These groups are posing as IT technicians remotely and in person, Mandiant and Google Threat Intelligence Group wrote in a Friday blog post.
In remote campaigns, the groups start out by contacting employees with emails about data migration or invoices and then use those communications as a pretext to initiate phone conversations while posing as IT support. In these calls, they convince targets to host screen-sharing sessions and download remote management and monitoring utilities.
In physical campaigns, the groups send individuals who pose as IT technicians, enter corporate offices and try to steal data by using USB storage media.
Once they gain access by either of these methods, the groups steal proprietary legal agreements, personally identifiable information, financial records and other highly sensitive data. They then initiate ransom negotiations while threatening to release the stolen data publicly.
Between January and May, the data theft extortion groups targeted dozens of organizations with these kinds of attacks, per the post.
The FBI reported in May that it has seen a group called Silent Ransom Group (SRG) conduct data theft and extortion operations since at least 2022 and pose as IT department employees since spring 2026.
“While SRG has victimized companies in many sectors including those in the insurance, finance and healthcare industries, the group has consistently targeted U.S.-based law firms since Spring 2023,” the FBI said in a May 26 cyber intelligence publication.
Mandiant and Google Threat Intelligence Group said in their Friday blog post that organizations can mitigate the threat of these kinds of attacks by educating employees about this threat; verifying the identities of all external contractors, technical staff and visitors; implementing remote access conditional access controls; enforcing strict controls on remote management and monitoring utilities and screen-sharing software; disabling read/write capabilities for all external USB mass storage devices; monitoring networks; and auditing authentication and access metrics.
“Organizations must transition to a unified security posture that treats physical facility access control and endpoint-based hardware policies as equal components of their defensive perimeter,” the post said.