remote access and external drive installation on machines with sensitive data

None of these are exotic. The gap the FBI is naming is that they are not consistently applied, particularly at the physical-cyber boundary.

The governance dimensions

For Irish and UK law firms, the same practices land inside several existing regulatory pictures.

GDPR Article 32 requires technical and organisational measures appropriate to the risk. Reception-desk process that lets an unverified visitor image a workstation would not survive Article 32 scrutiny after an incident. The Records of Processing Activities obligation under Article 30 becomes materially harder to meet if the firm cannot say which staff, vendors, and physical locations touch client data.

Solicitors Regulation Authority (UK) and Law Society of Ireland guidance both emphasise confidentiality of client information as a professional obligation. Data theft that exposes client PII or privileged material is a professional standards issue, not only a technology one.

NIS2 does not list legal services as an essential entity, but firms serving essential-entity clients (energy, banking, healthcare) increasingly face contractual security expectations that flow down from that regulation.

Cyber insurance now routinely requires MFA, EDR, and documented incident response. Physical intrusion resulting in cyber compromise is a growing area of underwriter scrutiny. Firms that cannot demonstrate integrated cyber-physical controls may find renewals difficult and premiums rising.

For firms with a mature ISO 27001 programme, the Silent Ransom pattern is a live test of Annex A controls: A.5.19 (supplier relationships), A.6.3 (awareness), A.7 (physical and environmental security), A.8.1 (endpoint controls), A.8.7 (malware), and A.8.20 (network controls). Every one of those touches this attack chain.

Closing

The pattern Silent Ransom has built is not clever. It is the kind of attack that succeeds because the defensive discipline needed to stop it is boring: verify the visitor, block the USB port, restrict the RMM tools, train reception. The reason SRG is escalating this approach across US law firms is that most of them have not done that work yet.

For firms of any size, the instruction is small and the cumulative impact is large. Review your visitor management process against the FBI FLASH recommendations. Confirm which RMM tools are permitted on your estate. Confirm your reception team knows precisely what to do if someone arrives claiming to be from IT. If the answer to any of these is uncertain, address it before the next unscheduled visit.

For Virtual CISO, ISO 27001, or business continuity work aimed at legal-sector clients, get in touch. The most useful conversations we have with managing partners and general counsel are usually about the risks they have not been thinking about yet.

Common questions

Is the Silent Ransom Group active outside the US?
The FBI's May 2026 FLASH advisory catalogues SRG as targeting US-based law firms specifically since spring 2023. Their methodology, however, is not US-specific. Irish and UK law firms have similar attack surfaces (outside IT vendors, reception-mediated access, expansive partner-level system access), and the callback phishing and vishing components of SRG's toolkit have been observed in Europe. The physical intrusion tactic is a natural fit for firms with similar reception and visitor management processes anywhere.
We use two-factor authentication. Doesn't that stop this?
MFA raises the cost of remote credential theft, but SRG's remote and in-person routes both bypass typical MFA because they use social engineering to obtain interactive access from the user directly. The FBI specifically recommends phishing-resistant MFA (FIDO2 hardware keys or platform authenticators), not SMS or app-based push notifications, because push-approval fatigue is a documented attack path.
How would we detect an SRG intrusion after the fact?
The FBI FLASH lists indicators: unauthorised installations of remote access tools such as Zoho Assist, AnyDesk, or Splashtop, unauthorised installation of external drives, WinSCP or RClone connections to external IPs, unusual outbound transfers to cloud storage (OneDrive, Google Drive), and unsolicited calls from individuals claiming to be internal IT. Endpoint detection and response with RMM tool inventory, USB installation logging, and cloud-storage upload monitoring covers most of the ground.
Is this only relevant for large firms?
No. Small firms are attractive targets precisely because their controls are lighter and their clients often include high-net-worth individuals or businesses in confidential dispute. The extortion economics work at small scale: a ten-partner firm with a live M&A file has as much extortion leverage per incident as a large firm with routine litigation matters.
Where does this leave our cyber insurance?
Cyber insurance is repositioning around the same threat picture. Insurers now routinely require MFA, EDR, tested incident response, and documented supplier security. Physical intrusion resulting in cyber compromise is a category some underwriters are pricing separately. Firms that can demonstrate integrated cyber-physical controls, tested against scenarios like this one, will find renewal conversations easier than those that cannot.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.

Let's talk