A ransomware gang has stepped up its attacks on law firms by sometimes sending fake IT workers to victims’ offices, where the crooks steal data directly from victims’ computers using USB drives or help other gang members log into the computers remotely, according to Google and the FBI.
On Friday, Google’s cybersecurity teams, Mandiant and the Google Threat Intelligence Group published a new report accusing the cybercrime gang known as the Silent Ransom Group of trying to steal victim information “using physical, personal access” in attacks between January and May this year that targeted “dozens” of victims.
“Mandiant has investigated several issues where adversaries planted residents, bribed employees, or physically invaded buildings to facilitate cyberattacks,” Mandiant CTO Charles Carmakal told TechCrunch, adding that the company has seen this tactic used in other cases over the years.
Last month, the FBI issued a warning that the Silent Ransom Group had targeted law firms with social engineering and phishing attacks pretending to be IT support workers. However, in some cases, the group sent fake IT support staff to victims’ offices, where they connected to employee computers and used USB drives or remote access tools to steal data such as contracts, personal information such as social security numbers, and financial and tax records.
An FBI spokesperson told TechCrunch: “We can confirm that we have seen multiple instances of individuals impersonating IT support who gained or attempted to gain physical personal access to the offices and/or devices of victim companies as part of the Silent Ransom Group’s data infiltration scheme.”
In a common extortion tactic—one that doesn’t involve encrypting victims’ data as in traditional ransomware attacks—the gang has its own leak site, where it threatens victims with publishing their stolen data and then publishes it if the victim doesn’t pay.
This often happens after hackers send emails directly to victims to threaten them.
“In case of ignorance or non-agreement, we will notify your employees, partners and customers and then publish your data,” the hackers wrote to one victim, according to Google.
According to Google’s report, hackers are also using more traditional methods, such as phishing emails, follow-up phone calls and social engineering. Cybercriminals pretend to be the company’s IT support to trick victims into granting access to their computers.
“Callers use a variety of verbal instructions to guide the target’s behavior. Under the guise of addressing a security issue or helping with a corporate data migration project, they build trust and direct the target to participate in a screen sharing session,” the Google researchers wrote. Hackers then bypass security checks by convincing victims to download and open screen sharing apps or by using screen sharing features in apps like Zoom or Microsoft Teams.
While hackers most often steal data remotely through malware or phishing attacks, these cases show that some hackers are now willing to take their crimes a step further, mixing traditional hacking techniques with physical intrusions in what is a new and significant escalation.
