Cybersecurity researchers and US federal authorities have warned that a ransomware-linked criminal group is increasingly combining digital attacks with physical infiltration, including sending individuals posing as information technology workers to gain access to victims’ offices and computer systems.

In a report published on June 5, Google’s cybersecurity units, Mandiant and Google Threat Intelligence Group, said the group known as the “Silent Ransom Group” had targeted dozens of organisations between January and May, primarily focusing on law firms and other professional services organisations.

According to the report, the group has used a combination of phishing emails, social engineering tactics and telephone calls to impersonate corporate IT support staff. In some cases, however, the operation extended beyond online deception, with individuals reportedly visiting victims’ offices in person while posing as technical support personnel.

Google said the imposters were able to access employees’ computers directly, using USB storage devices or facilitating remote connections that allowed other members of the group to extract sensitive information. The stolen data reportedly included contracts, financial records, tax documents and personal information.

The warning follows an alert issued by the FBI last month, which described a series of attacks in which criminals impersonated IT support workers to gain access to company systems. 

Unlike traditional ransomware attacks, which typically involve encrypting a victim’s systems and demanding payment for their restoration, the Silent Ransom Group appears to rely primarily on data theft and extortion. According to researchers, the group threatens to publish stolen information on a dedicated leak site if organisations refuse to pay.

Google said the attackers often build trust by claiming to be responding to security concerns or assisting with corporate technology projects. Victims are then encouraged to join screen-sharing sessions or install remote access software, allowing the attackers to bypass security controls and gain entry to internal systems.