The FBI Is Warning Law Firms: Criminals Are Now Walking Through Your Front Door
Law firms in Louisville and across Southern Indiana handle some of the most sensitive information that exists — client communications protected by privilege, financial records, case strategy, personal details that can never be made public. That's exactly why they're a target.
The FBI just issued a warning that should get every legal professional's attention: a criminal group called Silent Ransom Group has started physically entering law firm offices — posing as IT staff — to steal data directly from devices. They're not just hacking in remotely. They're walking through your front door.
Here's what happened, how it works, and what your firm should do.
Who Silent Ransom Group Is
Silent Ransom Group has been operating since 2022. They specialize in extortion — stealing sensitive data and threatening to publish it unless they're paid. Law firms are their preferred target, specifically because of the value and sensitivity of legal records.
Their tactics have always been aggressive. What's new is the physical component.
How the Attack Works
The attack happens in two stages.
The first is remote. Attackers impersonate IT support via phone call, text, or email — convincing an employee that there's a problem with their account or device that needs to be addressed right away. The employee is guided into granting remote desktop access. Classic social engineering, and it works more often than most firms want to admit.
When that doesn't work — or when they want more access — they escalate to the physical phase. Operatives visit the office in person, dressed and equipped to pass as IT technicians. They tell whoever answers that they need to "image the device" or "run a backup" to assess a problem. While they appear to be helping, they're copying files onto a USB drive.
Once they have the data, the extortion begins.
Why Law Firms Are the Primary Target
The FBI was direct: law firms are targeted "due to the highly sensitive nature of legal industry data." Client files, privileged communications, case documents, financial records — this material has value both as leverage and on the open criminal market.
High-profile firms like Jones Day have already been hit. But smaller firms are not exempt. In many ways, smaller firms are easier targets: they often have less rigorous visitor screening, smaller IT teams (or no dedicated IT at all), and employees who aren't trained to question someone who shows up looking official.
What This Means for Your Firm
This attack works because it exploits two things most organizations take for granted: trust in authority figures, and physical access to devices.
Your employees are trained — by habit if not by policy — to help people who say they're from IT. That's a reasonable instinct in most contexts. But it's also exactly what these attackers count on.
The physical access piece matters separately. A USB drive connected to a device for two minutes can copy hundreds of files. If sensitive data isn't behind additional controls — encrypted at rest, access-restricted, logged — physical access to a device is effectively access to the data.
What to Do
These are concrete steps every law firm should take.
Verify every visitor. Anyone entering the office who claims to be there for IT work should be verified before they're allowed near any device. Call your actual IT provider to confirm they sent someone. A legitimate technician will not object to this.
Disable USB ports on sensitive devices. If a device shouldn't have external drives connected to it, block it at the hardware or policy level. This applies especially to devices that handle client files or privileged communications.
Train your team on callback phishing. The remote phase of this attack — where someone calls or texts claiming to be IT support — is often the entry point. Employees should know that legitimate IT providers don't cold-call asking for remote access. They should have a direct number to call back and verify.
Limit access to sensitive data. Not every employee needs access to every client file. Role-based access controls reduce the blast radius if credentials are compromised or a device is physically accessed.
Implement phishing-resistant MFA. Standard text-message MFA can be bypassed. Modern phishing-resistant options — like hardware keys or app-based authenticators with number matching — are significantly harder to defeat.
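One way to put the USB and logging controls above into practice on a Windows workstation, as an added PowerShell example that is not from the original post or the FBI advisory. The registry paths, class GUID, audit subcategory and event ID are standard Windows values; the function names are my own.

```powershell
# Added example (not from the original post): deny removable storage by policy on a
# Windows device and turn on Plug and Play auditing so every USB insertion is logged.
# Run from an elevated PowerShell prompt on the device you want to protect.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Class GUID for "Removable Disks" (USB thumb drives and similar)
$removableDisks = "$policyKey\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

function Set-RemovableStorageDeny {
    # Same effect as the Group Policy "All Removable Storage classes: Deny all access"
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    # Also deny read, write and execute on removable disks explicitly
    New-Item -Path $removableDisks -Force | Out-Null
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        New-ItemProperty -Path $removableDisks -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Log "A new external device was recognized by the system" (Security event 6416)
    auditpol /set /subcategory:"Plug and Play Events" /success:enable | Out-Null
}

function Test-RemovableStorageDeny {
    # Compliance check: $true only when the deny-all policy value is present and set
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    return ($denyAll -eq 1)
}

function Get-RecentUsbInsertions {
    param([int]$Days = 7)
    # Lists recent 6416 events so a reviewer can match USB activity against known IT visits
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Device   = ($data | Where-Object Name -eq 'DeviceDescription').'#text'
            Computer = $_.MachineName
        }
    }
}

Set-RemovableStorageDeny
if (Test-RemovableStorageDeny) { Write-Host 'Removable storage is denied by policy on this device.' }
Get-RecentUsbInsertions | Format-Table -AutoSize
```

The deny policy applies to devices plugged in after it is set, so existing mounts should be removed first. For a whole firm, push the same values through Group Policy or Intune rather than running this by hand on each machine.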
The Uncomfortable Truth
Most law firms, especially smaller ones, assume their IT situation is "good enough." They have antivirus. Maybe they have MFA on email. They've never had an incident, so the risk feels distant.
Silent Ransom Group is counting on that assumption. They've breached firms that felt the same way.
The question worth asking isn't "have we been attacked?" It's "if someone walked into our office tomorrow claiming to be from IT, would anyone stop them?"
Find Out Where You Stand
A free automated M365 Security Assessment gives you a clear picture of how your firm's Microsoft environment is configured — email security, device controls, access policies, and more. It takes about ten minutes and gives you a straightforward readout of what's protected and what isn't.
Run yours at audit.blackbirditsolutions.com.