Google, FBI Alert Businesses to Ransomware Group Using Fake IT Workers for In-Person Cyberattacks
Google and the FBI have issued a warning about a ransomware group that infiltrates organisations by posing as legitimate IT workers. The attackers gain physical access to systems, steal sensitive data, and deploy ransomware, creating significant cybersecurity risks for businesses.
A ransomware group has expanded its tactics beyond traditional cyberattacks, with some members reportedly posing as IT support workers and visiting victim offices in person to steal sensitive information, according to new findings from Google and the FBI.
On Friday, Google’s cybersecurity divisions, Mandiant and the Google Threat Intelligence Group, released a report accusing the group known as the Silent Ransom Group of carrying out attacks between January and May that targeted dozens of organisations, particularly law firms. In several incidents, the attackers reportedly attempted to gain direct physical access to company systems.
“Mandiant has investigated cases where attackers planted insiders, bribed employees, or physically entered facilities to support cyber operations,” said Charles Carmakal, Chief Technology Officer at Mandiant. He noted that while such tactics are uncommon, they have appeared in other investigations over the years.
The report follows an FBI alert issued last month warning that the Silent Ransom Group had been targeting law firms through phishing campaigns and social engineering schemes, posing as IT support personnel. In some cases, individuals posing as technical support staff reportedly visited offices, connected to employee computers, and used USB devices or remote-access software to extract confidential information.
According to the FBI, the stolen data has included contracts, Social Security numbers, financial records, tax documents, and other sensitive corporate information.
“We can confirm multiple instances in which individuals impersonating IT support personnel gained or attempted to gain physical access to company offices and devices as part of Silent Ransom Group’s efforts to steal data,” an FBI spokesperson said.
Rather than relying on traditional ransomware techniques that encrypt systems, the group primarily uses data theft and extortion. The attackers operate a leak site where they threaten to publish stolen information if victims refuse to pay.
In some cases, victims receive direct messages warning that employee, customer, and partner information will be exposed if an agreement is not reached.
Google’s researchers said the group also continues to use more conventional cybercrime methods, including phishing emails, follow-up phone calls, and social engineering campaigns. Attackers often impersonate internal IT staff and convince employees to grant access to their systems.
Under the pretext of resolving security issues or assisting with data migration projects, the callers build trust and persuade targets to join screen-sharing sessions. Victims are then directed to install remote-access software or use built-in sharing tools available through platforms such as Zoom and Microsoft Teams.
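The callback chain described above ends the same way on the endpoint whether the pretext was a security issue or a data migration: a remote-access tool is launched, or a screen-sharing session is used, on a workstation where no help-desk ticket explains it. The block below is an added example, not code from the Google or FBI reports, of detection logic a defender could run over endpoint process-creation events. It flags launches of remote-access tools that fall outside an approved ticket window for that host, and adds context when the tool was spawned by a screen-sharing client or run from the user's Downloads folder. The JSON log format, host and user names, tool list and ticket windows are all constructed for the example.

```python
"""Flag remote-access tool launches that no approved help-desk ticket accounts for.

Added example; the log format, hosts, users, tool names and ticket windows are constructed.
"""
import json
from datetime import datetime
from pathlib import PureWindowsPath

# Assumption: executable names of remote-access tools the organisation does not
# sanction without a ticket. Placeholder set; replace with your own inventory.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe"}

# Assumption: screen-sharing clients whose child processes deserve extra scrutiny.
SCREEN_SHARE_CLIENTS = {"zoom.exe", "teams.exe", "ms-teams.exe"}

# Constructed endpoint process-creation events, one JSON object per line.
SAMPLE_LOG = r"""
{"ts": "2025-03-04T09:30:00", "host": "WS-HR-02", "user": "asmith", "image": "C:\\Windows\\System32\\quickassist.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-04T10:02:11", "host": "WS-FIN-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "parent": "C:\\Program Files\\Zoom\\bin\\Zoom.exe"}
{"ts": "2025-03-04T10:05:40", "host": "WS-FIN-07", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-04T14:12:03", "host": "WS-LGL-11", "user": "bchen", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent": "C:\\Windows\\explorer.exe"}
""".strip().splitlines()

# Constructed help-desk ticket windows: (host, start, end) during which a
# remote-access session on that host was approved.
APPROVED_WINDOWS = [
    ("WS-HR-02", datetime(2025, 3, 4, 9, 0), datetime(2025, 3, 4, 11, 0)),
]


def parse_events(lines):
    """Parse JSON-per-line process events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the sweep
    return events


def is_approved(host, ts, windows):
    """True if some approved ticket window on this host covers the timestamp."""
    return any(h == host and start <= ts <= end for h, start, end in windows)


def find_unauthorized_remote_access(lines, windows):
    """Return one alert per remote-access tool launch that no ticket window covers."""
    alerts = []
    for ev in parse_events(lines):
        image = PureWindowsPath(ev["image"]).name.lower()
        if image not in REMOTE_ACCESS_TOOLS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if is_approved(ev["host"], ts, windows):
            continue
        reasons = ["remote-access tool launched outside any approved ticket window"]
        parent = PureWindowsPath(ev["parent"]).name.lower()
        if parent in SCREEN_SHARE_CLIENTS:
            reasons.append("spawned by a screen-sharing client")
        if "\\downloads\\" in ev["image"].lower():
            reasons.append("binary run from the user's Downloads folder")
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "image": image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_remote_access(SAMPLE_LOG, APPROVED_WINDOWS):
        print(f"{a['ts']} {a['host']} {a['user']} {a['image']}: " + "; ".join(a["reasons"]))
```

Run on the constructed sample, the sweep ignores the Quick Assist session on WS-HR-02 because a ticket window covers it, and raises two alerts: the AnyDesk binary on WS-FIN-07, which carries all three reasons, and the TeamViewer launch on WS-LGL-11. Two design points matter in practice. Zoom and Teams are legitimate software, so a screen-sharing parent is context rather than an indicator on its own; what makes the alert actionable is the ticket allowlist, which converts "a remote-access tool ran" into "a remote-access tool ran that nobody in IT asked for". And the check keys on the executable name, so a renamed binary slips past; in production, match on signer or file hash from the same event stream rather than on the path alone.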
While most cybercriminals still rely on malware and remote attacks to steal information, these incidents highlight a growing willingness among some groups to combine digital intrusions with physical access tactics, marking a notable escalation in modern cybercrime operations.