

The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks.
“As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim’s IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support,” the FBI warned in a Tuesday flash alert.
“While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer.”
By going to the victim’s location in person, the malicious actors can also steal data by connecting USB drives or external hard drives to the victim’s computer.
The FBI included the unauthorized installation of external hard drives or USB drives on company computers, and the presence of unidentified or unauthorized individuals claiming to be IT support and attempting to gain access to computers, as possible indicators of an SRG attack.
“Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in-person to the victim company’s location to gain physical access to computers,” the FBI added.
SRG uses the stolen data to extort the victims by sending a ransom email that threatens to sell or publish it on their leak site, and may also call the victims’ employees or clients to pressure them into beginning ransom negotiations.
Also known as Luna Moth, Chatty Spider, and UNC3753, this cybercrime gang has been active since at least 2022 and has been targeting legal and financial organizations in the United States since early 2023.
As previously reported by BleepingComputer, the same group of threat actors was also linked to BazarCall campaigns that provided initial access to corporate networks in Conti and Ryuk ransomware attacks.
In March 2022, after the Conti shutdown, they separated from the cybercrime syndicate and formed the Silent Ransom Group (SRG), known for data theft and extortion operations following targeted phishing attacks.
This week’s flash alert follows a May 2025 FBI private industry notification warning that the same extortion gang had been targeting U.S. law firms in callback phishing and social engineering attacks for more than two years.
A May 2025 EclecticIQ report detailing the cybercrime group’s attacks on legal and financial institutions in the United States also revealed that the attackers register domains to “impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns.”
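For defenders, the helpdesk-themed lookalike domains described in the EclecticIQ report can be screened for in newly observed domains (mail sender domains, DNS or proxy logs). The following is an added example, not code from the FBI, EclecticIQ or the original article; the brand `examplelaw`, the keyword list, the distance threshold and the sample domains are all constructed assumptions.

```python
import re

# Assumed keyword list; the report only says "IT helpdesk or support portals".
HELPDESK_WORDS = ("servicedesk", "itsupport", "helpdesk", "support")

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, own_domains, max_dist=1):
    """Return 'helpdesk-lookalike', 'brand-lookalike' or None for one domain."""
    host = domain.lower().rstrip(".")
    if host in own_domains:
        return None  # the firm's own registered domains are never flagged
    # Drop the last label as the TLD (assumption: single-label TLDs only).
    name = ".".join(host.split(".")[:-1])
    has_keyword = any(w in name for w in HELPDESK_WORDS)
    # Remove helpdesk words (longest first) so "examplelawhelpdesk" still
    # yields a token that can be compared against the brand.
    for w in sorted(HELPDESK_WORDS, key=len, reverse=True):
        name = name.replace(w, "-")
    tokens = [t for t in re.split(r"[^a-z0-9]+", name) if t]
    if not tokens:
        return None
    best = min(edit_distance(t, brand) for t in tokens)
    if best > max_dist:
        return None
    return "helpdesk-lookalike" if has_keyword else "brand-lookalike"

def review(domains, brand, own_domains):
    """Return (domain, verdict) pairs for every domain that was flagged."""
    hits = [(d, classify(d, brand, own_domains)) for d in domains]
    return [(d, v) for d, v in hits if v]

# Constructed sample of newly observed domains for a fictional firm.
SAMPLE = ["examplelaw.com", "examplelaw-helpdesk.com", "examp1elaw-support.net",
          "helpdeskexamplelaw.org", "examplelow.com", "itsupport-portal.com"]

if __name__ == "__main__":
    for d, verdict in review(SAMPLE, "examplelaw", {"examplelaw.com"}):
        print(f"{verdict:20} {d}")
```

A threshold of one edit suits a brand label of this length; shorter brand names produce more false positives and are better matched exactly.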
