The FBI has issued a fresh alert about the Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753 in different write-ups. The group has been active since 2022, started life as a callback-phishing crew, and has now added a step that is worth pausing on. When the phone trick does not work, they send a person to the office, dressed and acting like an IT engineer, who walks in, plugs a storage device into a partner's machine, and walks out with the data.
The targets are US law firms. The pattern translates one-for-one to UK professional services. Most firms in the country have no process for the line "your IT support is here" because they have never needed one.
How the script runs
The attack has three stages, in order of escalation.
The phone call or email. Someone phones a fee earner, paralegal, or executive assistant, says they are from IT, and asks the target to install a remote-access tool so they can fix an "issue". If the target complies, the attacker has remote access to that machine and to every draft, client file, and mailbox the user can reach. From there, the group uses WinSCP or a renamed and otherwise disguised copy of Rclone to copy data out, then either encrypts what is left behind or, as is more usual for this group, simply keeps the copy and threatens to publish it.
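A check to go with that description, and with the brief to fee earners later in this piece: whether any of those tools are already on a partner's machine. The script below is an added example, not from the original post or the FBI alert. It sweeps a Windows workstation for installed remote-access software, for running copies of those tools, and for a renamed Rclone binary. The product list is an assumption (a starting set of common remote-access tools, not a claim about which ones this group used on any given victim), and so are the folders it sweeps. The one thing it relies on that is not an assumption is that Rclone is a Go program, and a Go binary carries its module path (github.com/rclone/rclone) inside it whatever the file has been renamed to.

```powershell
# Added example, not from the original post or from the FBI alert. Run it in an
# elevated PowerShell on a Windows workstation. The product names below are an
# assumption: a starting list of common remote-access tools, not a statement
# about which ones this group used on any particular victim.
$RemoteAccessNames = @('AnyDesk', 'TeamViewer', 'ScreenConnect', 'ConnectWise',
                       'Zoho Assist', 'Splashtop', 'Atera', 'Syncro', 'RustDesk')
$ExfilToolNames    = @('WinSCP', 'rclone')
$RcloneMarker      = 'github.com/rclone/rclone'   # Go module path embedded in every rclone build

# One regex for all names; spaces removed so 'Zoho Assist' also matches a process called ZohoAssist.
$NamePattern = ($RemoteAccessNames + $ExfilToolNames |
    ForEach-Object { [regex]::Escape(($_ -replace ' ', '')) }) -join '|'

function Test-ContainsAscii {
    # Byte search done through a 1:1 single-byte encoding, so binary content survives the decode.
    param([string]$Path, [string]$Needle)
    try {
        $latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
        $text   = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))
        return $text.IndexOf($Needle, [System.StringComparison]::Ordinal) -ge 0
    } catch { return $false }   # locked or unreadable file: report nothing rather than abort the sweep
}

function Get-InstalledRemoteAccessSoftware {
    # Uninstall keys, including the per-user hive that AnyDesk and similar tools install into by
    # default (HKCU only covers the account running the script). Avoids Win32_Product, which is
    # slow and triggers MSI self-repair on every query.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and (($_.DisplayName -replace ' ', '') -match $NamePattern) } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-SuspectProcesses {
    # Two checks per process: a name match, and (for anything with a readable path)
    # the rclone module string, which a renamed binary still carries.
    Get-Process | ForEach-Object {
        $reason = $null
        if ($_.ProcessName -match $NamePattern) { $reason = 'name matches tool list' }
        elseif ($_.Path -and (Test-ContainsAscii -Path $_.Path -Needle $RcloneMarker)) { $reason = 'binary is rclone' }
        if ($reason) { [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; Reason = $reason } }
    }
}

function Find-RenamedRclone {
    # Sweep the places a user-level install or a dropped tool usually lands (assumed starting set).
    param([string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP))
    Get-ChildItem -Path $Roots -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 5MB -and $_.Length -lt 200MB } |   # rclone is a large static Go binary
        Where-Object { Test-ContainsAscii -Path $_.FullName -Needle $RcloneMarker } |
        Select-Object FullName, Length, LastWriteTime
}

function Test-RcloneConfigPresent {
    # rclone keeps its remotes here by default; a disguised copy may point --config elsewhere,
    # so absence proves little, but presence on a partner machine is worth a question.
    Test-Path (Join-Path $env:APPDATA 'rclone\rclone.conf')
}

'== Installed remote-access / transfer software ==' ; Get-InstalledRemoteAccessSoftware | Format-Table -AutoSize
'== Suspect running processes ==' ;                   Get-SuspectProcesses | Format-Table -AutoSize
'== Possible renamed rclone binaries under user, ProgramData and Temp ==' ; Find-RenamedRclone | Format-Table -AutoSize
'== Default rclone config present: ' + (Test-RcloneConfigPresent)
```

Run it as the partner's own account for the HKCU and profile checks to mean anything, and treat a hit as a question to ask, not a verdict: a legitimate IT provider may well have TeamViewer or ScreenConnect installed, which is exactly why reception needs to know the provider's name.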
The in-person visit. When the phone trick fails, the FBI alert says, "SRG sends a threat actor to the victim's location to gain access and insert a storage device into the victim's computer." They claim to be from the IT provider the firm uses, sometimes naming the right one. They get past reception. They sit at the target's desk while the target is in a meeting, or while reception calls upstairs. They copy data to a USB drive and leave.
The extortion. The data is exfiltrated, the firm is contacted, and the price is set. Law firms are picked specifically because the data is sensitive, named, and embarrassing to publish. The same factors hold for accountants, financial advisors, recruiters, and any consultancy that holds client files.
Why this works in a UK office
Three things make the in-person move effective.
Reception does not have a procedure for IT visits. Most firms have a visitor log and a sign-in tablet. Few have a question that has to be asked. "Who are you here to see?" gets answered with a real name lifted from the firm's website. "I'm here for the meeting room work, Mark in IT booked it" is plausible enough.
Partners' machines are usually unlocked. A senior person leaves their office for a meeting. The machine is on, the email is open, the case management system is logged in. Anyone sitting at that desk can read everything that user can read.
The visitor looks legitimate. A clipboard, a polo shirt, a lanyard from a high-street print shop, and a confident manner. The training that staff actually have is on email phishing, not on people walking through the front door. Most reception staff are not trained to challenge someone who appears to know where they are going.
The fix is mostly process. None of the steps below need new technology. Some of them just need someone to decide what the firm's answer is and put it on a card behind reception.
What to actually do
Write a one-line policy for IT visits and put it on the reception desk. "IT engineers visit only by prior arrangement, and only when verified by [named person]. If you do not have that, please ring [number] before showing them in." The number should ring a person who can verify, not a generic IT helpdesk. The point is to make verification the default, with a fall-back that does not require anyone to be brave.
Name your actual IT provider, on the same card. Reception should know the name of the firm that handles IT, the names of the engineers if it is a small provider, and a number to call to check. "The engineer is Sam from Acme IT, he's expected at 2pm" is the bar. Anyone who does not match needs a phone call to confirm before they go upstairs.
Lock the screen when leaving the desk. This is the unglamorous one and it is the single most effective control here. Windows-key plus L, or Control-Command-Q on a Mac, every time you stand up. A short screen-lock timeout helps but does not replace the habit. The Silent Ransom in-person play needs an unlocked workstation in front of the visitor; the lock makes the whole thing harder. Pair it with full-disk encryption (BitLocker or FileVault) and a firmware setting that will not boot from USB, so the stick cannot be used to boot the machine and read the disk instead.
Disable USB mass storage on the machines that need it least. If a partner's machine never needs to read a USB stick, the simplest defence is to turn that off. On Windows the Removable Storage Access settings in Group Policy do it; on a Mac an MDM profile does. Only the storage device class is blocked, so keyboards, mice, and headsets keep working. The point is not to make USB unusable for the firm, it is to make the specific attack of "plug a stick in and copy data off" not work on the highest-value machines.
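What that looks like on one Windows machine, as an added example that is not from the original post or the FBI alert. The script writes the same registry values the Removable Storage Access policy settings write, so a proper Group Policy or Intune policy can replace it later without conflict, and it includes the check to run across the partner machines afterwards. It assumes it is run elevated on Windows 10 or 11 and that the machine genuinely does not need USB storage.

```powershell
# Added example, not from the original post or from the FBI alert. Writes the
# same registry values the "Removable Storage Access" Group Policy settings write
# (Computer Configuration > Administrative Templates > System > Removable Storage
# Access), so a real GPO or Intune policy can replace it later. Run elevated on
# Windows 10/11. Assumes the machine is one where USB storage is genuinely not
# needed; keyboards, mice and headsets are unaffected because only the storage
# device class is denied.

$PolicyRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" class used by the policy
$DenyValues         = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

function Set-RemovableDiskDenied {
    # Deny read, write and execute for removable disks. -DenyAllClasses also sets the
    # blanket "All Removable Storage classes: Deny all access" value, which covers
    # phones (MTP), CD/DVD and tape as well.
    param([switch]$DenyAllClasses)
    $classKey = Join-Path $PolicyRoot $RemovableDiskClass
    New-Item -Path $classKey -Force | Out-Null
    foreach ($name in $DenyValues) {
        New-ItemProperty -Path $classKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
    if ($DenyAllClasses) {
        New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-RemovableDiskDenied {
    # The check to run across the partner machines: true only if all three deny values are 1.
    $classKey = Join-Path $PolicyRoot $RemovableDiskClass
    if (-not (Test-Path $classKey)) { return $false }
    $props = Get-ItemProperty -Path $classKey
    foreach ($name in $DenyValues) {
        if ($props.$name -ne 1) { return $false }
    }
    return $true
}

function Get-AttachedUsbDisks {
    # What is plugged in right now. Run before the rollout to find the one person who
    # genuinely uses a stick, and after, to confirm a test stick shows as present but blocked.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, InstanceId, Status
}

Set-RemovableDiskDenied
if (Test-RemovableDiskDenied) {
    'Removable disk access denied by policy. Reboot to be certain it is in force for already-attached devices.'
}
Get-AttachedUsbDisks | Format-Table -AutoSize
```

Two caveats. This blocks the storage class only, so a keystroke-injecting device that presents itself as a keyboard is not covered; the screen lock is what deals with that. And the blunter alternative, setting the USBSTOR service's Start value to 4 so the driver never loads, works but is harder to undo selectively and is not what the Group Policy setting does.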
Brief the reception team specifically. The wider awareness training the firm runs is about email. This one is about people. Spend ten minutes with reception running through the script: "If someone arrives saying they are IT, the answer is to ring the number on the card. If they push back, the answer is to ring the number on the card. The person who runs IT is fine with being rung; the engineer who is not legitimate is the one who will leave."
Brief the fee earners and the EAs. The phone-call half of the attack works on the people who can authorise things. The brief is short: IT will not ring you out of the blue and ask you to install AnyDesk, TeamViewer, or anything similar. If they do, hang up, ring the IT provider on a known number, and check.
Have a known way to confirm identity. A pre-agreed challenge phrase is overkill for most firms, but an "I'll just ring [name] to confirm" habit is not. The point is that the attacker has spoofed the call or arrived at the door precisely because there is no second channel. Make sure there is one.
The reason this attack is showing up against law firms first is that the data is valuable and the target list is public. There is no reason it would not work on any UK professional services firm of similar shape. The good news is that almost every fix is cheap. The bad news is that none of them happen unless someone decides to put the card on the reception desk.
How Steelwise can help
Writing the reception card, briefing the team, and switching off what should be off by default on partner machines is the kind of practical work we do with professional services firms. Get in touch.