    cybersecurity
    social-engineering
    ransomware

    FBI Warns of Silent Ransom Group Impersonating IT Support

    Dustin Collett, May 28, 2026

    A ransomware incident does not always begin with malware. Sometimes it starts with a phone call from someone claiming to be from IT support.

    On May 26, 2026, the FBI's Internet Crime Complaint Center published FLASH alert FLASH-20260526-01 warning that Silent Ransom Group is impersonating IT personnel through phone calls, phishing emails, remote access tools, and even in-person visits.

    For business leaders, the alert is a reminder that cyber risk is also an operations, training, vendor access, and physical security problem.

    What the FBI Alert Says

    The FBI identifies Silent Ransom Group (SRG), also tracked as Luna Moth, Chatty Spider, and UNC3753, as a threat group that uses social engineering to gain access to victim computers and steal data. The group has targeted several industries, including insurance, finance, and healthcare, and the FBI notes that SRG has consistently targeted U.S.-based law firms since spring 2023.

    Unlike traditional ransomware groups, SRG does not need to encrypt systems to create pressure. The group focuses on fast access, data exfiltration, and extortion through threats to publish or sell stolen data.

    According to the FBI alert, SRG actors may call employees directly or send phishing emails designed to make employees call the attacker. Once on the phone, the attacker poses as IT support and tries to convince the employee to open a remote desktop session. If that fails, the FBI says the group may send someone in person to the victim's location to insert a USB drive or external hard drive into a company computer.

    That makes this threat especially important for businesses that rely on remote support, shared office access, or sensitive client data.

    Why This Matters for Businesses

    Many organizations have trained employees to watch for suspicious links or obvious malware. That is still important, but it is not enough for this type of attack.

    SRG takes advantage of trust. Employees are used to getting help from IT. They may expect remote support tools, troubleshooting calls, or instructions to install software. In a busy office, someone carrying a laptop bag and claiming to be from IT may not immediately seem suspicious.

    The business impact can be serious even if systems are never encrypted. Data theft can lead to client notification obligations, legal exposure, reputational damage, downtime during investigation, and pressure from customers or partners. For firms handling confidential records, contracts, financial data, or regulated information, the exposure extends well beyond the technical incident to client trust and professional obligations.

    The FBI also notes that SRG campaigns may leave few artifacts on compromised machines and may use legitimate system management or remote access tools. That means traditional antivirus alerts may not be the first or only warning sign.

    How the Attack Usually Works

    The FBI alert describes a pattern that is simple, fast, and highly dependent on human trust.

    1. The attacker creates urgency. The employee receives a call, email, or voicemail that appears to come from IT support, billing, a subscription service, or another believable source.
    2. The employee is pushed toward live contact. The attacker may ask the employee to call back or stay on the phone while a supposed IT issue is being resolved.
    3. Remote access is requested. The attacker instructs the employee to grant access through a remote desktop or system management tool.
    4. If remote access fails, physical access may be attempted. The FBI warns that SRG may send someone to the victim's location claiming they need to image a device, create a backup file, or address an issue caused by a phishing email.
    5. Data is exfiltrated quickly. The alert names WinSCP and hidden or renamed versions of Rclone as tools used for exfiltration. It also notes that SRG may use cloud platforms such as Google Drive and Microsoft OneDrive or external storage devices.
    6. Extortion follows. After data is stolen, the victim may receive ransom demands threatening public disclosure or sale of the data. The FBI says SRG may also contact employees or clients to increase pressure.

    This is not a slow, noisy attack that every business can expect to catch at the endpoint. It is a process failure waiting to happen if employees do not know how real IT support identifies itself and what it will never ask for.

    Warning Signs to Watch For

    The FBI lists several indicators that may point to SRG activity. Businesses should not treat any single tool or event as proof of compromise, because many remote access tools have legitimate uses. Context matters.

    Warning signs include:

    • New or unauthorized downloads of remote access or system management tools, such as Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera.
    • Unauthorized installation or use of USB drives or external hard drives on company computers.
    • Unexpected data movement to Microsoft OneDrive, Google Drive, or external servers.
    • WinSCP or Rclone connections to external IP addresses.
    • Alerts showing data leaving the company environment.
    • Unknown individuals attempting to access company computers while claiming to be IT support.
    • Employees receiving unsolicited calls from people falsely claiming to work in the IT department.
    • Emails, calls, or voicemails from an unnamed group claiming company data was stolen.
    • Clients receiving calls or emails claiming their data was stolen.

    A strong response depends on making these signs reportable. Employees should know who to contact, how quickly to report, and that reporting suspicious activity is helpful.

    Practical Defenses to Put in Place

    The FBI recommends practical controls that reduce the chance of this kind of attack succeeding. The goal is to make the attacker's story difficult to believe and easy to verify.

    Start with an internal IT verification process. Employees should know how IT will contact them, what IT will never ask them to do, and how to confirm anyone requesting access. Document the process and repeat it during onboarding and security refreshers.

    Next, tighten remote access and removable media controls. Remote support tools should be approved, logged, and limited to authorized users, and installation of any other remote access tool should be blocked by policy. Use of USB drives and external hard drives should be restricted on systems that access sensitive data. Where possible, block or tightly control remote access paths that are not required.

    Businesses should also require phishing-resistant Multi-Factor Authentication (MFA) where possible. MFA will not stop every social engineering attempt, but it can reduce the value of stolen credentials and make it harder for attackers to reach cloud email, files, or administrative tools.

    Monitoring matters too. Watch for unusual file transfers, new remote support software, Rclone or WinSCP activity, and large uploads to cloud storage. Cloud platforms such as Microsoft 365, OneDrive, and Google Workspace should have alerting rules that flag suspicious sharing, downloads, and external transfers.
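The warning signs listed earlier and the monitoring points in this paragraph translate directly into detection rules. The script below is an added example, not code from the FBI alert or from the original post: it runs four such rules over a handful of constructed endpoint events (field names loosely mirror Sysmon process-creation and network-connection records) and flags an unapproved remote support tool, Rclone hiding under another name, an exfiltration tool talking to an external address, and a write to removable media. The approved-tool list, host names, paths and IP addresses are all assumptions.

```python
"""Added example: rule-based triage of constructed endpoint telemetry for the
SRG tradecraft described in the FBI alert. Field names loosely mirror Sysmon
process-creation (Event ID 1) and network-connection (Event ID 3) records; all
sample events, hosts, paths and addresses below are constructed."""
import ipaddress
from pathlib import PureWindowsPath

# Remote support tools named in the alert (lower-case executable stems).
REMOTE_TOOLS = {"zohoassist", "quickassist", "anydesk", "rustdesk",
                "syncro", "splashtop", "atera"}
# Assumption: this organisation has sanctioned only Quick Assist.
APPROVED_REMOTE_TOOLS = {"quickassist"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


def is_external(ip: str) -> bool:
    """True for globally routable addresses; RFC 1918, loopback, link-local
    and the documentation ranges all count as internal."""
    return ipaddress.ip_address(ip).is_global


def looks_like_rclone(event: dict) -> bool:
    """Catch Rclone even after the binary is renamed. The PE OriginalFileName
    survives a plain rename; if the actor also scrubbed that, the command line
    still carries an rclone verb followed by a remote written as name:path
    (a drive letter puts its colon at index 1, a remote name puts it later)."""
    if event.get("original_file_name", "").lower() == "rclone.exe":
        return True
    args = event.get("command_line", "").split()
    if len(args) < 3 or args[1].lower() not in RCLONE_VERBS:
        return False
    return any(a.strip('"').find(":") > 1 for a in args[2:])


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per matched rule, in event order."""
    findings = []
    for e in events:
        image = PureWindowsPath(e.get("image", "")).name.lower()
        original = e.get("original_file_name", "").lower()
        if e["type"] == "process_create":
            stem = image.removesuffix(".exe")
            if stem in REMOTE_TOOLS and stem not in APPROVED_REMOTE_TOOLS:
                findings.append({"rule": "unapproved_remote_tool",
                                 "host": e["host"], "detail": image})
            if looks_like_rclone(e):
                findings.append({"rule": "rclone_execution", "host": e["host"],
                                 "detail": e["command_line"],
                                 "renamed": image != "rclone.exe"})
        elif e["type"] == "network_connect":
            if (image in EXFIL_TOOLS or original in EXFIL_TOOLS) \
                    and is_external(e["dest_ip"]):
                findings.append({"rule": "exfil_tool_external_connection",
                                 "host": e["host"],
                                 "detail": f"{image} -> {e['dest_ip']}:{e['dest_port']}"})
        elif e["type"] == "file_write" and e.get("drive_type") == "removable":
            findings.append({"rule": "removable_media_write",
                             "host": e["host"], "detail": e["target"]})
    return findings


# Constructed sample telemetry: one benign Quick Assist launch, one internal
# WinSCP session, and five events that should fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-017",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "original_file_name": "AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"type": "process_create", "host": "WS-017",
     "image": r"C:\Windows\System32\quickassist.exe",
     "original_file_name": "QuickAssist.exe", "command_line": "quickassist.exe"},
    # Rclone renamed to svchost.exe; OriginalFileName still gives it away.
    {"type": "process_create", "host": "WS-017",
     "image": r"C:\ProgramData\svchost.exe", "original_file_name": "rclone.exe",
     "command_line": r"svchost.exe copy C:\Clients gdrive:backup --transfers 8"},
    # OriginalFileName scrubbed too; the command-line heuristic catches it.
    {"type": "process_create", "host": "WS-022",
     "image": r"C:\ProgramData\updater.exe", "original_file_name": "",
     "command_line": r'updater.exe sync "C:\Matters" od:archive'},
    {"type": "network_connect", "host": "WS-017",
     "image": r"C:\ProgramData\svchost.exe", "original_file_name": "rclone.exe",
     "dest_ip": "104.21.55.7", "dest_port": 443},
    {"type": "network_connect", "host": "WS-022",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "original_file_name": "winscp.exe", "dest_ip": "10.20.3.5", "dest_port": 22},
    {"type": "file_write", "host": "WS-009", "image": r"C:\Windows\explorer.exe",
     "target": r"E:\clients-2026.zip", "drive_type": "removable"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:7} {f['rule']:32} {f['detail']}")
```

Two design points carry over to a real deployment. First, the renamed-Rclone rule deliberately does not trust the process name: the PE's OriginalFileName catches a plain rename, and the command-line check (an rclone verb followed by a `remote:path` target) still fires when that field has been scrubbed. Second, the external-connection rule keys on the tool, not the destination, because the alert names Google Drive and OneDrive as exfiltration targets and those addresses will never appear on a blocklist; the sanctioned Quick Assist launch and the internal WinSCP session in the sample stay silent, which is the context the earlier caveat asks for.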

    Physical security should not be overlooked. Visitors claiming to be IT support should be verified before entering work areas or touching company devices. The FBI recommends verifying credentials for people accessing company spaces, including obtaining copies of visitor ID cards.

    Finally, maintain regular backups and an incident response plan. SRG may not encrypt files, but backups still matter during investigation, recovery, and business continuity. The response plan should assign ownership of legal, client notification, law enforcement contact, communications, and technical decisions before an incident, not during one.

    What to Do if You Suspect SRG Activity

    If an employee receives a suspicious IT support call, email, voicemail, or in-person request, they should stop the interaction and report it through the approved internal channel. Do not continue the remote session, install new tools, plug in external drives, or let an unverified person handle company equipment.

    If access may already have been granted, preserve evidence. Security teams should collect relevant emails, voicemail transcripts, phone numbers, remote access logs, endpoint logs, cloud audit logs, and details about the person or device involved. The FBI says victim organizations may share ransom notes, callback messages, phishing emails, threat actor contact details, cryptocurrency wallet information, and identifying information about individuals posing as IT support, when legally appropriate.

    Organizations should also consider reporting suspicious or criminal activity to the FBI Internet Crime Complaint Center and contacting their local FBI Cyber Squad when appropriate.

    Final Takeaway

    Silent Ransom Group's tactics are effective because they look like normal business support activity. The best defense is a combination of employee training, clear IT authentication rules, controlled remote access, endpoint and cloud monitoring, visitor verification, MFA, and a tested response process.

    If your team is not sure whether your remote support, access control, or incident response procedures would stand up to this kind of social engineering, now is the time to review them. Collett Systems can help assess your security posture and build practical defenses that fit how your business works. Start with our contact page or learn more about our managed IT services.