Silent Ransom Group Is Walking Into Law Firms — And EDR Can't See It
FBI FLASH-20260526-01 warns Silent Ransom Group (Luna Moth, UNC3753) is infiltrating US law firms by phone, by RDP — and, when those fail, by walking in with a USB stick. 38+ firms leaked. Endpoint stack misses it; wire-side traffic ML doesn't.
On Tuesday May 26, 2026, the FBI's Internet Crime Complaint Center published FLASH-20260526-01, a TLP:CLEAR alert with a sentence most incident-response leads in the legal sector had to read twice: "If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer."
The "SRG" is the Silent Ransom Group — also tracked as Luna Moth, Chatty Spider, UNC3753, and Storm-0252. They have been hitting US law firms since spring 2023, and the FLASH alert is the federal acknowledgement that the kill chain has now graduated past social engineering into physical premises infiltration. As of publication, 38+ firms have data posted on their clearnet leak site business-data-leaks[.]com, and researchers tracking the group put the total compromised count above 100 — with activity sharply higher in the first months of 2026. In January 2026 Orrick, Herrington & Sutcliffe — a firm with 25+ global offices and more than $1.5B in annual revenue — became the most public name on the list after declining to pay.
This article is about what the FLASH alert actually means for endpoint, identity, and network defenses — and why the legal sector is now in the awkward position of having to detect an attack whose entire premise is that no detection mechanism it has bought in the last decade is looking at the right thing.
The new kill chain: callback, RDP, then a person
The FBI's TTP description is short enough that it is worth reading whole. The chain has three stages:
- Callback phishing or direct call. SRG operators send a phishing email or place a phone call posing as the victim's own IT support. The pretexts that surface most often are subscription-charge disputes, an urgent security update, or follow-up on an internal phishing-awareness test. The aim is to get the user on the phone with the attacker.
- Remote desktop pivot. Once on the phone, the operator walks the user through opening a remote-control session — Zoho Assist, AnyDesk, Splashtop, ScreenConnect, whichever the firm's actual help desk uses. From inside the session, the attacker stages data with native tooling: WinSCP for file transfer, and Rclone in renamed binaries for cloud sync to Google Drive or OneDrive tenants the attacker controls.
- Physical fallback. If the user gets suspicious, hangs up, or the firm's help-desk policy blocks the remote tool, the campaign does not end. A person travels to the firm's office. They present at reception as IT support — sometimes referencing the earlier phone call as the cover — and either talk a junior staffer into letting them sit at a workstation or get to one unattended. A USB stick goes in. Files come off.
No ransomware payload. No encryption stage. No malware to flag. The FBI flash explicitly describes the post-compromise toolchain as legitimate remote access software and removable media — which is the same toolchain a real help desk uses. The forensic surface is, deliberately, almost empty.
What this breaks in the standard stack
Most law firms — even mid-market firms with revenue north of $100M — bought a "modern" security stack between 2019 and 2024 that looks roughly like this: an EDR sensor on every endpoint, an identity provider with MFA on Microsoft 365, a CASB watching SaaS usage, an MDR vendor reading the EDR telemetry overnight. That stack defends extremely well against signatured malware and known-bad lateral-movement patterns. It is structurally blind to what SRG actually does.
Walk through the chain again with the defender's view:
| Layer | What it watches | What SRG does |
|---|---|---|
| EDR / AV | Process tree, binary signatures, memory | Signed remote-control software the help desk already runs |
| Identity / MFA | Authentication anomaly, impossible travel | Real user, real session, attacker piggybacks via screen share |
| CASB / DLP | SaaS upload to unsanctioned tenants | OneDrive / Google Drive — both sanctioned for the firm; tenant attribution is brittle |
| EDR USB policy | Mass-storage class block | If unblocked, a "legit" technician's stick reads as expected hardware |
| MDR overnight review | EDR alerts from last 24h | No alerts to review |
This is the gap the FBI alert is pointing at without naming it. Every control above passes the audit. None of them sees the campaign. Help Net Security's coverage of the flash quoted the Bureau's guidance almost reluctantly — verify anyone claiming to be from internal IT before granting remote or physical access — because the technical recommendations the FBI usually issues do not really apply when the attacker never deploys a payload.
"We had MFA, we had Defender, we had a 24/7 SOC. The attacker had a phone and a USB stick. The forensic timeline starts at the extortion email."
— paraphrase of how multiple firms have described the post-incident reconstruction to incident counsel during the spring 2026 wave
What is still detectable: the wire
The thing SRG cannot make invisible is the network. A workstation in a litigator's office has a traffic baseline. It pulls down email, talks to the document management system, talks to e-discovery vendors, syncs OneDrive, hits the bar association portal, occasionally talks to Lexis or Westlaw. Egress volume on a normal day is small and chunky. The endpoints that historically uploaded almost nothing now have to push gigabytes outbound in a session.
Three signals reliably survive every SRG tradecraft choice:
- Volume inversion. A workstation whose 30-day baseline shows 95th-percentile outbound at ~50 MB/day suddenly sustains hundreds of MB/min for the length of a remote-control session, or while a USB-attached process is reading the file server. The signal is not the absolute number — it is the shape change. Deep-learning models trained on per-host PCAP sequences pick this up while it is happening, not in tomorrow's SIEM digest.
- Destination novelty. Rclone to attacker-controlled OneDrive or Google Drive still terminates at Microsoft / Google IPs — but the specific tenant identifier in the TLS SNI, the JA4 fingerprint, the OAuth refresh pattern, and the chunked upload cadence are visibly different from the firm's own tenant. JA4 + SNI + ASN clustering separates "our staff using our OneDrive" from "our staff using someone else's OneDrive" even when both endpoints look like *.sharepoint.com. Renamed Rclone binaries do not hide the protocol-level chunking and concurrency profile.
- RDP-tool anomalies. Even sanctioned remote tools (Zoho Assist, AnyDesk, ScreenConnect) have characteristic relay-server destinations and session-lifetime distributions. A session of unusual length, against a relay that the firm has never spoken to before, originating in a non-help-desk subnet, is a four-out-of-five-times true positive.
None of these requires decrypting TLS. None requires endpoint cooperation. They are observable from a SPAN port — which is exactly the wire-surface most firms have stopped instrumenting because the EDR / CASB layer was supposed to cover it. The FBI's public alert wording ("minimal forensic artifacts behind") is precisely a statement that the host-side is barren and the network-side is where the evidence lives.
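The three signals above as an added example, not code from the original article and not Zero Hunt's model: a standard-library Python script that builds per-host baselines from constructed flow records (the host names, IPs, tenant SNIs, JA4 strings, ASNs, the help-desk subnet and the relay.example-remote.net relay domain are all made up) and applies a percentile heuristic where the text describes deep learning. It flags the volume inversion, the never-seen storage tenant and the long session to a new relay from a non-help-desk subnet, using only fields a SPAN port exposes without TLS decryption.

```python
# Added illustration (not Zero Hunt code, not a DL model): per-host baselines over
# flow records as a SPAN-port collector would hand to a SOC. Every host, IP, SNI,
# JA4 string, ASN and relay domain below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import quantiles

@dataclass(frozen=True)
class Flow:
    host: str          # internal workstation name
    src_ip: str
    day: int           # 0..29 = baseline window, 30 = day under review
    minute: int        # minute-of-day the flow started
    bytes_out: int
    sni: str           # TLS SNI seen on the wire, no decryption needed
    ja4: str           # JA4 client fingerprint (constructed values)
    asn: int
    duration_min: int = 1

MB = 1_000_000
BASELINE_DAYS, REVIEW_DAY = range(30), 30
HELPDESK_SUBNET = ip_network("10.9.0.0/24")                # assumed help-desk VLAN
STORAGE_SUFFIXES = ("sharepoint.com", "googleapis.com")   # sanctioned providers
REMOTE_TOOL_SUFFIXES = ("relay.example-remote.net",)      # placeholder relay domain

def p95(values):
    """95th percentile; statistics.quantiles needs at least two samples."""
    return quantiles(values, n=20)[-1] if len(values) > 1 else max(values, default=0)

def volume_inversion(flows, window=5):
    """Signal 1: a few minutes of egress that outweigh a whole p95 baseline day."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes out
    today = defaultdict(lambda: defaultdict(int))   # host -> minute -> bytes out
    for f in flows:
        if f.day in BASELINE_DAYS:
            daily[f.host][f.day] += f.bytes_out
        elif f.day == REVIEW_DAY:
            today[f.host][f.minute] += f.bytes_out
    findings = []
    for host, per_minute in today.items():
        threshold = max(p95(list(daily[host].values())), 1 * MB)  # floor for unseen hosts
        for start in sorted(per_minute):
            burst = sum(per_minute.get(start + i, 0) for i in range(window))
            if burst / window > threshold:   # one average minute beats a whole baseline day
                findings.append(("volume_inversion", host, start, burst))
                break
    return findings

def destination_novelty(flows):
    """Signal 2: sanctioned storage provider, never-seen (tenant SNI, JA4, ASN) triple."""
    seen = {(f.sni, f.ja4, f.asn) for f in flows if f.day in BASELINE_DAYS}
    novel = {("destination_novelty", f.host, f.sni, f.ja4) for f in flows
             if f.day == REVIEW_DAY and f.sni.endswith(STORAGE_SUFFIXES)
             and (f.sni, f.ja4, f.asn) not in seen}
    return sorted(novel)

def remote_tool_anomaly(flows, min_hits=2):
    """Signal 3: new relay, non-help-desk source, session longer than baseline p95."""
    base = [f for f in flows if f.day in BASELINE_DAYS and f.sni.endswith(REMOTE_TOOL_SUFFIXES)]
    known_relays = {f.sni for f in base}
    typical_len = p95([f.duration_min for f in base])
    findings = []
    for f in flows:
        if f.day != REVIEW_DAY or not f.sni.endswith(REMOTE_TOOL_SUFFIXES):
            continue
        hits = (f.sni not in known_relays,
                ip_address(f.src_ip) not in HELPDESK_SUBNET,
                f.duration_min > typical_len)
        if sum(hits) >= min_hits:
            findings.append(("remote_tool_anomaly", f.host, f.sni, f.duration_min))
    return findings

def review(flows):
    return volume_inversion(flows) + destination_novelty(flows) + remote_tool_anomaly(flows)

def constructed_flows():
    """Constructed telemetry: 30 quiet days, then an SRG-shaped afternoon."""
    office, tool = "t13d1516h2_8daaf6152771_e5627efa2ab1", "t13d190900_9dc949149365_97f8aa674fd9"
    lit, hd = ("WS-LIT-07", "10.20.4.17"), ("WS-HD-01", "10.9.0.12")
    flows = []
    for day in BASELINE_DAYS:
        for minute in (540, 660, 840, 960):                  # ~40 MB/day to the firm's own tenant
            flows.append(Flow(*lit, day, minute, 10 * MB, "acmelaw-my.sharepoint.com", office, 8075))
        if day % 7 == 0:                                      # weekly 20-minute help-desk session
            flows.append(Flow(*lit, day, 600, 2 * MB, "us-east.relay.example-remote.net", office, 64512, 20))
        flows.append(Flow(*hd, day, 780, 5 * MB, "us-east.relay.example-remote.net", office, 64512, 90))
    flows.append(Flow(*lit, REVIEW_DAY, 540, 10 * MB, "acmelaw-my.sharepoint.com", office, 8075))
    flows.append(Flow(*lit, REVIEW_DAY, 890, 1 * MB, "eu-west.relay.example-remote.net", office, 64512, 140))
    for m in range(15):                                       # 200 MB/min to a foreign tenant
        flows.append(Flow(*lit, REVIEW_DAY, 900 + m, 200 * MB, "m365x-00000-my.sharepoint.com", tool, 8075))
    return flows

if __name__ == "__main__":
    for finding in review(constructed_flows()):
        print(finding)
```

Run as-is it prints one finding per signal for the litigator workstation and nothing for the help-desk machine, whose long relay sessions are its baseline. The checks generalize past the single scenario in the text: any host with thirty days of flows gets the same treatment, and `window` and `min_hits` are the two knobs to tune against a firm's own noise before wiring the output into the SOC queue.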
The sector-specific stakes
There is a reason SRG narrowed onto law firms — and is now, per the FLASH, expanding into insurance, finance, and healthcare. Legal practices are an information-asymmetric target: a single firm's document store can contain M&A diligence, executive personal data, pending litigation strategy, regulator-confidential filings, and protected health information from medical-malpractice files, all in one place. The extortion lever is not the firm — it is the firm's clients.
That extortion math has compliance consequences that compound the breach:
- Bar duty to safeguard. In the US, ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Multiple state bars have issued formal opinions (e.g., ABA Formal Opinion 483) describing what "reasonable" looks like after an incident. "We had EDR but no traffic visibility" is going to be a harder line to defend in front of a disciplinary committee in 2026 than it was in 2020.
- GDPR Article 33 / 34. EU-facing firms with European clients still owe a 72-hour notification to a supervisory authority on personal-data breach, and notification to data subjects when the risk is high. Italian firms additionally answer to the Codice Deontologico Forense duty of confidentiality, which is professional-discipline territory, not just regulatory.
- Derivative NIS2 / DORA exposure. Law firms are not directly in scope for NIS2 or DORA, but their clients are — and the contractual cascade through "third-party ICT risk" clauses now means a DORA-regulated bank's outside counsel is on the hook to its client for the same incident-reporting clocks the bank is on the hook for.
For the firm, this is a reputational problem. For the firm's clients, it is a compliance problem. The breach posture you can defend in front of three different audiences — the bar, the regulator, the client's GC — depends on having continuous, time-stamped, tamper-evident evidence that you saw the egress while it was happening and acted on it.
Where Zero Hunt fits this scenario
Two things have to work simultaneously for a firm to credibly defend against an SRG-style campaign: detection at the wire and evidence that holds up after the fact.
On the wire. Zero Hunt's AI Traffic Analysis pillar is a proprietary deep-learning model with four parallel inference heads — suspicious traffic, malware classification, attack-type identification, and application fingerprinting — running on the on-prem appliance GPU at a 2.7+ Gbit/s baseline. It is trained on billions of PCAP sequences to do exactly the volume-shape, destination-novelty, and session-anomaly inference described above. It does not need TLS decryption, does not need endpoint agents to opine, and runs against an in-progress session, not against last night's logs. The Marimo CVE-2026-39987 case Sysdig disclosed on May 29 was a different attacker but the same detection class: an authenticated session moving data out faster than its baseline allows. The Silent Ransom Group sessions look the same to the model — RDP screen share with abnormally sustained outbound, then a cloud-storage chunking signature against a never-seen tenant. A SOC sees the signal at minute three, not at the extortion email three weeks later.
For the evidence chain. Zero Hunt's automatic compliance pillar maps every observed anomaly, every alerted session, and every remediation action against 32 frameworks — ABA-aligned safeguards, GDPR Art. 33, NIS2 Title 13 incident reporting, DORA incident classification, ISO 27001 controls — with ECDSA-signed bundles per finding and per scan. The Trust Center exports an auditor-ready evidence pack with chain-of-custody by construction, which is the artifact a managing partner needs in front of a bar disciplinary panel, in front of a 72-hour DPA notification, and in front of a client GC's outside-counsel-incident-review clause. The point of the signing is not the cryptography — it is that the evidence cannot be quietly tidied up after the fact.
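An added illustration of the chain-of-custody idea in the paragraph above; it is not Zero Hunt's code or bundle format. Each finding is appended as a record carrying the SHA-256 digest of the record before it and a MAC over its canonical JSON, so a later edit, deletion or reordering breaks the chain at the first affected record. HMAC-SHA256 stands in for the per-finding ECDSA signature the text describes because Python's standard library has no ECDSA; the finding contents, timestamps and key are constructed.

```python
# Added illustration of a tamper-evident finding ledger, not Zero Hunt's format or code.
# HMAC-SHA256 stands in for the per-finding ECDSA signature described in the text
# (stdlib only); the hash chaining and the tamper checks are the same either way.
import hashlib
import hmac
import json

GENESIS = "0" * 64

def canonical(body):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class EvidenceLedger:
    def __init__(self, key):
        self._key = key
        self.records = []

    def append(self, finding):
        prev = self.records[-1]["digest"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev": prev, "finding": finding}
        canon = canonical(body)
        record = {**body,
                  "digest": hashlib.sha256(canon).hexdigest(),
                  "tag": hmac.new(self._key, canon, hashlib.sha256).hexdigest()}
        self.records.append(record)
        return record

    def verify(self):
        """Return (ok, index of first bad record). Catches edits, deletions, reordering."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            canon = canonical({k: rec.get(k) for k in ("seq", "prev", "finding")})
            expected_tag = hmac.new(self._key, canon, hashlib.sha256).hexdigest()
            if (rec["seq"] != i or rec["prev"] != prev
                    or hashlib.sha256(canon).hexdigest() != rec["digest"]
                    or not hmac.compare_digest(expected_tag, rec["tag"])):
                return False, i
            prev = rec["digest"]
        return True, None

def constructed_ledger(key=b"constructed-demo-key"):
    """Three constructed entries: two wire findings and the analyst's response."""
    ledger = EvidenceLedger(key)
    ledger.append({"t": "2026-05-26T15:00Z", "host": "WS-LIT-07", "signal": "volume_inversion", "mb": 1000})
    ledger.append({"t": "2026-05-26T15:01Z", "host": "WS-LIT-07", "signal": "destination_novelty"})
    ledger.append({"t": "2026-05-26T15:03Z", "action": "session_terminated", "by": "soc-analyst"})
    return ledger

def tidy_up(ledger, index, **changes):
    """Simulate quietly editing a finding after the fact; returns verify()."""
    ledger.records[index]["finding"].update(changes)
    return ledger.verify()

def drop_record(ledger, index):
    """Simulate deleting an inconvenient finding; returns verify()."""
    del ledger.records[index]
    return ledger.verify()

if __name__ == "__main__":
    print(constructed_ledger().verify())              # (True, None)
    print(tidy_up(constructed_ledger(), 0, mb=10))    # (False, 0)
    print(drop_record(constructed_ledger(), 1))       # (False, 1)
```

With a symmetric MAC, anyone holding the key can rebuild the whole chain, so this only binds an operator who does not have it; a public-key signature is what lets an outside auditor verify the pack without trusting the firm's own key handling, which is the property the text is after when it says the point is that the evidence cannot be tidied up, not the cryptography itself.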
Neither of these claims is that SRG's USB trip is "prevented." Nothing prevents a person presenting as IT from sitting at a desk. The argument is that the firm sees the campaign while it is happening, has an evidence pack that survives a deposition, and the extortion email is no longer the first sign of the breach. That is the gap the FBI FLASH-20260526-01 is actually describing. The rest is how the legal sector closes it.