The FBI’s IC3 advisory from May 26 documents something most extortion threat models haven’t assumed: fake IT workers walking into law firm offices, USB drives in hand, to exfiltrate client data directly from workstations.

The attacks ran from January through May 2026 and hit “dozens” of victims. The method starts with a phone call or email impersonating internal IT support and a request to join a screen-sharing session. When that fails, the group sends an operative to the office in person, claiming to be addressing a security issue or assisting with a “corporate data migration.” Stolen files included contracts, Social Security numbers, and financial and tax records.

This isn’t traditional ransomware. There’s no encryption. The Google Mandiant threat intelligence report, published June 5, 2026, documents Silent Ransom Group’s own leak site, where the gang threatens to publish stolen data if victims don’t pay. Their extortion emails are direct: “We will notify your employees, partners and customers, after which We will publish your data.”

I read through both documents this week. The structural shift is real: law firms have spent years hardening perimeter defenses against remote intrusion. Physical infiltration bypasses endpoint detection, DLP controls, and conditional access policies in one step. Mandiant CTO Charles Carmakal cited this tactic appearing in other cases over the years; what’s new is a data extortion group running it at scale against law firms specifically.

Physical access policies often live in a drawer. It’s worth auditing who currently holds standing authorization to service workstations at your offices, and whether your staff can verify the identity of an IT worker on a walk-in visit.
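One way to make that standing-authorization list do work on the detection side is to check it against removable-device connections on workstations. The script below is an added example written for this post, not code from the FBI advisory, the Mandiant report or the author. It assumes Windows Security event 6416 (“A new external device was recognized by the system”, logged when the Audit PNP Activity subcategory is enabled) has been exported as space-separated key=value lines, that workstation names carry the office as a prefix (`NYC-WS-17`), and that the roster of technician accounts per office is maintained by hand; the log lines, account names and roster are constructed for illustration.

```python
"""Flag removable-storage connections on workstations that fall outside the
standing service authorizations the post recommends auditing.

Added example for this post; not from the FBI or Mandiant reports.
Log export format, host naming scheme, roster and account names are
all constructed assumptions."""
from typing import Dict, List, Set

# Windows Security event 6416 ("A new external device was recognized by the
# system") is logged when the "Audit PNP Activity" subcategory is enabled.
PNP_DEVICE_EVENT = "6416"

# Device setup classes that indicate mass storage rather than a mouse or a
# keyboard. WPD covers phones and media players exposed as portable devices.
REMOVABLE_CLASSES = {"DiskDrive", "WPD"}

# Constructed roster: which offices each technician account may service.
# Keeping this current is the audit the post recommends.
AUTHORIZED_TECHS: Dict[str, Set[str]] = {
    "CORP\\it.svc01": {"NYC", "CHI"},
}

# Constructed log export: ISO timestamp followed by key=value fields.
SAMPLE_LOG = [
    r"2026-02-11T09:03:41 host=NYC-WS-17 user=CORP\it.svc01 EventID=6416 ClassName=DiskDrive DeviceId=USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler",
    r"2026-02-11T13:27:05 host=NYC-WS-22 user=CORP\visitor.temp EventID=6416 ClassName=DiskDrive DeviceId=USBSTOR\Disk&Ven_SanDisk&Prod_Ultra",
    r"2026-02-11T13:29:10 host=NYC-WS-22 user=CORP\visitor.temp EventID=6416 ClassName=Keyboard DeviceId=USB\VID_046D&PID_C31C",
    r"2026-02-12T10:15:00 host=DAL-WS-03 user=CORP\it.svc01 EventID=6416 ClassName=DiskDrive DeviceId=USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler",
    r"2026-02-12T10:16:30 host=DAL-WS-03 user=CORP\it.svc01 EventID=4624 LogonType=2",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one exported line into a field dictionary (assumed format)."""
    timestamp, *fields = line.split()
    record = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def host_office(host: str) -> str:
    """Assumed naming convention: <OFFICE>-WS-<n>, e.g. NYC-WS-17."""
    return host.split("-", 1)[0]


def flag_unauthorized_removable(lines: List[str],
                                roster: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one alert per mass-storage connection made under an account
    that holds no standing authorization for that workstation's office.
    Keyboards, mice and non-6416 events are ignored."""
    alerts = []
    for line in lines:
        rec = parse_event(line)
        if rec.get("EventID") != PNP_DEVICE_EVENT:
            continue
        if rec.get("ClassName") not in REMOVABLE_CLASSES:
            continue
        user = rec.get("user", "")
        office = host_office(rec.get("host", ""))
        if office not in roster.get(user, set()):
            alerts.append({
                "timestamp": rec["timestamp"],
                "host": rec.get("host", ""),
                "user": user,
                "device": rec.get("DeviceId", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_unauthorized_removable(SAMPLE_LOG, AUTHORIZED_TECHS):
        print(f"{alert['timestamp']} {alert['host']} {alert['user']} "
              f"removable device {alert['device']}")
```

On the constructed sample this produces two alerts: the visitor account plugging a drive into an NYC workstation, and the legitimate technician account servicing a Dallas machine it holds no authorization for. The second case matters because an operative using a borrowed or shared service account still trips the check; the device ID in the alert is what lets the walk-in be matched to a physical drive afterwards.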

Rebecca Lauren