
FBI Alert: Ransomware Operatives Are Walking Into Offices

· Infonaligy

The Silent Ransom Group is sending operatives into offices with USB drives. 38 law firms hit so far. Here's what to do about it.


The FBI issued a FLASH alert on May 26, 2026 warning that the Silent Ransom Group (SRG) has moved beyond phishing emails and phone calls. When their social engineering calls fail to trick employees into granting remote access, they send a person to the victim’s office. That person walks in, claims to be IT support, plugs in a USB storage device, and exfiltrates sensitive data. More than 38 law firms have already had client data published on SRG’s extortion site, with total victims exceeding 100 organizations across legal, insurance, finance, and healthcare.

If someone walked into your office today claiming to be from IT, would your front desk know what to do?

How the Attack Chain Works

SRG has been active since 2022, primarily targeting professional services firms with callback phishing. The typical attack starts with an email warning about a subscription charge or account issue, directing the recipient to call a number for help. When the employee calls, a fake support agent walks them through installing remote access software like AnyDesk or ScreenConnect. Once connected, the attacker moves through the network, finds sensitive files, and exfiltrates them for extortion.

The new development is what happens when that phone call doesn’t work. According to the FBI, SRG has begun sending operatives physically into target offices. These individuals arrive with a plausible cover story, present themselves as IT support staff, and ask for access to a computer. They plug in a USB device, copy files, and leave. The FBI notes that these intrusions “left few artifacts on compromised machines” because the attacker isn’t installing malware. They’re copying files directly to a portable drive.

This escalation makes sense from the attacker’s perspective. If a callback phishing attempt fails, the target has already been profiled. The attacker knows the company name, the office location, and enough about the technology environment to sound credible. Showing up in person is just another delivery mechanism for the same objective.

Why Your Antivirus Won’t Help

Traditional endpoint security products detect malicious software: trojans, ransomware payloads, command-and-control beacons. SRG’s physical intrusion approach sidesteps all of that. There’s no malware to detect. The attacker is using a USB drive to copy files the same way any employee would. The FBI’s alert specifically states that “traditional antivirus products are unlikely to flag the intrusion.”

Endpoint detection and response (EDR) tools are more capable than basic antivirus, and they can flag unusual USB activity or bulk file access patterns. But EDR only works if the USB ports are monitored and if the alerts reach a security operations team that acts on them in real time. If your USB ports are wide open and nobody is watching the alerts, EDR won’t save you from someone with a flash drive and a lanyard.
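The paragraph above turns on one condition: USB activity has to be logged and the log has to reach someone. The script below is an added example, not part of the FBI alert and not Infonaligy's own tooling, showing the minimum a small IT team can put in place on a Windows endpoint without an EDR product. It reads Security event 6416 ("A new external device was recognized by the system"), keeps only USB mass storage and portable device arrivals, and produces a summary a ticketing system or on-call engineer can act on. It assumes the "Plug and Play Events" audit subcategory has been enabled (the auditpol line in the comments); the function and parameter names are this example's own choices.

```powershell
# Added example (not from the FBI alert or Infonaligy): pull removable-storage
# device arrivals out of the Windows Security log so someone actually reviews them.
# Assumes the "Plug and Play Events" audit subcategory is enabled on the endpoint;
# without it, event 6416 ("A new external device was recognized by the system")
# is never written. Enable it from an elevated prompt with:
#   auditpol /set /subcategory:"Plug and Play Events" /success:enable
# Function and parameter names are this example's own choices.

function Get-RemovableDeviceEvents {
    param(
        [int]$Hours = 24            # how far back to look
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # USBSTOR = USB mass storage; WPDBUSENUM = portable devices (phones, cameras).
        # Other 6416 events (keyboards, docks, monitors) are skipped.
        if ($e.Message -notmatch 'USBSTOR|WPDBUSENUM') { continue }

        # The rendered message carries "Device ID:", "Class Name:" and the
        # Subject's "Account Name:" on their own lines; pull each with a regex.
        $deviceId  = if ($e.Message -match 'Device ID:\s+(.+)')    { $Matches[1].Trim() } else { 'unknown' }
        $className = if ($e.Message -match 'Class Name:\s+(.+)')   { $Matches[1].Trim() } else { 'unknown' }
        $user      = if ($e.Message -match 'Account Name:\s+(.+)') { $Matches[1].Trim() } else { 'unknown' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            User     = $user
            Class    = $className
            DeviceId = $deviceId
        }
    }
}

function Send-RemovableDeviceAlert {
    # Turn the findings into a summary that a ticket, e-mail or SIEM forwarder can carry.
    param([int]$Hours = 24)
    $hits = @(Get-RemovableDeviceEvents -Hours $Hours)
    if ($hits.Count -eq 0) {
        return "No removable storage connected in the last $Hours h"
    }
    $lines = $hits | ForEach-Object { "{0:u} {1} {2} {3}" -f $_.Time, $_.Computer, $_.User, $_.DeviceId }
    return "ALERT: $($hits.Count) removable device connection(s) in the last $Hours h`n" + ($lines -join "`n")
}

# Usage: run from a scheduled task or your RMM on each workstation and route the
# output to whoever is on call. An empty result is also worth keeping: it proves
# the audit setting is still on.
Send-RemovableDeviceAlert -Hours 24
```

Two design notes. First, this detects the device, not the copy: knowing which files were read from a workstation onto the drive needs object-access auditing (event 4663 with SACLs on the sensitive folders), which is a separate project. Second, an alert nobody reads is the failure mode the paragraph describes, so the script deliberately returns a string rather than writing to a console, because the useful step is wiring that string into a channel someone already watches.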

The broader point is that this attack exploits trust, not technology. No software can stop an employee from letting a friendly person sit down at a workstation because they said the right things at the front desk.

Who Is Being Targeted

SRG has published stolen data from at least 38 law firms, including firms with hundreds of attorneys and sensitive client information spanning M&A transactions, litigation, and regulatory matters. But the FBI’s alert makes clear that targets extend beyond legal.

Insurance companies, financial advisory firms, healthcare organizations, and any business handling confidential client data are in the crosshairs. The common thread is that these businesses hold information worth paying to keep private. SRG doesn’t encrypt files and demand a ransom to unlock them. They steal data and threaten to publish it unless the victim pays, a model sometimes called data extortion.

For professional services firms in Texas, the risk is concrete. A 200-person law firm, a regional insurance agency, a multi-location dental practice: these are exactly the organizations SRG profiles and targets. They tend to have small or outsourced IT teams, limited physical security protocols for technology access, and high-value data that clients would be alarmed to see leaked.

What the FBI Recommends

The FBI’s FLASH alert includes specific recommendations. These aren’t theoretical best practices. They’re direct responses to how SRG operates.

Verify the identity of anyone claiming to be IT support. This is the most important recommendation. Require photo ID verification for any person who shows up claiming to provide IT services. But go further: verify with your actual IT provider that a visit was scheduled. A fake ID is easy to produce. A call to your MSP confirming “Did you send someone to our office today?” is much harder to fake.

Document how your IT support authenticates itself. Every employee should know how to verify that a request for access is legitimate. This means having a documented process: who your IT provider is, how they contact you, what they will and won’t ask for, and who in your office is authorized to grant physical access to technology. If that process doesn’t exist, you’re relying on individual judgment under social pressure.

Disable external drive installation on endpoints. USB device restrictions should be enforced through group policy or your endpoint management platform. Most businesses have no legitimate reason for employees to plug unknown USB drives into workstations. Disabling removable storage by default eliminates the primary exfiltration tool SRG uses during physical intrusions.
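As an added example (not the FBI's recommendation text and not Infonaligy's own scripts), here is the registry-level equivalent of the Group Policy setting the paragraph refers to, together with a check that reports whether a given machine is actually locked down. The policy value it writes is the one set by "All Removable Storage classes: Deny all access" under Computer Configuration > Administrative Templates > System > Removable Storage Access; the function names are this example's own. The report function is meant for the "test on a few machines first" step: apply the setting to a pilot group, collect the report from each, and only then roll the GPO out.

```powershell
# Added example (not the FBI's or Infonaligy's code): apply and audit the
# "All Removable Storage classes: Deny all access" policy on a Windows endpoint.
# $PolicyKey and Deny_All are the real registry location the GPO setting writes.
# In a domain, enforce this through a GPO so it is re-applied automatically;
# the local write below is for piloting on a handful of machines.
# Run from an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenyAll {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Deny_All = 1 blocks read, write and execute on every removable storage class.
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RemovableStorageDenied {
    # $true only when the deny-all value exists and is set to 1.
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    return ($value -eq 1)
}

function Get-RemovableStorageReport {
    # One object per machine, suitable for attaching to the change ticket.
    # USBSTOR Start: 3 = driver loads on demand (default), 4 = driver disabled.
    $usbStor = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                 -Name 'Start' -ErrorAction SilentlyContinue).Start
    $mounted = @(Get-Volume -ErrorAction SilentlyContinue |
                 Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
                 Select-Object -ExpandProperty DriveLetter)
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        DenyAllPolicy    = Test-RemovableStorageDenied
        UsbStorStart     = $usbStor
        MountedRemovable = ($mounted -join ',')
    }
}

# Usage on a pilot machine: apply, then confirm. Devices already attached when
# the value is written may keep working until they are reconnected or the
# machine reboots, so verify with a fresh plug-in, not just the report.
Set-RemovableStorageDenyAll
Get-RemovableStorageReport | Format-List
```

If a department genuinely needs removable media (for example, a scanner that writes to a card), the same registry key takes per-class deny values instead of Deny_All, so read-only access to one class can be kept while write access is removed everywhere; keep that exception list short and written down, because every exception is a workstation an impersonator could be steered toward.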

Implement phishing-resistant MFA. Multi-factor authentication protects against the callback phishing stage of SRG’s attack chain. If an employee does install remote access software and an attacker gains access to their session, MFA on critical systems prevents lateral movement into email, file shares, and financial applications. The FBI specifically recommends phishing-resistant options like FIDO2 security keys over SMS codes.

Train employees on callback phishing and in-person social engineering. Security awareness training programs should cover callback phishing specifically, since it bypasses email filters entirely. Add scenarios for in-person impersonation to your training: what to do when someone shows up unannounced claiming to be from IT, how to verify the claim, and how to escalate if something feels wrong.

Your Action Checklist

Knowing what to do is different from doing it. Here’s a prioritized list you can start acting on this week:

  • Today: Send a company-wide message stating that no one should grant computer access to any visitor claiming to be IT support without first calling your IT provider to confirm the visit. Name your IT provider in the message so employees know exactly who to contact.
  • This week: Review your USB device policy. If removable storage isn’t disabled on endpoints, work with your IT team to implement group policy restrictions. Test on a few machines first.
  • This week: Create a written visitor verification procedure for IT-related visits. Include the IT provider’s name, main contact number, and a requirement that all on-site visits be scheduled in advance with a named employee as the point of contact.
  • This month: Update your security awareness training to include callback phishing and in-person social engineering scenarios. Run a tabletop exercise: “A person arrives at the front desk saying they’re here to fix a server issue. What does your team do?”
  • This month: Audit your MFA coverage. Identify which systems still rely on passwords alone or SMS-based MFA, and make a plan to move to phishing-resistant authentication.

Why a Documented IT Partner Changes the Equation

The SRG attack works because most businesses don’t have a clear, documented answer to the question “who is our IT support and how do we verify them?” When a confident person shows up in business casual with a laptop bag and says “I’m from your IT company, there’s a critical issue with your server,” the default human response is to help.

A managed IT partnership changes that dynamic in a specific way. When your employees know that Infonaligy is your IT provider, that all on-site visits are scheduled through a ticketing system, that technicians carry company identification, and that any unscheduled visit should trigger a verification call, the impersonation playbook falls apart. The attacker can claim to be from IT, but your front desk already knows who “IT” actually is.

This isn’t about technology. It’s about having a documented chain of trust that employees can follow without making judgment calls under pressure. Your receptionist shouldn’t have to decide whether a stranger is legitimate based on how convincing they sound. They should have a process: check the schedule, call the provider, confirm the name. If the visit isn’t on the books, the answer is no.

The FBI’s alert reinforces what security-aware organizations already practice: people are both the primary target and the primary defense in social engineering attacks. The difference between a firm that gets compromised and one that doesn’t often comes down to whether employees have clear procedures to follow when someone asks for access they shouldn’t have.

Need Help With Physical Security and Social Engineering Defense?

Our team can help you build visitor verification procedures, lock down USB access, and train your staff on the threats that bypass your firewall entirely.

Get a Free Assessment