FBI Advisory: Law Firms Must Block USB Ports to Thwart Silent Ransom Group’s In‑Person Data Theft

Regulation Reporter

The FBI warns that the Silent Ransom Group is sending impostors posing as IT staff into U.S. law firms to copy confidential files onto USB drives. Firms must disable external storage, enforce MFA, and train staff to verify physical visitors.

FBI Advisory – Silent Ransom Group (SRG) In‑Person USB Theft

Regulatory action: The Federal Bureau of Investigation issued a public advisory on 27 May 2026 warning that the Silent Ransom Group, an extortion‑focused cybercrime gang active since 2022, is now entering law‑firm offices and stealing data with USB thumb drives.

What it requires:

  1. Physical port lockdown – All organization‑issued computers that store or process confidential client information must have USB ports disabled or physically blocked.
  2. Credential verification for on‑site personnel – Anyone who walks into a firm claiming to be IT support must be vetted through a pre‑approved visitor‑management system before being granted access to any workstation.
  3. Network hardening – Block outbound SSH (TCP port 22) on corporate firewalls to prevent the use of SSH/SFTP‑based file‑transfer tools such as WinSCP or Rclone for exfiltration.
  4. Multi‑factor authentication (MFA) – Deploy phishing‑resistant MFA (e.g., hardware tokens or FIDO2 keys) for all privileged accounts and for any service that can access client data, including Microsoft 365, Google Workspace, and internal file‑sharing platforms.
  5. Staff awareness training – Conduct quarterly simulated‑phishing and physical‑security drills that cover:
    • Recognising social‑engineering cues (e.g., unsolicited “IT support” calls or visits).
    • Refusing to plug in any external media, even when presented as a “backup” or “imaging” device.
    • Reporting suspicious visitors or calls to the security team immediately.
  6. Incident‑response preparation – Ensure the incident‑response plan includes procedures for:
    • Isolating compromised workstations.
    • Collecting forensic copies of USB devices for law‑enforcement hand‑over.
    • Notifying affected clients in accordance with applicable professional‑responsibility rules (e.g., ABA Model Rules of Professional Conduct).

Compliance timeline:

  • By 30 June 2026 – Implement USB‑port disablement on all laptops, desktops, and workstations handling privileged client data. Document the configuration change in the firm’s asset‑management system.
  • By 31 July 2026 – Deploy a visitor‑management solution that requires pre‑registration, photo ID verification, and badge issuance for any external IT personnel. Integrate the system with the firm’s access‑control logs.
  • By 31 August 2026 – Complete network firewall rule updates to block outbound port 22 traffic from all internal subnets that do not require legitimate SSH access. Maintain a change‑control record for audit purposes.
  • By 30 September 2026 – Roll out MFA upgrades to cover 100 % of privileged accounts and any cloud services storing client data. Verify enrollment through the identity‑provider’s reporting dashboard.
  • Quarterly thereafter – Conduct mandatory security‑awareness sessions for all staff, with a specific module on “Impersonation of IT Support” and the risks of USB‑based data exfiltration.
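The port lockdown (requirement 1) and the outbound port‑22 block (requirement 3), together with the configuration record that the June and August deadlines above ask for, as an added PowerShell example that is not part of the FBI advisory. It assumes a Windows 10/11 workstation, an elevated session, and that the host itself needs no outbound SSH.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FBI advisory): applies advisory item 1
# (removable-storage lockdown) and item 3 (outbound TCP/22 block) on a
# Windows 10/11 workstation and returns a record for the asset register.
# Assumptions: elevated session; this host needs no outbound SSH.

# Windows "Removable Storage Access" policy key for the Removable Disks class.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
$RuleName = 'SRG-Advisory Block Outbound SSH'

function Disable-RemovableStorage {
    # Deny read, write and execute on removable disks (the per-class form of
    # the Group Policy "Removable Disks: Deny ... access" settings).
    New-Item -Path $PolicyKey -Force | Out-Null
    foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-ItemProperty -Path $PolicyKey -Name $v -Value 1 -Type DWord
    }
    # Belt and braces: stop the USB mass-storage driver from loading at all.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
    # Record every device that is still presented to the OS (Security event 6416).
    auditpol.exe /set /subcategory:"Plug and Play Events" /success:enable | Out-Null
}

function Block-OutboundSsh {
    # Advisory item 3. Give approved admin hosts a separate allow rule
    # rather than loosening this one.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 22 -Action Block -Profile Any | Out-Null
    }
}

function Get-ComplianceRecord {
    # Object for the firm's asset-management system (advisory timeline, June/August).
    $p  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $us = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start
    $fw = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        Timestamp          = (Get-Date).ToString('o')
        RemovableDenied    = [bool]($p -and $p.Deny_Read -eq 1 -and $p.Deny_Write -eq 1 -and $p.Deny_Execute -eq 1)
        UsbStorDisabled    = ($us -eq 4)
        OutboundSshBlocked = [bool]($fw -and "$($fw.Enabled)" -eq 'True' -and "$($fw.Action)" -eq 'Block')
    }
}

Disable-RemovableStorage
Block-OutboundSsh
Get-ComplianceRecord | ConvertTo-Json
```

The JSON record is what goes into the change‑control entry; a reboot is needed before the USBSTOR change takes full effect.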


Why the advisory matters for law firms

Law firms handle highly sensitive information (client contracts, litigation strategies, and personal data), which makes them prime extortion targets. SRG’s shift from purely remote “callback phishing” to physical intrusion raises the threat level: a single copied file is enough to support a multi‑million‑dollar extortion demand, with the firm’s reputation and client trust as the leverage.

Technical details of SRG’s USB theft

  • Method: An impostor arrives, claims to need to “image” the victim’s machine, and plugs in a pre‑loaded thumb drive. The drive runs a hidden script that copies recent Office documents, PDFs, and email archives onto the device.
  • Tools: The script often uses built‑in Windows commands (robocopy, powershell) to avoid detection. In some cases, a lightweight file‑exfiltration utility such as a modified version of Rclone is executed from the USB.
  • Data handling: Stolen files are later uploaded to SRG’s data‑leak site (DLS) and encrypted with a ransomware‑style lock, even though the group does not deploy ransomware on the victim’s network.

Practical steps for immediate mitigation

  1. Physical USB control – Purchase port blockers (e.g., epoxy caps) or enable BIOS/UEFI settings that disable external storage. Record the serial numbers of approved devices.
  2. Visitor verification workflow – Require a signed work order from the firm’s IT department before any external technician is allowed to connect hardware. Use a two‑person verification process at the reception desk.
  3. Log and monitor USB activity – Deploy endpoint‑detection‑and‑response (EDR) solutions that generate alerts when a new removable device is mounted. Tools such as Microsoft Defender for Endpoint or CrowdStrike Falcon can enforce policy‑based blocking.
  4. Secure remote‑access pathways – Replace generic remote‑desktop tools with Zero‑Trust Network Access (ZTNA) solutions that grant time‑limited, device‑bound sessions.
  5. Report to the FBI – Forward any suspicious phone numbers, call recordings, or USB device identifiers to the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov.
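An added example (not from the advisory or from any EDR vendor) of the detection that steps 1 and 3 describe: removable‑disk events in the shape of Windows Security event 6416 are checked against the firm’s list of approved device serial numbers, and anything else is raised as an alert. The approved serial and the events are constructed sample values; live use needs Plug and Play auditing enabled.

```powershell
# Added example (not from the advisory or any EDR vendor): flag removable-disk
# events whose serial is not on the firm's approved-device list.
# Assumptions: Plug and Play auditing is on, so Security event 6416 records each
# device; the approved serial and the events below are constructed samples.

$ApprovedSerials = @('4C530001230315101234')   # constructed sample value

# Constructed sample events in the shape of event 6416's EventData fields.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-06-02T09:12:00'; SubjectUserName = 'jsmith'
        ClassName = 'DiskDrive'; DeviceId = 'USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\4C530001230315101234&0' },
    [pscustomobject]@{ TimeCreated = [datetime]'2026-06-02T14:47:00'; SubjectUserName = 'reception-ws'
        ClassName = 'DiskDrive'; DeviceId = 'USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\0401F1A2B3C4D5E6&0' },
    [pscustomobject]@{ TimeCreated = [datetime]'2026-06-02T14:48:00'; SubjectUserName = 'reception-ws'
        ClassName = 'Keyboard'; DeviceId = 'HID\VID_046D&PID_C31C&MI_00\7&2A1B3C4D&0&0000' }
)

function Get-UsbSerial([string]$DeviceId) {
    # USBSTOR instance paths end in "<serial>&<port>"; other classes carry no serial here.
    if ($DeviceId -match '^USBSTOR\\[^\\]+\\([^&\\]+)&\d+$') { return $Matches[1] }
    return $null
}

function Get-UnapprovedRemovableDevice {
    param([object[]]$Events, [string[]]$Approved)
    foreach ($e in $Events) {
        if ($e.ClassName -ne 'DiskDrive') { continue }   # keyboards, mice etc. are not storage
        $serial = Get-UsbSerial $e.DeviceId
        if ($serial -and $Approved -contains $serial) { continue }
        [pscustomobject]@{
            Severity = 'High'; Time = $e.TimeCreated; User = $e.SubjectUserName
            Serial   = $serial; DeviceId = $e.DeviceId
            Action   = 'Isolate workstation; check visitor work order; preserve device for IC3 report'
        }
    }
}

# Run the check over the sample and print any alerts.
Get-UnapprovedRemovableDevice -Events $SampleEvents -Approved $ApprovedSerials | Format-List

# Live use: build the same objects from the Security log instead of the sample.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } | ForEach-Object {
#     $x = [xml]$_.ToXml(); $d = @{ TimeCreated = $_.TimeCreated }
#     foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#     [pscustomobject]$d
# }
```

Feeding the alert objects into the EDR or SIEM gives the reception‑desk verification step a technical backstop: a drive plugged in during a visit that has no matching work order shows up within seconds.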

Bottom line

The FBI’s advisory signals a clear escalation in SRG’s tactics. By treating external storage as a high‑risk vector, enforcing strict visitor controls, and hardening remote‑access pathways, law firms can meet the advisory’s requirements and protect client confidentiality. Failure to act promptly could result in data exposure, extortion payments, and severe professional‑ethics consequences.

References

  • FBI Cyber Crime Advisory – Silent Ransom Group, 27 May 2026.
  • Microsoft Defender for Endpoint – Removable Media Control documentation.
  • ABA Model Rules of Professional Conduct – Confidentiality obligations.
