TL;DR: On May 26, 2026, the FBI issued FLASH-20260526-01, warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) has escalated beyond email and phone phishing to physical in-person intrusions, with operatives walking into offices posing as IT support and plugging in USB drives. Over 100 firms have been victimized and 38+ have had data published on the group's leak site. The threat is framed around US law firms, but the playbook works against any North Carolina SMB that holds sensitive client data, including accounting practices, engineering firms, healthcare offices, and construction back-offices across the Piedmont Triad.
Key takeaway: Silent Ransom Group deploys no malware and no encryption, so traditional endpoint defenses cannot see the attack. The control that stops them is a written, drilled visitor and IT-impersonation policy combined with managed monitoring of data egress, executed by people the front desk has actually met.
Worried someone could walk into your High Point office tomorrow claiming to be from IT? Preferred Data Corporation can run a same-week physical and social-engineering readiness review and stand up a visitor verification policy. Call (336) 886-3282 or contact PDC's NC cybersecurity team.
What is the Silent Ransom Group and why is the FBI warning about it now?
Silent Ransom Group (SRG) is a financially motivated extortion crew tracked under multiple names, including Luna Moth, Chatty Spider, and UNC3753, that steals sensitive client data and extorts the victim, with no ransomware encryption involved. Per BleepingComputer's coverage of the FLASH alert, the May 26, 2026 FBI notice is the second alert in 12 months and the first to escalate to FLASH severity, reflecting in-person intrusion tradecraft that earlier warnings did not describe.
Three facts make this alert different:
- Scale. Over 100 firms have been victimized, and at least 38 have had data published on SRG's leak site, per Help Net Security's writeup of the FBI notice.
- Sector concentration. The legal sector absorbed 134 ransomware incidents in Q1 2026, ranking as the 4th-most targeted industry at over 6% of all attacks, per Dark Reading's analysis.
- Public failure cases. Tech Times reports that Orrick, Herrington & Sutcliffe, a global firm with $1.5B in annual revenue, had data published in January 2026 after refusing payment, while Weil Gotshal reportedly paid double-digit millions to resolve a separate incident.
For North Carolina SMBs, the lesson is not "we are not a law firm, we are safe." The lesson is the tactic has been operationally validated against well-resourced targets, and a 30-person Greensboro accounting practice or High Point engineering office is a softer target with the same kind of client data SRG monetizes.
How does an in-person Silent Ransom Group attack actually unfold?
It blends a phone or email pretext with a same-week walk-in, often using a brand-name spoof of the victim's real IT or MSP. Per the FBI's FLASH-20260526-01 advisory and the American Hospital Association's TLP:CLEAR republication, the operational pattern looks like this:
- Recon. Public org charts, LinkedIn, and the firm's own "Our IT partner" press releases are used to identify the real MSP, the executive assistants, and the office address.
- Pretext. A phone call or email primes the front desk and a target executive: "A technician will stop by this afternoon to check a network issue."
- Walk-in. An operative arrives during business hours wearing branded apparel or a printed badge, asks for the named executive or a workroom, and is escorted past the perimeter.
- Hands-on access. A USB device is plugged into an accessible workstation, a thumb drive is left on a desk, or a "diagnostic" laptop is connected to a port.
- Exfiltration. Sensitive client data is copied off, often staged in a cloud account the firm does not own.
- Extortion. Days or weeks later, a ransom demand arrives with proof-of-data samples. Non-payers are listed on SRG's leak site.
Because the group deploys no malware and no encryption, the attack is largely invisible to endpoint detection and response (EDR) tooling that watches for encryption or known malicious binaries. The detection layer that matters is data egress monitoring, identity and session anomalies, and physical-access discipline.
Why are traditional cybersecurity tools blind to this attack?
Because there is nothing for them to convict on. SRG's tradecraft is human social engineering plus legitimate-looking data movement, not malware. A signature-based AV product has nothing to match. A behavior-based EDR will not flag a logged-in user copying files. A perimeter firewall will not block an HTTPS upload to a consumer cloud service the user is "authorized" to reach.
The defenses that do work share a pattern: they validate trust before access is granted (visitor verification, identity controls) and they monitor what gets removed once access exists (data loss prevention, cloud egress alerting, anomalous-session detection). That mix is exactly what a managed cybersecurity program brings to an SMB that cannot staff it in-house.
| SRG attack technique | Red flag the SMB can train for | Defense action |
|---|---|---|
| Phone pretext from "your MSP" | Unscheduled visit, unfamiliar voice, urgency | Callback verification to a known MSP number, never the number the caller gives |
| Walk-in with branded apparel/badge | No prior calendar entry, no PO, no ticket number | Mandatory visitor log + ticket-number match + escort by name |
| USB device plugged into workstation | Any USB storage device, ever | USB mass-storage blocked by Group Policy / endpoint control |
| "Diagnostic" laptop on the network | Unknown MAC requesting DHCP | 802.1X / NAC, switch ports default-disabled |
| Bulk file copy by valid user | Volume, off-hours, or unusual destination | DLP / CASB alerting and cloud egress monitoring |
| Exfil to unsanctioned cloud account | Connections to consumer file-share domains | Egress allow-list + alerting on disallowed file-share domains |
| Extortion email weeks later | Ransom demand referencing real internal documents | Pre-drafted incident response plan, legal counsel on retainer |
| Leak-site post if non-payment | Public listing of firm name and sample files | Continuous dark-web and leak-site monitoring |
Quotable definition: An in-person IT impersonation attack is a social-engineering intrusion in which an operative physically enters a target's office while pretending to be an authorized technician, then uses an authorized-looking session to exfiltrate sensitive data. Because no malware is deployed, the attack defeats endpoint security and must be stopped at the human, identity, and data-egress layers.
What should a North Carolina SMB do this week to defend against SRG?
Stand up a written visitor and IT-impersonation policy, train the front desk to use it, and turn on data-egress monitoring. Most NC small businesses can complete the first three controls below in under a week.
- Publish a one-page visitor and IT verification SOP. No technician enters without a scheduled ticket, a callback to a known PDC or in-house IT number (never the number provided by the caller), and an escort. Post it at reception.
- Block USB mass storage by default. Endpoint policy disables removable storage for all standard users; exceptions are ticketed and time-limited.
- Turn on cloud egress alerting. Microsoft 365, Google Workspace, and your firewall can alert on anomalous file-share uploads. Configure thresholds and route alerts to a 24/7 inbox someone actually reads.
- Brief every executive assistant. SRG targets the EA as the gatekeeper. The EA must know the words "I will call your IT provider back at the number on our contract" and be empowered to use them without escalation.
- Run a 20-minute tabletop. Simulate the walk-in. Who challenges the visitor? Who calls the MSP? Who locks the workstation? Document the answer.
- Add identity anomaly detection. Enforce MFA everywhere, alert on impossible-travel and new-device sign-ins, and shorten session lifetimes for admin accounts. CISA's MFA guidance notes MFA blocks 99.9% of automated account-takeover attempts, which closes the secondary pivot SRG often attempts after physical entry.
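As an added example (not code from PDC, the FBI advisory, or any product named on this page), the script below applies the data-movement red flags from the table above and the "turn on cloud egress alerting" step to a log export: an upload to a file-share host outside a sanctioned allow-list, an upload outside business hours, and bulk per-user daily upload volume above a threshold. The log format, hostnames, user names, and thresholds are constructed assumptions; a real deployment would feed it the proxy, firewall, or Microsoft 365 audit export instead of the inline sample.

```python
"""Egress-anomaly triage over proxy/firewall log lines.

Added example, not PDC's tooling or anything from the FBI advisory.
Flags the three data-movement red flags an SRG-style intrusion leaves behind:
  1. an upload to a file-share host outside the sanctioned allow-list,
  2. an upload outside business hours,
  3. bulk per-user daily upload volume above a threshold.
Log format, hostnames, users, and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: "<ISO timestamp> <user> <dest host> <method> <bytes out>".
# One malformed line is included to show the parser skips it rather than crashing.
SAMPLE_LOG = """\
2026-05-27T09:12:04 jsmith sharepoint.example-firm.com POST 2400000
2026-05-27T09:40:11 jsmith sharepoint.example-firm.com POST 1800000
2026-05-27T10:15:20 rjones sharepoint.example-firm.com GET 512
2026-05-27T22:05:37 asmith files.consumer-share.example PUT 85000000
2026-05-27T22:07:02 asmith files.consumer-share.example PUT 91000000
this line is not a valid record
2026-05-27T22:09:55 asmith files.consumer-share.example PUT 78000000
"""

SANCTIONED_HOSTS = {"sharepoint.example-firm.com"}   # assumed egress allow-list
UPLOAD_METHODS = {"POST", "PUT"}                     # only outbound transfers count
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
BULK_BYTES_PER_USER_DAY = 100 * 1024 * 1024          # assumed 100 MiB/day threshold


def parse_line(line):
    """Parse one record; raises ValueError on a malformed line."""
    ts, user, host, method, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "host": host.lower(),
        "method": method.upper(),
        "bytes": int(nbytes),
    }


def is_sanctioned(host):
    """True when host is an allow-listed domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_HOSTS)


def is_off_hours(ts):
    """True on weekends or outside the configured business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(log_text):
    """Return {"alerts": [...], "skipped_lines": n} for a log export."""
    alerts = []
    skipped = 0
    daily_bytes = defaultdict(int)   # (user, date) -> bytes uploaded that day

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            rec = parse_line(raw)
        except ValueError:
            skipped += 1             # malformed line: count it and keep going
            continue
        if rec["method"] not in UPLOAD_METHODS:
            continue                 # downloads are out of scope for egress triage
        if not is_sanctioned(rec["host"]):
            alerts.append({"rule": "unsanctioned_destination", "user": rec["user"],
                           "host": rec["host"], "ts": rec["ts"].isoformat()})
        if is_off_hours(rec["ts"]):
            alerts.append({"rule": "off_hours_upload", "user": rec["user"],
                           "host": rec["host"], "ts": rec["ts"].isoformat()})
        daily_bytes[(rec["user"], rec["ts"].date())] += rec["bytes"]

    # Volume rule is evaluated per user per day once all lines are aggregated.
    for (user, day), total in daily_bytes.items():
        if total > BULK_BYTES_PER_USER_DAY:
            alerts.append({"rule": "bulk_volume", "user": user,
                           "day": day.isoformat(), "bytes": total})
    return {"alerts": alerts, "skipped_lines": skipped}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert)
    print(f"skipped {result['skipped_lines']} malformed line(s)")
```

On the constructed sample, every alert lands on the same account uploading to a non-sanctioned host after hours in volume, which is the combination the table calls out; a single rule firing alone is a lower-confidence signal and is where the thresholds get tuned. The destination check is an allow-list rather than a deny-list of consumer services so that a file-share domain nobody has heard of yet still raises an alert, and the output is meant to be routed to the 24/7 inbox from the egress-alerting step rather than read from a console.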
Need this stood up before the next visitor walks in? Call (336) 886-3282 or request a same-week SRG readiness review. PDC's team can be on-site anywhere within 200 miles of High Point.
Which North Carolina industries are most exposed beyond law firms?
Any NC SMB that holds regulated or commercially sensitive client data on behalf of others is in the threat model. The FBI flagged law firms because that is where the operational pattern was observed, but the economics of SRG's tradecraft apply equally to:
- Accounting and tax practices across the Piedmont Triad, Charlotte, Raleigh, Greensboro, and Winston-Salem, holding W-2s, K-1s, and SSNs at scale.
- Engineering and architecture firms with confidential bid documents, CAD files, and client IP.
- Healthcare practices holding PHI subject to HIPAA breach reporting and OCR penalties.
- Construction back-offices with insurance certificates, bonding paperwork, and subcontractor PII.
- Manufacturing front offices with customer contracts, pricing, and supply-chain documents.
- M&A advisory and wealth management with deal documents, account numbers, and beneficiary data.
If your business would suffer reputational, contractual, or regulatory harm from a client-data leak, you are inside SRG's monetization model.
How does Preferred Data Corporation harden a NC SMB against this threat?
PDC pairs a managed cybersecurity stack with the on-site, in-person work this threat actually requires, all delivered from our High Point headquarters at 1208 Eastchester Drive, Suite 131. For 37+ years (founded 1987), PDC has supported NC small businesses across the Piedmont Triad and on-site within 200 miles of High Point, including Charlotte, Greensboro, Raleigh, and Winston-Salem.
What that looks like in practice:
- A written visitor and IT-impersonation SOP, customized to the office layout and front-desk workflow.
- USB and removable-storage controls enforced via endpoint policy, with ticketed exception handling.
- Data-egress and cloud-anomaly monitoring tied to a 24/7 alert channel.
- Identity hardening with TOTP MFA, conditional access, and admin session controls.
- A pre-drafted incident response plan with named contacts and decision rights, tested in a 60-minute tabletop.
- Continuous dark-web and leak-site monitoring for your domain and brand.
PDC delivers this work through managed cybersecurity, managed IT services, and backup and disaster recovery.
Don't wait to see your firm on a leak site. Call (336) 886-3282 or contact Preferred Data Corporation to schedule a Silent Ransom Group readiness review for your NC office.
Frequently Asked Questions
Is the FBI FLASH-20260526-01 alert public?
Yes. The full advisory is published by the FBI Internet Crime Complaint Center, and TLP:CLEAR republications are available from the American Hospital Association and major security news outlets. FLASH advisories are intended for distribution to private-sector defenders, and the May 26, 2026 notice is the second SRG-related FBI warning in 12 months but the first to reach FLASH severity.
My business is not a law firm. Why should I worry?
Because the attack technique is sector-agnostic. SRG monetizes sensitive client data, not a specific industry, and Help Net Security notes the same playbook has been observed against other professional services. Any NC SMB holding PII, PHI, financial records, or confidential client documents is a viable target.
Will EDR or antivirus catch this attack?
Usually not. SRG deploys no malware and no encryption, so signature-based and behavior-based endpoint tools have little to convict on, per the FBI advisory. The detection layer that works is data-egress monitoring, identity anomaly detection, and physical-access discipline, not the EDR agent.
What is the single most important control to add this week?
A written, posted visitor and IT-impersonation SOP that requires a callback to a known IT number before any technician is admitted, plus USB mass-storage blocking. Those two controls together close the most common SRG entry path described in the FBI alert.
How long does it take to stand up SRG-grade defenses?
For a typical 10- to 100-employee NC small business, PDC can stand up the visitor SOP, USB controls, MFA, and egress alerting within 1 to 2 weeks, and complete a full incident response tabletop in the following 30 days. The first 5 days deliver the largest risk reduction.
What should I do if I think SRG has already targeted my firm?
Treat any ransom email referencing real internal documents as confirmed exfiltration. Engage legal counsel, preserve logs, isolate suspect accounts, and contact PDC at (336) 886-3282 for incident response support. Do not pay or respond directly without counsel; Dark Reading and Tech Times both note that paying does not prevent leak-site posting in every case.
Does cyber insurance cover this kind of attack?
Generally yes, if your controls match what you attested to on the application. Carriers in 2026 are reviewing physical and social-engineering controls more closely, so an SMB with no documented visitor policy may face coverage questions. Align controls now, document them, and brief your broker before renewal.
Related Resources
- Managed Cybersecurity Services for NC Businesses - Identity, egress, and incident response
- Managed IT Services for NC Businesses - Endpoint policy, USB controls, patching
- Backup and Disaster Recovery - Immutable, tested, ready when extortion hits
- Cyber Insurance Application Rejection: 41% SMB Readiness Guide - Renewal-ready controls
- Contact Preferred Data Corporation - Same-week SRG readiness review for NC offices