The Silent Ransom Group Is Walking Into Law Firms. Here Is What You Need to Know.

By Steven C. Fraser, Esq. | FL Bar No. 625825 | DC Bar No. 460026

On June 5, 2026, Mandiant and the Google Threat Intelligence Group published a report attributing the Silent Ransom Group with a campaign that most firms never prepared for: stealing client data through physical, in-person access.

The group, also tracked as Luna Moth, Chatty Spider, and UNC3753, has attacked dozens of targets between January and May 2026. It has focused on U.S.-based law firms since 2023, drawn to the sensitive nature of legal records.

The FBI confirmed to TechCrunch that it has "observed multiple cases of individuals masquerading as IT support who have successfully or attempted to gain physical access to victim companies' premises." The FBI alert and Yahoo News coverage describe a strategy built on trust and impersonation, not malware.

This Is Not Traditional Ransomware

Silent Ransom Group emerged in 2022 after the Conti ransomware operation disbanded. Unlike conventional ransomware operators, this group does not encrypt your files. There is no locked screen. No countdown timer.

They steal your data and extort you afterward.

That distinction matters. A firm can recover from encrypted files if it has backups. It cannot recover from client records posted on the open internet or delivered to opposing counsel.

The Physical Access Problem

The most alarming part of the Mandiant report is the method: people posing as IT support walk into offices and gain access to internal systems. Researchers believe the group, suspected to be based in Russia, uses gig workers or subcontractors who speak the target's language and look the part.

This is social engineering in its purest form. No phishing email. No malicious attachment. A person with a lanyard and a confident tone walks through the front door.

For solo and small-firm practitioners, the vulnerability is obvious. There is no reception desk. There is no badge system. There is often no IT department to verify against.

What the FBI Recommends

The FBI advisory and a Florida Bar News report both recommend the following:

• Verify credentials before granting anyone access to office spaces or computer systems
• Develop clear policies for how legitimate IT staff authenticate themselves on-site
• Train every employee to recognize social engineering attempts, including physical impersonation
• Monitor network access for unexpected devices or login patterns

What This Means for Solo and Small Firms

The group has claimed responsibility for more than 100 attacks, and activity has surged in recent months. Every firm that holds confidential client data is a potential target.

The obligation is not theoretical. Rule 4-1.6 of the Florida Rules of Professional Conduct requires lawyers to make reasonable efforts to prevent unauthorized access to client information. That includes physical security, not just digital security.

If someone walks into your office today and says they are from your IT provider, what is your verification protocol? If the answer is "we do not have one," the time to fix that is now.

Taking Action

A cybersecurity posture audit, even a basic one, should cover physical access controls, credential verification procedures, and employee training. The firms that act before they become a target are the ones that stay off the extortion list.

If you need a cybersecurity assessment tailored to a legal practice, LexAI Advisors provides security posture audits, AI tool vetting, and bar ethics alignment specifically for solo and small law firms.

Steven C. Fraser is an attorney licensed in Florida and the District of Columbia. He practices in 14 areas including bankruptcy, estate planning, consumer protection, and mediation across all 20 Florida circuits and DC Superior Court. He is the founder of LexAI Advisors, which provides AI strategy consulting and cybersecurity advisory services to law firms.