The security industry has been arguing about the death of the perimeter for the better part of a decade. Zero trust, identity as the new perimeter, cloud-first architectures: the conversation has stayed technical and digital, centered on threats arriving through network connections. The Silent Ransom Group challenged that assumption by sending a person with a USB drive.


If you lead incident response, the key point is simple: this is an active data theft model that can look benign in endpoint telemetry until extortion pressure begins. In this analysis, I break down SRG’s current playbook, the artifact-level evidence that still exists, and the first containment and scoping decisions that matter most.

On May 26, 2026, the FBI issued FLASH-20260526-01, the second formal warning about SRG in twelve months and the first at FLASH severity, a classification reserved for active and ongoing threats requiring immediate attention. The new element is physical access. As of Spring 2026, when remote social engineering fails, SRG sends an operative into the target’s offices, posing as IT support, to connect a storage device to a workstation and leave with the data. No malware. No ransomware. No encryption. No EDR alert. Just a USB drive and a convincing story about “imaging the device to address potential phishing impacts.”

By the time most organizations realize something happened, they receive a ransom email threatening publication on SRG’s clearnet leak site, business-data-leaks[.]com, unless they pay between one and eight million dollars. More than 38 U.S. law firms have already had data published there after declining to pay. Researchers estimate the real attack count is above 100, and SRG reportedly told investigators that most victims pay. Published leaks may therefore represent only the visible minority.

From Conti to callback phishing to the front desk

SRG did not appear from nowhere. The group emerged in March 2022 from the collapse of the Conti ransomware syndicate, inheriting its experienced operators while abandoning encryption entirely. The founding operational model was callback phishing, technically called telephone-oriented attack delivery (TOAD): phishing emails claiming a subscription service was about to charge a small fee, with a phone number to call and cancel. On the other end was an SRG operative who guided the victim into installing a legitimate remote monitoring and management tool. No malicious payload, no macro, no exploit, just a persuaded human downloading software they thought was support.

That model worked well enough that the group ran it consistently through 2023 and 2024, building a track record specifically against U.S. law firms. By early 2025, they shifted from the subscription-lure emails to direct phone calls, now impersonating the target organization’s own IT department. The pretext became more urgent and more tailored: employees received unsolicited calls from someone claiming to be internal IT, directing them to open a remote desktop session for urgent maintenance. The tool roster remained the same: Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, Atera, all legitimate RMM platforms, none of which trigger an antivirus alert on their own.

In March 2025 alone, Luna Moth registered at least 37 domains through GoDaddy with domaincontrol.com nameservers, each spoofing a targeted organization’s IT helpdesk portal. The naming pattern was consistent: domains typically begin with the name of the targeted business followed by helpdesk or support terminology, giving them enough visual legitimacy to survive a quick glance.

The Spring 2026 escalation to physical presence is the next step in a deliberate progression. Each time an attack model attracts too much organizational awareness, SRG adds a layer. The subscription lure was replaced by direct vishing because employees started recognizing the emails. The vishing is now supplemented by in-person visits because some employees refuse to grant remote access to unscheduled callers. The pattern is still evolving.

A quick timeline helps frame the pattern. In 2022, SRG emerged from the post-Conti ecosystem and scaled callback phishing against U.S. organizations. Through 2023 and 2024, the group industrialized this model around legitimate RMM tooling and rapid exfiltration. In 2025, operators shifted toward direct vishing with IT impersonation and lookalike helpdesk domains. In Spring 2026, the FBI documented a physical fallback model: when remote social engineering fails, an operative shows up in person and uses removable media to copy data.

The attack chain in three phases

Understanding what SRG actually does in an intrusion matters for the DFIR practitioner because the evidence trail is shaped by a model designed specifically to avoid leaving one.

The initial contact phase begins with either a phishing email or a direct phone call. The email variant uses billing and subscription lures directing the recipient to call a number. The call variant skips straight to social engineering: an SRG operative phones an employee, identifies as IT support, and claims there is a security incident requiring immediate action. The pretext consistently involves urgency and a plausible technical framing: the firm may have been affected by a phishing campaign and the operative needs to “image the device or create a backup file.” Both variants lead to the same next step: the victim is directed to a URL or sent a link to download an RMM tool.

Once the RMM session is established, the operative assesses what is available. SRG is not focused on lateral movement, persistence, or long-term access of the kind that Lazarus uses RemotePE for. The objective is speed: find high-value data, compress it if needed, and exfiltrate it before the session ends. The usual tools are WinSCP (SFTP over port 22) and a hidden or renamed version of Rclone, a legitimate cloud synchronization tool that can push data to multiple cloud providers via authenticated APIs. The FBI FLASH also notes exfiltration to Microsoft OneDrive and Google Drive, sometimes using the victim’s own cloud credentials, which can make traffic appear legitimate in network logs.

When the remote access attempt fails, for instance when an employee grows suspicious, hangs up, or simply does not answer, the operative is dispatched in person. The cover story is the same: IT support, here to image the device. The physical operative connects an external USB drive or hard drive, copies data directly to removable media, and leaves. The FBI notes in its FLASH alert that gig workers may be recruited for this role, possibly unaware they are participating in a criminal operation.

Post-exfiltration, SRG escalates pressure by calling employees and clients of the victim organization directly, increasing reputational stakes before a ransom demand is even formally delivered.

Why law firms are the target and why it works

The selection of law firms as the primary target is not arbitrary. As Cynthia Kaiser of Halcyon explained, SRG has recognized something structurally specific about the legal sector: “They’re tailoring a lot of their operations around what they know about the sector.” Law firms hold attorney-client privileged communications, active litigation strategy, M&A documentation, and financial records for clients who are often themselves high-profile. The threat of that material becoming public, or reaching an adversary in active litigation, creates extortion leverage that cannot be fully neutralized by paying and cannot be easily quantified. A firm defending a corporate client in an ongoing merger case faces a fundamentally different calculus than a retail organization facing a data breach.

The extortion-without-encryption model amplifies this leverage. Conventional ransomware creates a technical hostage situation: pay and get the decryption key, refuse and your systems stay locked. SRG creates a reputational and legal hostage situation: pay and the data stays offline, refuse and the data is published. There is no technical fix, no recovery key, and no way to reverse the situation through IT expertise alone. The outcome depends on business, legal, and strategic decisions as much as technical response.

Industry reporting in late May 2026, including coverage citing Halcyon telemetry, indicates a sharp rise in extortion activity against law firms in Q1 and a broader increase in pressure operations against the legal sector. Totals vary by source and methodology, but the trend is consistent: legal organizations are targeted at scale because they combine high-value data with high-pressure disclosure risk. In parallel, INC Ransom, operating separately from SRG, claimed twenty law firms in 2026, with ten in a single 48-hour window. That clustering points to a possible upstream compromise in a shared legal technology provider, a scenario the legal sector has been slow to treat as systemic risk.

The most recent confirmed SRG victims include Orrick, Herrington & Sutcliffe (data posted publicly in January 2026 after the firm declined to pay), Jones Day, Wood Smith Henning & Berman (data leaked after countering SRG’s $1.8 million demand with an offer of $15,000), and Ropers Majeski (claim posted May 6, 2026). All of them are large, well-resourced firms with dedicated IT staff. The operative walked through the door anyway.

Forensics when there is nothing to hash

This is the part of the SRG story that is not getting enough attention in the coverage of the FLASH alert. The standard incident response playbook assumes there is something to analyze. A binary with a hash, a C2 domain to block, a process tree to trace, a registry key modified at a known timestamp. SRG’s model removes almost all of that. The FBI FLASH states it plainly: recent SRG campaigns left few artifacts on compromised machines, and traditional antivirus products are unlikely to flag the intrusion because SRG uses legitimate system management tools throughout.

Artifacts still exist, but the investigation requires a different set of questions.

For the remote access variant, the RMM tool itself is the artifact. Windows Prefetch records ANYDESK.EXE, RUSTDESK.EXE or whichever binary ran, with last-run timestamps and an execution count (Prefetch is disabled by default on server SKUs). Amcache records the full path and a SHA-1 of every executable that was launched, including portable builds that were never installed; note that the SHA-1 covers only the first 30 MB of the file, so for a 60 MB Rclone build compare against a hash of that prefix rather than the release hash. Shimcache entries confirm that a binary was present but, on Windows 10 and later, do not prove execution. The browser download history shows where the installer came from, which is the URL the operative read out to the victim. Security Event ID 4688 shows the process start, but only carries the command line when “Include command line in process creation events” is enabled in policy (or Sysmon Event ID 1 is deployed). Do not expect 4624/4625 logon events for the session itself: AnyDesk, Splashtop, RustDesk and Zoho Assist ride the user’s existing interactive session rather than authenticating as a Windows account, so the session record lives in the tool’s own logs, for example AnyDesk’s connection_trace.txt and ad_svc.trace under %ProgramData%\AnyDesk and ad.trace under %APPDATA%\AnyDesk, which record the remote AnyDesk ID and the session start and end. Logon events do appear when the operative used RDP (logon type 10).

For WinSCP, do not count on a session log: logging is off by default, and when an operator turns it on the default target is %TEMP%\!S.log (with the session name substituted). What WinSCP does keep is configuration. The installed build stores it under HKCU\Software\Martin Prikryl\WinSCP 2, where Sessions holds saved host names and user names and Configuration holds path history and the last directories used; the portable build keeps the same data in a WinSCP.ini beside the executable, which is the form an operative running from a Downloads folder leaves behind. JumpList entries for WinSCP persist independently of the application. Even if the operative deleted a log or the INI, the $MFT entry survives until it is reused and $UsnJrnl records the file’s creation and deletion. The SFTP traffic itself goes out over port 22, which is visible in perimeter firewall and proxy logs only if outbound 22 from workstations is logged at all; where the log shows just the destination, endpoint telemetry (Sysmon Event ID 3, or the firewall’s process attribution) ties it to the process.

For Rclone, the challenge is that SRG renames the binary specifically to defeat name matching. Rclone is a statically linked Go binary, so a file of the right size that carries strings such as github.com/rclone/rclone still identifies itself, and the Amcache SHA-1 of a renamed copy still matches the same prefix hash of the genuine release regardless of the file name. At runtime, a process called svchost32.exe making authenticated HTTPS calls to www.googleapis.com, graph.microsoft.com or an S3 endpoint is anomalous and detectable if you watch process-to-network mappings. Rclone writes no log file unless it is invoked with --log-file, so the command line is the richer artifact: an invocation such as copy C:\Clients remote:share --transfers 32 --config C:\Users\Public\r.conf is unmistakable in 4688 or Sysmon command-line fields. The configuration file (default %APPDATA%\rclone\rclone.conf, but any path the operative chose with --config or the RCLONE_CONFIG variable) contains the remote definition with its OAuth token or access key; that token, found on a workstation where Rclone was never authorized, is both an IOC and a lead, since the provider can be asked to preserve the destination account.

For the physical USB variant, the Windows artifact set is specific and well documented, with one prerequisite: Event ID 6416 in the Security log, which records every new external device with its instance ID (vendor, product, serial number), is only written when the “Audit PNP Activity” subcategory is enabled, and it is not enabled by default. The USBSTOR registry key at HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR records every USB storage device ever connected; on Windows 8 and later, each device’s Properties subkey {83da6326-97a6-4088-9453-a1923f573b29} carries first-install (0064), last-connected (0066) and last-removal (0067) timestamps. A serial number whose second character is an ampersand was generated by Windows because the device reported none, and cannot be matched across hosts. C:\Windows\INF\setupapi.dev.log records the first installation of each device, in local time. MountedDevices and the user’s MountPoints2 key tie the volume to a drive letter and to the logged-on user, and Shellbags and LNK files record the directories the operative browsed on the drive through Explorer. A bulk copy also shows in the MFT timeline as many files whose last-access timestamps update within a short window, but only on volumes where last-access updating is on (Windows 10 1803 and later manage the setting automatically and typically enable it only on small system volumes; check with fsutil behavior query disablelastaccess before relying on it), and Event ID 4663 records the reads only where a SACL audits the folder. Nothing on the host records what was written to the drive; that evidence is on the drive itself.
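The two artifacts above that carry a device serial can be parsed and cross-referenced without any forensic suite. The script below is an added example, not part of the FBI FLASH or the original article: it extracts the instance ID, vendor, product and serial from hardware-initiated install sections in setupapi.dev.log and from Security 6416 events, flags Windows-generated serials that cannot be matched across machines, and reports any device-unique serial seen on more than one host. The log excerpt and the two event records are constructed sample data; the host names are invented.

```python
"""Extract USB mass-storage artifacts from setupapi.dev.log and Security event 6416,
and find device serials seen on more than one host. Added example; all sample data
below is constructed and does not come from a real system."""
import re
from datetime import datetime
from xml.etree import ElementTree as ET

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<iid>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_instance_id(iid):
    r"""Split 'USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\SERIAL&0' into vendor, product and serial."""
    parts = iid.split("\\")
    if len(parts) != 3 or parts[0].upper() != "USBSTOR":
        return None                              # hubs, HID, composite parents: not storage
    fields = dict(f.split("_", 1) for f in parts[1].split("&") if "_" in f)
    serial = parts[2].rsplit("&", 1)[0]          # drop the '&0' instance suffix
    return {"instance_id": iid, "vendor": fields.get("Ven", ""), "product": fields.get("Prod", ""),
            "serial": serial,
            # Windows synthesises a serial with '&' as its second character when the device
            # reports none; such values are per-host and cannot be matched across machines.
            "serial_is_unique": len(serial) > 1 and serial[1] != "&"}

def parse_setupapi(text, host):
    """setupapi.dev.log records only the FIRST install of a device, in local time with no
    zone marker; timestamps are kept naive and must be converted with the host's zone."""
    records, pending = [], None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = parse_instance_id(m.group("iid"))
            continue
        m = START_RE.match(line)
        if m and pending:
            pending.update(host=host, source="setupapi",
                           first_install_local=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"))
            records.append(pending)
            pending = None
    return records

def parse_systemtime(ts):
    """Windows writes 7 fractional digits; trim to the 6 that datetime.fromisoformat accepts."""
    ts = re.sub(r"\.(\d{1,6})\d*Z$", r".\1+00:00", ts)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_6416(xml_text):
    """Security 6416 (needs 'Audit PNP Activity'); keep only the DiskDrive object of USB storage."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6416" or data.get("ClassName") != "DiskDrive":
        return None
    rec = parse_instance_id(data.get("DeviceId", ""))
    if rec is None:
        return None
    rec.update(host=root.findtext("e:System/e:Computer", namespaces=NS), source="6416",
               user=data.get("SubjectUserName", ""),
               connected_utc=parse_systemtime(root.find("e:System/e:TimeCreated", NS).get("SystemTime")))
    return rec

def cross_host_serials(records):
    """Device-unique serials that were connected to more than one host."""
    seen = {}
    for r in records:
        if r["serial_is_unique"]:
            seen.setdefault(r["serial"], set()).add(r["host"])
    return {s: hosts for s, hosts in seen.items() if len(hosts) > 1}

# --- constructed sample data (invented hosts, invented serial) -----------------------
SETUPAPI_SAMPLE = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001230817100123]
>>>  Section start 2026/05/20 14:02:10.977
<<<  Section end 2026/05/20 14:02:11.499
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230817100123&0]
>>>  Section start 2026/05/20 14:02:11.531
<<<  Section end 2026/05/20 14:02:12.104
"""

def sample_6416(host, when):
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6416</EventID><TimeCreated SystemTime="{when}"/><Computer>{host}</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="DeviceId">USBSTOR\\Disk&amp;Ven_SanDisk&amp;Prod_Cruzer_Blade&amp;Rev_1.00\\4C530001230817100123&amp;0</Data>
    <Data Name="ClassName">DiskDrive</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [sample_6416("WS-LIT-07", "2026-05-20T18:02:11.6001234Z"),
                 sample_6416("WS-LIT-12", "2026-05-21T09:47:30.0154321Z")]

def triage(setupapi_text, setupapi_host, event_xmls):
    records = parse_setupapi(setupapi_text, setupapi_host)
    records += [r for r in map(parse_6416, event_xmls) if r]
    return records, cross_host_serials(records)

if __name__ == "__main__":
    recs, shared = triage(SETUPAPI_SAMPLE, "WS-LIT-07", SAMPLE_EVENTS)
    for r in recs:
        print(r["host"], r["source"], r["vendor"], r["product"], r["serial"],
              r.get("first_install_local") or r.get("connected_utc"))
    print("serials seen on more than one host:", shared)
```

The setupapi timestamp is deliberately left naive: the sample host is assumed to run in UTC-4, which is why its 14:02 local first-install and the 18:02Z 6416 event describe the same insertion. Convert every local-time source with the host’s zone before merging it into a UTC timeline, or the order of events will be wrong by exactly the offset.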

For RDP specifically, be careful about which side holds which artifact. The bitmap cache in %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\ is written by the RDP client, so on a victim workstation it exists only if the operative used that machine to RDP onward to another host; the cache of what they saw during an inbound session is on their own system. On the host that received an inbound RDP connection, Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Event IDs 21, 24 and 25 record session logon, disconnect and reconnect with the source address, RemoteConnectionManager Event ID 1149 records the successful authentication, and Security 4624 with logon type 10 records the account. The RMM tools in SRG’s roster are not RDP, so these artifacts apply only where RDP was actually used.

On a well-instrumented system, an SRG investigation is tractable. The challenge is that many of the artifacts above depend on endpoint logging that is not enabled by default, perimeter logs that are not retained long enough, or physical access controls that were never implemented. In many cases, investigations fail not because evidence never existed, but because organizations were not set up to capture and preserve it.

What to do in the first 4 hours

If SRG activity is suspected, the first objective is to preserve evidence while limiting additional data loss. Isolate affected endpoints from the network without powering them off, then collect volatile and triage artifacts before broad containment changes overwrite useful telemetry. Pull endpoint process and connection logs, Security event logs, Prefetch, JumpLists, browser history, and USB artifacts from priority systems. In parallel, preserve VPN, proxy, firewall, cloud audit, badge, and CCTV data for the same time window under legal hold.

The second objective is correlation and scoping. Build a minute-by-minute timeline covering calls to employees, remote session start times, suspicious process execution, unusual SFTP or cloud API traffic, and physical visitor entry records. Check whether cloud storage accounts show anomalous uploads and whether removable storage serial numbers appear across multiple hosts. Escalate early to legal counsel, privacy, and executive leadership, because extortion pressure can start before technical scoping is complete.

The third objective is decision readiness. Prepare two parallel tracks: one for technical containment and one for extortion response governance. Even when no malware is present, treat the incident as an active data theft event with possible client-notification, regulatory, and privilege implications.
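The correlation step above is mechanical once every source is in UTC, and it is worth scripting before an incident rather than during one. The following is an added example, not tooling from the article or the FBI: it normalises a phone-system export and a visitor log (both constructed, in local time) and Sysmon process-creation and network events (constructed, in UTC) into one ordered timeline, then looks for the chain the FLASH describes, an inbound call to a user’s extension followed within an hour by an RMM launch under that user, followed within four hours by an outbound SSH connection or a cloud-storage API call from a process that is not a known sync client. The CSV layouts, the extension-to-user mapping and the window sizes are assumptions to adapt to your own systems.

```python
"""Cross-source timeline for a suspected SRG intrusion plus call -> RMM -> exfil chain
detection. Added example; every record below is constructed, not from a real case."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RMM_IMAGES = {"anydesk.exe", "rustdesk.exe", "quickassist.exe", "za_connect.exe",
              "srserver.exe", "ateraagent.exe", "syncro.service.runner.exe"}
CLOUD_HOSTS = ("googleapis.com", "graph.microsoft.com", "onedrive.live.com",
               "amazonaws.com", "dropbox.com", "mega.nz")
KNOWN_SYNC = {"onedrive.exe", "googledrivefs.exe", "outlook.exe", "ms-teams.exe",
              "chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass(order=True)
class Event:
    when: datetime                      # always tz-aware UTC so sources sort together correctly
    source: str
    summary: str
    attrs: dict = field(default_factory=dict, compare=False)

def _local(ts, utc_offset_hours):
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)

def parse_phone_csv(text, utc_offset_hours):
    """Assumed phone-system export: local time, caller, extension, direction, duration."""
    events = []
    for line in text.strip().splitlines():
        ts, caller, ext, direction, duration = (c.strip() for c in line.split(","))
        events.append(Event(_local(ts, utc_offset_hours), "phone",
                            f"{direction} {caller} -> ext {ext} ({duration})", {"ext": ext}))
    return events

def parse_badge_csv(text, utc_offset_hours):
    """Assumed visitor/badge export: local time, badge type, name, door."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, name, door = (c.strip() for c in line.split(","))
        events.append(Event(_local(ts, utc_offset_hours), "badge", f"{kind} {name} at {door}",
                            {"kind": "visitor" if kind == "VISITOR" else "badge"}))
    return events

def parse_sysmon(records):
    """Sysmon EID 1 (process create) and EID 3 (network) as dicts; UtcTime is naive UTC."""
    events = []
    for r in records:
        when = datetime.strptime(r["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        image = r["Image"].rsplit("\\", 1)[-1].lower()
        if r["EventID"] == 1:
            kind = "rmm_launch" if image in RMM_IMAGES else "process"
            events.append(Event(when, "sysmon1", f"{image} started by {r['User']}",
                                {"kind": kind, "image": image, "user": r["User"]}))
        elif r["EventID"] == 3:
            # SSH/SFTP out of a workstation, or a cloud storage API hit from a non-sync process
            suspicious = (r["DestinationPort"] == 22 or r["DestinationHostname"].endswith(CLOUD_HOSTS)) \
                and image not in KNOWN_SYNC
            events.append(Event(when, "sysmon3", f"{image} -> {r['DestinationHostname']}:{r['DestinationPort']}",
                                {"kind": "exfil_candidate" if suspicious else "network",
                                 "image": image, "user": r["User"]}))
    return events

def build_timeline(*sources):
    return sorted(ev for src in sources for ev in src)

def find_chains(timeline, user_to_ext, call_window=timedelta(minutes=60), exfil_window=timedelta(hours=4)):
    """Inbound call to the user's extension -> RMM launch by that user -> exfil candidate afterwards."""
    chains = []
    for launch in (e for e in timeline if e.attrs.get("kind") == "rmm_launch"):
        ext = user_to_ext.get(launch.attrs["user"])
        calls = [c for c in timeline if c.source == "phone" and c.attrs["ext"] == ext
                 and timedelta(0) <= launch.when - c.when <= call_window]
        exfil = [x for x in timeline if x.attrs.get("kind") == "exfil_candidate"
                 and timedelta(0) <= x.when - launch.when <= exfil_window]
        if calls and exfil:
            chains.append({"call": calls[-1], "launch": launch, "exfil": exfil})
    return chains

# Constructed sample data. Phone and badge systems export local time (assumed UTC-4); Sysmon is UTC.
PHONE_LOG = """
2026-05-20 13:41:07, +1-555-0142, 4471, inbound, 00:06:12
2026-05-20 15:10:55, +1-555-0199, 4402, inbound, 00:01:03
"""
BADGE_LOG = "2026-05-21 09:12:40, VISITOR, IT Support (unescorted), Lobby\n"
SYSMON = [
    {"EventID": 1, "UtcTime": "2026-05-20 17:49:33.120", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "User": "CORP\\jdoe"},
    {"EventID": 3, "UtcTime": "2026-05-20 18:00:10.004", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "User": "CORP\\jdoe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2026-05-20 18:31:02.771", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost32.exe",
     "User": "CORP\\jdoe", "DestinationHostname": "www.googleapis.com", "DestinationPort": 443},
]
USER_TO_EXT = {"CORP\\jdoe": "4471"}   # assumed directory lookup: account -> desk extension

def investigate():
    tl = build_timeline(parse_phone_csv(PHONE_LOG, -4), parse_badge_csv(BADGE_LOG, -4), parse_sysmon(SYSMON))
    return tl, find_chains(tl, USER_TO_EXT)

if __name__ == "__main__":
    timeline, chains = investigate()
    for e in timeline:
        print(e.when.strftime("%Y-%m-%d %H:%M:%SZ"), f"[{e.source}]", e.summary)
    for c in chains:
        print("CHAIN:", c["call"].summary, "->", c["launch"].summary, "->", [x.summary for x in c["exfil"]])
```

The chrome.exe call to graph.microsoft.com is kept on the timeline but not treated as an exfiltration candidate, which is the same allowlist judgement the network Sigma rule later in this piece makes; the renamed svchost32.exe talking to the Google Drive API is what completes the chain. The visitor entry the next morning sorts last once its local time is converted, which is the kind of detail that goes wrong when a badge export is pasted into a UTC spreadsheet unconverted.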

IOCs, detection rules, and the FBI’s MITRE ATT&CK mapping

The FBI FLASH-20260526-01 provides the following indicators of compromise, reproduced here from the official document (TLP:CLEAR):

Tools and software: unauthorized downloads of Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera; WinSCP or Rclone connections to external IP addresses; unauthorized installation of external drives or USB devices on company computers.

Network indicators: exfiltration to Microsoft OneDrive, Google Drive, or external servers; SFTP connections over port 22 from workstations where no authorized use exists; outbound connections to cloud sync API endpoints from processes with unexpected names.

Infrastructure: business-data-leaks[.]com (SRG public leak site); helpdesk-spoofing domains registered on GoDaddy with domaincontrol.com nameservers, following the naming pattern [target-company-name]-helpdesk.* or [target-company-name]-support.*.

Human indicators: unidentified individuals on premises claiming to be IT support; employees receiving unsolicited calls from someone claiming to be internal IT; phishing emails referencing subscription charges with a phone number to call.

The FBI’s MITRE ATT&CK mapping for SRG covers T1566 (Phishing), T1598.004 (Spearphishing Voice, under Phishing for Information), T1219 (Remote Access Software), T1078 (Valid Accounts), T1560 (Archive Collected Data), T1530 (Data from Cloud Storage), T1567 (Exfiltration Over Web Service), T1052.001 (Exfiltration over USB, the new physical vector), and T1657 (Financial Theft). Two points for anyone building coverage maps from this list: ATT&CK files T1219 under Command and Control rather than Execution, and T1598.004 belongs to the Reconnaissance tactic, so the call that actually delivers the RMM download is better tracked as T1566.004 (Spearphishing Voice) under Initial Access, with T1567.002 (Exfiltration to Cloud Storage) as the specific sub-technique for the OneDrive and Google Drive uploads.

The following Sigma rules cover the highest-value detection opportunities.

title: SRG - unauthorized RMM tool execution
id: f3a29c17-8b4e-4d91-a103-e85c2f7d9b14
status: experimental
description: >
  Detects execution of remote monitoring and management tools commonly used
  by Silent Ransom Group (Luna Moth/UNC3753) for initial access. These tools
  are legitimate products; deploy only in environments where they are not
  part of the authorized software estate. The image names are the main
  executables as shipped by each vendor; OriginalFileName (Sysmon) survives
  a renamed installer, so it is matched as well where known.
references:
  - https://www.ic3.gov/CSA/2026/260526.pdf
author: Based on FBI FLASH-20260526-01
date: 2026-05-28
tags:
  - attack.command-and-control
  - attack.t1219
  - attack.initial-access
  - attack.t1566
logsource:
  product: windows
  category: process_creation
detection:
  selection_image:
    Image|endswith:
      - '\AnyDesk.exe'
      - '\RustDesk.exe'
      - '\QuickAssist.exe'
      - '\ZA_Connect.exe'           # Zoho Assist
      - '\ZMAgent.exe'              # Zoho Assist unattended agent
      - '\SRServer.exe'             # Splashtop Streamer
      - '\Splashtop_Streamer.exe'
      - '\AteraAgent.exe'
      - '\Syncro.Service.Runner.exe'
      - '\Syncro.Overmind.Service.exe'
  selection_originalname:
    OriginalFileName: 'AnyDesk.exe'
  filter_authorized:
    # Processes started by your sanctioned deployment path, e.g. the SCCM
    # client; replace with the parent(s) your estate actually uses. Do not
    # exclude msiexec.exe wholesale: an attacker-supplied MSI spawns it too.
    ParentImage|endswith: '\CcmExec.exe'
  condition: 1 of selection_* and not filter_authorized
falsepositives:
  - Authorized IT support sessions (correlate with ticketing system)
  - Software deployment pipelines that use these tools legitimately
level: high

---

title: SRG - Rclone or WinSCP data exfiltration to external destination
id: a7d83e52-1c4f-4b67-b921-d39c7e2a5f08
status: experimental
description: >
  Detects WinSCP or Rclone making outbound SFTP or cloud API connections,
  any workstation process opening SSH/SFTP outbound, and, because SRG
  renames Rclone, any non-allowlisted process talking to cloud storage API
  endpoints. Consistent with the exfiltration behaviour documented in FBI
  FLASH-20260526-01. Sysmon Event ID 3 carries no OriginalFileName, so a
  renamed binary is only caught by the port and destination branches;
  expect noise from Office and collaboration clients and extend the
  filters to your estate.
references:
  - https://www.ic3.gov/CSA/2026/260526.pdf
author: Based on FBI FLASH-20260526-01
date: 2026-05-28
tags:
  - attack.exfiltration
  - attack.t1567.002
  - attack.t1048.002
logsource:
  product: windows
  category: network_connection
detection:
  selection_named:
    Image|endswith:
      - '\WinSCP.exe'
      - '\rclone.exe'
    Initiated: 'true'
    DestinationPort:
      - 22
      - 443
  selection_sftp_any:
    # Outbound SSH/SFTP from a workstation regardless of process name
    Initiated: 'true'
    DestinationPort: 22
  selection_cloud_endpoints:
    # Renamed Rclone; detect by destination regardless of process name
    Initiated: 'true'
    DestinationHostname|endswith:
      - 'googleapis.com'          # Google Drive API (www./drive.googleapis.com)
      - 'graph.microsoft.com'
      - 'onedrive.live.com'
      - 'amazonaws.com'
      - 'dropbox.com'
      - 'dropboxapi.com'
      - 'mega.nz'
  filter_known_processes:
    Image|endswith:
      - '\OneDrive.exe'
      - '\GoogleDriveFS.exe'
      - '\Dropbox.exe'
      - '\OUTLOOK.EXE'
      - '\ms-teams.exe'
      - '\Teams.exe'
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\brave.exe'
  filter_authorized_sftp:
    # Placeholder: your backup agent or managed file-transfer client
    Image|endswith: '\YourBackupAgent.exe'
  condition: (selection_named or selection_sftp_any or selection_cloud_endpoints) and not 1 of filter_*
falsepositives:
  - Authorized backup solutions using SFTP
  - Legitimate cloud sync tools not covered by the filter
  - Developers and administrators using SSH/SFTP from workstations
level: high

---

title: SRG - USB storage device connected to sensitive workstation
id: c9b14f73-5d2e-4a8c-b832-f47d1e6c9a25
status: experimental
description: >
  Detects connection of a USB mass-storage device, consistent with the
  in-person physical intrusion tactic documented by the FBI for SRG
  (FLASH-20260526-01). Intended for workstations holding privileged or
  sensitive data where USB storage should not be connected. Requires the
  'Audit PNP Activity' subcategory (Security event 6416), which is not
  enabled by default. Serial numbers whose second character is '&' were
  generated by Windows and are not device-unique, so allowlist by full
  instance ID rather than serial alone.
references:
  - https://www.ic3.gov/CSA/2026/260526.pdf
author: Based on FBI FLASH-20260526-01
date: 2026-05-28
tags:
  - attack.exfiltration
  - attack.t1052.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 6416
    ClassName: 'DiskDrive'
    DeviceId|startswith: 'USBSTOR\'
  filter_known_devices:
    # Allowlist of approved device instance IDs (vendor/product/serial).
    # The value below is a placeholder; populate from your asset register.
    DeviceId|contains: '\Disk&Ven_EXAMPLE&Prod_APPROVED_DEVICE&'
  condition: selection and not filter_known_devices
falsepositives:
  - Authorized USB storage (maintain an allowlist of approved device instance IDs)
  - IT equipment deployments
level: medium

---

title: SRG - mass file access consistent with bulk copy operation
id: d2e95b14-7c3a-4f82-a01b-8d59f3e4c726
status: experimental
description: >
  Detects a high number of distinct files read by one logon session within
  five minutes, consistent with bulk data staging or a copy to removable
  media. Requires 'Audit File System' plus a SACL on the monitored folders;
  without the SACL no 4663 is written. Supplementary rule; correlate with
  the network and USB detections. The aggregation below is Sigma v1
  syntax; on a Sigma v2 pipeline express it as a value_count correlation
  rule grouped by SubjectLogonId over a 5m timespan.
references:
  - https://www.ic3.gov/CSA/2026/260526.pdf
author: Based on FBI FLASH-20260526-01
date: 2026-05-28
tags:
  - attack.collection
  - attack.t1560
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4663
    ObjectType: 'File'
    AccessMask:
      - '0x1'        # FILE_READ_DATA alone
      - '0x120089'   # ReadData|ReadEA|ReadAttributes|ReadControl|Synchronize, the usual mask for a file opened for reading
  filter_scanners:
    ProcessName|endswith:
      - '\MsMpEng.exe'
      - '\SearchIndexer.exe'
  condition: selection and not filter_scanners | count(ObjectName) by SubjectLogonId > 500
  timeframe: 5m
falsepositives:
  - Authorized backup operations
  - Antivirus full-system scans
  - Indexing services
level: medium

For YARA-based hunting of Rclone binaries that have been renamed to evade detection:

rule SRG_Rclone_Renamed {
    meta:
        description = "Detects Rclone binaries renamed to evade detection, as used by Silent Ransom Group"
        author      = "Based on FBI FLASH-20260526-01"
        reference   = "https://www.ic3.gov/CSA/2026/260526.pdf"
        tlp         = "CLEAR"

    strings:
        // Go module path embedded in every rclone build
        $mod_path    = "github.com/rclone/rclone" ascii

        // Backend package paths; Go keeps full package paths in the binary
        $be_drive    = "rclone/rclone/backend/drive" ascii
        $be_s3       = "rclone/rclone/backend/s3" ascii
        $be_onedrive = "rclone/rclone/backend/onedrive" ascii

        // Rclone-specific runtime strings (config env var, config file name, User-Agent prefix)
        $cfg_env     = "RCLONE_CONFIG" ascii
        $cfg_file    = "rclone.conf" ascii nocase
        $user_agent  = "rclone/v" ascii

    condition:
        uint16(0) == 0x5A4D              // PE header; drop this line to also match ELF/Mach-O builds
        and filesize < 120MB
        and (
            $mod_path
            or 2 of ($be_*)
            or ($cfg_env and $cfg_file and $user_agent)
        )
        // Match on content regardless of file name. Exclude known-good
        // rclone.exe paths in the scanning script or via an external
        // variable (yara -d filename=...), not here: an undefined
        // 'filename' identifier makes the rule fail to compile.
}

Together, the Sigma rules above and the YARA rule for renamed Rclone provide coverage for both remote and physical variants of this attack chain. The FBI’s caveat remains critical: these tools are not malicious by default and should be attributed to SRG only with supporting analytical evidence. WinSCP and Rclone are used legitimately by many organizations. Treat these rules as hunting logic, not automated kill signals. Any hit requires analyst review, correlation with human indicators (unexpected IT calls, unscheduled visitors), and timeline context.
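The mass-file-access rule is the one that most often has to be run outside a SIEM, against 4663 events exported from a single workstation after the fact. The script below is an added example, not part of the FBI FLASH or the original article: it implements that rule’s logic, a sliding five-minute window of distinct ObjectName values per SubjectLogonId with the scanner-process exclusion, over constructed events. It also shows why the access-mask check has to be a bit test rather than a string compare, and why a thousand reads of one file must not trip it. The logon IDs, paths and volumes are invented.

```python
"""Sliding-window 'mass file read' detection over Security 4663 events, the logic behind
the Sigma aggregation above, runnable on exported events without a SIEM.
Added example; the events below are constructed, not from a real host."""
from collections import deque
from datetime import datetime, timedelta, timezone

FILE_READ_DATA = 0x1
# Processes that legitimately touch thousands of files; extend with your backup agent.
SCANNER_PROCESSES = {"msmpeng.exe", "searchindexer.exe"}

def is_read_event(e):
    """4663 on a File object whose access mask includes ReadData (0x1, 0x120089, ...)."""
    return (e["EventID"] == 4663 and e["ObjectType"] == "File"
            and int(e["AccessMask"], 16) & FILE_READ_DATA != 0)

def mass_read_alerts(events, threshold=500, window=timedelta(minutes=5)):
    """Distinct ObjectName per SubjectLogonId in a sliding window; alert when the count
    exceeds `threshold`, i.e. `count(ObjectName) by SubjectLogonId > 500` within 5m."""
    by_logon = {}
    for e in events:
        if not is_read_event(e):
            continue
        if e["ProcessName"].rsplit("\\", 1)[-1].lower() in SCANNER_PROCESSES:
            continue
        by_logon.setdefault(e["SubjectLogonId"], []).append(e)

    alerts = []
    for logon_id, evs in by_logon.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        win, refcount, armed = deque(), {}, True
        for e in evs:
            win.append(e)
            refcount[e["ObjectName"]] = refcount.get(e["ObjectName"], 0) + 1
            # Evict events older than the window so refcount reflects only the last `window`.
            while e["TimeCreated"] - win[0]["TimeCreated"] > window:
                old = win.popleft()
                refcount[old["ObjectName"]] -= 1
                if refcount[old["ObjectName"]] == 0:
                    del refcount[old["ObjectName"]]
            if len(refcount) > threshold and armed:
                alerts.append({"logon_id": logon_id, "process": e["ProcessName"],
                               "window_start": win[0]["TimeCreated"], "window_end": e["TimeCreated"],
                               "distinct_files": len(refcount)})
                armed = False          # one alert per burst; re-arm once the burst subsides
            elif len(refcount) <= threshold:
                armed = True
    return alerts

def synth_reads(logon_id, process, n, start, spread, distinct=True):
    """Constructed 4663 read events: n reads spread evenly over `spread`, distinct files or one file."""
    step = spread / n
    return [{"EventID": 4663, "ObjectType": "File", "AccessMask": "0x120089",
             "SubjectLogonId": logon_id, "ProcessName": process,
             "ObjectName": f"\\Device\\HarddiskVolume3\\Matters\\M-{(i if distinct else 0):05d}.pdf",
             "TimeCreated": start + step * i} for i in range(n)]

T0 = datetime(2026, 5, 20, 14, 0, tzinfo=timezone.utc)
SAMPLE = (
    synth_reads("0x3e7a1", "C:\\Windows\\explorer.exe", 620, T0, timedelta(minutes=3))   # bulk copy
    + synth_reads("0x1a2b3", "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
                  900, T0, timedelta(minutes=2))                                           # AV scan, excluded
    + synth_reads("0x5b2c0", "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                  200, T0, timedelta(minutes=20))                                          # normal work
    + synth_reads("0x77770", "C:\\Windows\\explorer.exe", 800, T0, timedelta(minutes=1), distinct=False)  # one file
)

if __name__ == "__main__":
    for a in mass_read_alerts(SAMPLE):
        print(f"{a['logon_id']} {a['process']}: {a['distinct_files']} distinct files "
              f"{a['window_start']:%H:%M:%S}-{a['window_end']:%H:%M:%S}Z")
```

Only the explorer.exe burst fires, at the 501st distinct file; the Defender scan is dropped by the process filter, the Word session never accumulates enough distinct files, and the repeated read of a single file stays at a distinct count of one. The same 620 files spread across ten minutes would not fire either, because no five-minute window ever holds more than about 260 of them, which is the property that makes the timeframe part of the rule meaningful.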

One final point for legal-sector post-incident briefings: the FBI is requesting surveillance video and photos of individuals posing as IT support. Physical intrusion creates evidence that digital forensics alone cannot provide, including camera footage, visitor logs, badge access records, and witness accounts. These physical-security artifacts are routinely overlooked during fast digital triage, and they are typically overwritten on short retention cycles, yet in SRG cases they can be among the most valuable evidence; put them under hold in the first hours, not after the timeline is built.