Google and FBI Issue Urgent Warning Over Hacking Group Sending Imposter IT Workers for Physical In-Person Attacks
The FBI and Google’s cybersecurity divisions have issued a joint warning regarding a significant escalation in ransomware tactics, where cybercriminals are deploying physical imposters to target offices in person. The operations, attributed to a cybercriminal syndicate known as the Silent Ransom Group, specifically target law firms and other corporate offices to exfiltrate highly sensitive data directly from local machines.
In-Person Intrusions and Physical Exploitation
According to reports published by Google’s Mandiant and the Google Threat Intelligence Group, the gang targeted dozens of victims between January and May 2026. While the group still uses traditional digital vectors, its physical intrusion strategy marks a dangerous shift in the threat landscape:
- Physical Access: The group dispatches fake IT support personnel directly to a victim's corporate location.
- Direct Data Theft: Once inside, these imposters gain physical access to employees' workstations, where they use USB flash drives to copy information locally or install tools that let remote gang members connect to the network.
- Targeted Information: The stolen files primarily consist of corporate contracts, legal records, financial and tax documents, and personal employee details such as Social Security numbers.
High-Pressure Extortion and Social Engineering
Instead of using traditional ransomware that encrypts files and locks systems, the Silent Ransom Group relies strictly on data exfiltration and extortion. The group operates a dedicated leak website where it threatens to publish the stolen data if a ransom is not paid. To pressure victims into paying, the hackers email them directly, threatening to notify employees, partners, and customers of the breach.
When the group does not send imposters on site, it relies on aggressive social engineering via phone calls and phishing emails. Posing as internal corporate IT staff managing a "data migration" or a "security issue," callers build trust and manipulate victims into launching screen-sharing sessions via Zoom, Microsoft Teams, or external software to bypass internal corporate security controls.

