
FBI and Google warn of ransomware gangs posing as IT workers

Summary

– The Silent Ransom Group has conducted physical intrusions by sending fake IT workers to law firm offices to steal data via USB drives or remote access.
– The FBI and Google’s Mandiant reported that from January to May of this year, the gang targeted “dozens” of victims using in-person access to facilitate cyberattacks.
– The group uses social engineering and phishing attacks, often impersonating IT support, to trick victims into granting remote access to their computers.
– Instead of encrypting data, the gang threatens to publish stolen information on its leak site if victims do not pay, and follows through on the threat if ignored.
– This combination of traditional hacking with physical intrusions marks a significant escalation in ransomware tactics, as confirmed by an FBI spokesperson.

A ransomware gang has taken its attacks on law firms to an alarming new level, sometimes dispatching phony IT workers in person to victims’ offices. Once inside, these imposters use USB drives to directly steal data or assist other gang members in connecting remotely to the victims’ computers, according to warnings from Google and the FBI.

On Friday, Google’s cybersecurity units, Mandiant and the Google Threat Intelligence Group, released a report accusing the Silent Ransom Group of stealing information “using physical, in-person access” during attacks from January through May of this year. The group targeted “dozens” of victims in this period.

“Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks,” said Charles Carmakal, Mandiant’s chief technology officer, in a statement to TechCrunch. He noted that this tactic has surfaced in other cases over the years.

The FBI issued an alert last month warning that Silent Ransom Group had been targeting law firms with social engineering and phishing attacks, often posing as IT support staff. In some instances, though, the group sent fake IT personnel to victims’ offices. There, they connected to employees’ computers using USB drives or remote access tools to steal contracts, personal information such as Social Security numbers, and financial and tax records.

An FBI spokesperson confirmed to TechCrunch: “We can confirm we have seen multiple instances of individuals impersonating IT support who have gained or attempted to gain physical in-person access to victim companies’ offices and/or devices as part of Silent Ransom Group’s scheme to exfiltrate data.”

Rather than encrypting victims’ data like traditional ransomware, the gang uses a common extortion tactic: it runs its own leak site, threatening to publish stolen information and following through if the victim does not pay. This often happens after hackers email victims directly with demands.

“In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data,” the hackers wrote to one victim, according to Google.

Google’s report also details more conventional methods, including phishing emails, follow-up phone calls, and social engineering. The cybercriminals impersonate a company’s IT support to trick victims into granting computer access. “The callers use a variety of verbal instructions to guide target behavior. Under the guise of addressing a security issue or aiding with a corporate data migration project, they build trust and direct the target to join a screen-sharing session,” Google’s researchers wrote. They bypass security controls by convincing victims to download and open screen-sharing apps or by using features in tools like Zoom or Microsoft Teams.

While most data theft occurs remotely via malware or phishing, these cases show hackers willing to go further, blending traditional hacking with physical intrusions. This marks a significant and novel escalation in cybercriminal tactics.

(Source: TechCrunch)
