A Ransomware Gang Is Now Sending Fake IT Workers to Your Office — Here's How to Stop Them
Most cyberattacks happen at a distance — a hacker sitting somewhere across the world, quietly phishing their way into your inbox. That's uncomfortable enough. But a new warning from Google, Mandiant, and the FBI describes something far more unsettling: a criminal gang that skips the digital front door entirely and walks right through your physical one.
Meet the Silent Ransom Group
The Silent Ransom Group, also tracked under the names Luna Moth, Chatty Spider, and UNC3753, is a cyber extortion operation that has been active since 2022. According to Security Affairs, the group focuses on stealing sensitive data and extorting victims rather than encrypting files — a growing trend sometimes called "data extortion" rather than traditional ransomware. Their targets span legal services, healthcare, hospitality, finance, and insurance.
What makes this group newly alarming is a significant escalation in their tactics documented between January and May of this year. Google's cybersecurity teams, Mandiant and Google Threat Intelligence Group, published a report describing attacks targeting "dozens" of victims — with some of those attacks involving fake IT support workers who physically showed up at victims' offices.
Once inside, the imposters either connected to employees' computers directly — using USB drives to steal data — or helped other gang members gain remote access to the systems.
The FBI confirmed the physical intrusions are real: "We can confirm we have seen multiple instances of individuals impersonating IT support who have gained or attempted to gain physical in-person access to victim companies' offices and/or devices as part of Silent Ransom Group's scheme to exfiltrate data," an FBI spokesperson told TechCrunch.
The data they're after is serious: contracts, Social Security numbers, financial records, and tax documents. Once stolen, the group threatens to publish that data publicly unless victims pay — and they follow through. "In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data," the hackers wrote to one victim, according to Google.
They Don't Just Show Up — They Call First
The in-person visits don't happen in a vacuum. The Silent Ransom Group uses a layered social engineering approach to build trust before anyone sets foot in your office. Their playbook typically includes:
- Phishing emails pretending to be IT support
- Follow-up phone calls using real-sounding IT department scripts
- Screen-sharing manipulation — convincing employees to download remote access tools, or using built-in features in apps like Zoom or Microsoft Teams, under the guise of fixing a "security issue" or helping with a "corporate data migration project"
The in-person visit is essentially the final act when remote methods aren't enough — or when the gang wants to make sure they get exactly what they're looking for.
Beyond the physical attacks, Security Affairs reports that researchers at Resecurity have also uncovered the group's Fast Flux network infrastructure — a technique that uses rapidly rotating IP addresses tied to compromised IoT devices, routers, modems, and gateways to make their operation harder to shut down. That infrastructure spans nodes across Latin America, Eastern Europe, Central Asia, the Middle East, and East Asia.
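A defender-side heuristic for the Fast Flux pattern described above, as an added example that is not from the Resecurity research or this article's sources: it flags domains whose DNS answers rotate across many IPs in several networks with short TTLs. The log format, the thresholds, and the /16 grouping (a stand-in for an ASN lookup) are assumptions, and the sample records are constructed.

```python
# Fast-flux heuristic over resolver logs (added example; thresholds are assumptions).
import ipaddress
from collections import defaultdict

# Constructed sample log, one DNS answer per line: "epoch_seconds qname answer_ip ttl"
SAMPLE_LOG = """\
1000 flux.example 192.0.2.10 60
1060 flux.example 198.51.100.7 60
1120 flux.example 203.0.113.44 60
1180 flux.example 192.0.2.201 60
1240 flux.example 198.51.100.93 60
1300 flux.example 203.0.113.5 60
1000 cdn.example 203.0.113.20 30
1060 cdn.example 203.0.113.21 30
1120 cdn.example 203.0.113.22 30
1180 cdn.example 203.0.113.23 30
1240 cdn.example 203.0.113.24 30
1000 intranet.example 192.0.2.53 3600
1300 bad.example not-an-ip 60
"""
MIN_IPS = 5    # distinct A records per domain inside the window
MIN_NETS = 3   # distinct /16 networks; many IPs in one network looks like a CDN
MAX_TTL = 300  # seconds; fluxing records are served with short TTLs

def parse(log):
    """Yield (ts, qname, ip, ttl) tuples, silently skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (int(parts[0]), parts[1].lower().rstrip("."),
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def fast_flux_candidates(log, now, window=3600):
    """Return {qname: stats} for domains matching all three thresholds."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, qname, ip, ttl in parse(log):
        if ip.version != 4 or not (now - window <= ts <= now):
            continue
        ips[qname].add(ip)
        nets[qname].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        ttls[qname].append(ttl)
    return {q: {"ips": len(ips[q]), "nets": len(nets[q]), "max_ttl": max(ttls[q])}
            for q in ips
            if len(ips[q]) >= MIN_IPS and len(nets[q]) >= MIN_NETS
            and max(ttls[q]) <= MAX_TTL}
```

In the sample, `cdn.example` also rotates quickly with a short TTL but stays inside one network, so it is not flagged; requiring network spread is what separates the two cases.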
What Yuba City Small Businesses Should Do Right Now
The law firms being targeted are larger organizations, but the tactics Silent Ransom Group uses — phone calls, fake IT visits, social engineering — work on businesses of any size. Here's how to protect yours:
1. Create a Vendor Verification Policy
Never