Fake IT Workers Are Now Showing Up in Person: The Silent Ransom Group Escalation and How to Stop It

For most of the last decade, "the IT person is the attacker" meant a phone call or an email. The Silent Ransom Group built a profitable business doing exactly that: call an employee, claim to be IT support, manufacture a security problem, and talk them into granting remote access. We covered that version of the attack when the FBI first warned about it, in the Silent Ransom Group post. This week's warning from Google's Mandiant and Google Threat Intelligence Group, alongside the FBI, marks a genuinely new and more brazen chapter: the fake IT worker is no longer just on the phone. He is walking through your front door.

According to the reporting, the group has begun sending impostors posing as IT support staff into victims' physical offices, where they steal data directly, copying it onto USB drives or installing remote-access tools on machines they are given access to. Mandiant's CTO Charles Carmakal summarized the broader trend bluntly: investigators have seen adversaries who have "planted insiders, bribed employees, or physically entered buildings." The FBI confirmed "multiple instances of individuals impersonating IT support who have gained or attempted to gain physical access." This is social engineering crossing into the physical world, and it sidesteps almost every technical control a small business has bought.

What's new: from the phone to the front desk

The earlier campaigns were entirely remote. Someone called or emailed, built rapport and urgency, and steered the employee to a screen-sharing session on Zoom or Microsoft Teams to "fix" something, all of which gave the attacker hands on the system without ever leaving their own desk. That playbook still runs, and the in-person version typically starts the same way: a phishing email, a phone call, or some other social-engineering pretext that establishes the attacker as your IT support.

The escalation is the last step. Instead of, or in addition to, a remote session, a person shows up at the office, presents themselves as the IT technician there to "address a security issue" or "help with a data migration," and is shown to a computer. From there the theft is fast and low-tech: a USB drive copies files, or a remote-access tool is quietly installed so the data can be pulled later. There is no exotic malware to detect and no firewall to breach, because a human being held the door open.

It is data theft, not encryption — and that changes everything

The most important thing to understand about this group is that it does not encrypt your files. Classic ransomware scrambles your data and sells you the key, which is why a tested backup is your escape hatch. The Silent Ransom Group skips encryption entirely. It steals copies of your most sensitive information (the reporting cites contracts, Social Security numbers, financial records, and tax documents) and then extorts you with the threat of publishing it on a leak site. One sample threat from the group puts it plainly: "In case of ignorance or no agreement, we will notify your employees, partners and customers."

This is why I keep telling owners that their backups, as essential as they are, will not save them here. A backup lets you restore data you have lost. It does nothing about data that has already been copied out the door and is sitting on a criminal's server. You cannot restore your way out of a leak. Backups remain critical for the encryption-style attacks that still dominate, covered in the backup and disaster recovery post, but against pure data-theft extortion the only winning move is to prevent the theft. Prevention, not recovery, is the whole game.

Why this works: IT is the one stranger we are trained to trust

Every other unfamiliar person who asks for access to your systems trips an alarm. The "IT support" persona is the exception, because we are conditioned to cooperate with IT, to hand over the keyboard, approve the prompt, and not ask too many questions when someone official-sounding says there is a security problem to fix. The attack weaponizes that conditioning. It runs on three levers, the same three behind most successful social engineering:

  • Authority. "I'm from IT" carries implied permission that few employees feel comfortable challenging.
  • Urgency. A security incident or a deadline-driven migration that "has to be handled now" short-circuits the instinct to verify.
  • Surprise. An unexpected call or an unannounced arrival gives the target no time to think or check.

The in-person version adds the powerful social pressure of a real human standing in front of you, which is far harder to refuse than a voice on the phone. It is the same family of attack as the Microsoft Teams help-desk impersonation we wrote about, just with the attacker physically present.

Not just law firms

Law firms have borne the brunt, with dozens hit between January and May 2026, because they concentrate exactly what the group wants: privileged client data, sensitive financial information, and a strong incentive to make a quiet payment rather than face a public leak. The detailed law-firm guidance is in the professional services IT post. But the technique is industry-agnostic. It targets people and process, and every business has both.

On the Central Coast, the same exposure sits in medical and dental practices, accounting and tax firms, property management offices, and any business holding customer financial or personal records. If you hold data worth ransoming and you employ humans who can be talked into something, you are a candidate. The reassuring corollary is that the defenses are also industry-agnostic: the controls below work the same whether you are a five-person CPA office in Salinas or a property management company in Santa Cruz.

The controls that actually stop this

Because the attack targets people and procedure, the defense is mostly people and procedure, reinforced by a few technical guardrails. None of this is expensive; most of it is discipline.

  • Out-of-band verification, as an ironclad rule. Nobody claiming to be IT, by phone, email, or in person, gets access until the contact is confirmed through a channel you already trust: a call to your real IT provider on the number you have on file, never a number the stranger supplies. This single habit defeats the entire attack.
  • A "verify first" culture. Every employee needs explicit, repeated permission to pause and check, with zero fear of looking difficult. Attackers exploit politeness; remove the social cost of saying no. This is the core of the security-awareness training in our cybersecurity program.
  • Visitor control and escort policy. Sign visitors in, and never leave an outsider alone with a computer or anywhere they can plug a device in. An escorted visitor cannot quietly insert a USB drive.
  • USB and removable-media control. Block or tightly restrict USB mass storage on company machines so a stranger with a thumb drive cannot copy data even if they reach a keyboard.
  • No unsanctioned remote-access tools. Maintain and enforce a list of the remote-support tools your IT provider actually uses, and block the rest. If a "technician" wants to install something unfamiliar, that is the tell.
  • Least privilege. Limit what any single account, and therefore any single compromised session, can reach. The less a deceived employee's login can touch, the less an attacker can steal. See the identity hardening post.
  • MFA on everything, with fatigue awareness. Strong, phishing-resistant authentication limits what a stolen session yields, and trained staff resist approving prompts they did not initiate, as covered in the MFA fatigue post.
  • Data-egress monitoring. Managed detection that flags unusual bulk data movement gives you a chance to catch a theft in progress; it is the backstop behind the managed IT layer.
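As an added example (not from the original post and not the author's own tooling), the following PowerShell implements two of the technical guardrails above on a Windows machine: it writes the same removable-storage policy value that Group Policy's "All Removable Storage classes: Deny all access" setting sets, and it audits running processes and installed programs against an allowlist of sanctioned remote-support tools. The sanctioned list and the tool-name keywords are placeholders; replace them with whatever your IT provider actually uses, and run the script from an elevated session.

```powershell
# Added example; the allowlist and keyword values below are placeholders.

function Set-RemovableStorageDenyAll {
    # Deny_All=1 under the RemovableStorageDevices policy key is what the
    # "All Removable Storage classes: Deny all access" policy writes. After a
    # policy refresh or reboot, a thumb drive can no longer be read or written.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Deny_All' -Value 1 -Type DWord
}

function Get-UnsanctionedRemoteTools {
    param(
        # Keywords for the tools your provider is allowed to use (placeholder).
        [string[]]$Sanctioned = @('ScreenConnect'),
        # Keywords for common remote-support tools to look for; extend as needed.
        [string[]]$KnownRemoteTools = @('AnyDesk', 'TeamViewer', 'ScreenConnect',
                                        'RustDesk', 'Splashtop', 'LogMeIn', 'QuickAssist')
    )
    $findings = @()
    # Anything running right now that matches an unsanctioned keyword.
    foreach ($p in Get-Process) {
        foreach ($tool in $KnownRemoteTools) {
            if ($p.ProcessName -like "*$tool*" -and $Sanctioned -notcontains $tool) {
                $findings += [pscustomobject]@{ Source = 'Process'; Name = $p.ProcessName; Detail = $p.Id }
            }
        }
    }
    # Anything installed, from both the 64-bit and 32-bit uninstall hives.
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($app in Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue) {
        foreach ($tool in $KnownRemoteTools) {
            if ($app.DisplayName -like "*$tool*" -and $Sanctioned -notcontains $tool) {
                $findings += [pscustomobject]@{ Source = 'Installed'; Name = $app.DisplayName; Detail = $app.DisplayVersion }
            }
        }
    }
    return $findings
}

Set-RemovableStorageDenyAll
# Any row printed here is a tool your provider does not use: the "tell" from the list above.
Get-UnsanctionedRemoteTools | Format-Table -AutoSize
```

Running the audit on a schedule (or through your RMM) turns the allowlist from a written policy into something that is actually checked; an empty result is the expected state.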

What to do right now if you think you have been contacted

  • Do not grant access, install anything, or start a screen-share. Stop at the request.
  • Verify independently. Call your real IT provider or internal IT contact on a known number and confirm whether the visit or call is legitimate. We are reachable at (831) 204-0501.
  • If it cannot be confirmed, treat it as an attack. Deny access, and if someone is physically on site, do not let them near a machine; ask them to leave and document everything.
  • Preserve and report. Note names, times, numbers, and any tools mentioned, and report to your IT provider and, where appropriate, the FBI's IC3.
  • If access was already granted, disconnect the affected machine from the network, change credentials, and call for incident response immediately. Speed limits the damage.

Where this fits

We help small businesses across Salinas, Monterey, Santa Cruz, Watsonville, San Jose, and the rest of the Central Coast build the verification habits and technical guardrails that stop attacks like this one.

FAQs about the Silent Ransom Group's in-person attacks

What is the Silent Ransom Group?

The Silent Ransom Group, also tracked under the name Luna Moth, is a financially motivated extortion gang that has been the subject of FBI and Google Mandiant warnings in 2026. Rather than breaking in through malware, the group relies on social engineering: its members pose as IT support staff to talk their way into a victim's systems, steal sensitive data, and then extort the organization by threatening to publish that data on a leak site. The group is notable for attacking the human and procedural side of security rather than the technical perimeter, which is exactly why traditional defenses often miss it.

How is this different from normal ransomware?

Traditional ransomware encrypts your files and demands payment for the decryption key, so a good backup is your way out. The Silent Ransom Group does not encrypt anything. It steals copies of your sensitive data (contracts, Social Security numbers, financial records, tax documents) and threatens to publish it or notify your clients, partners, and employees unless you pay. That is pure data-theft extortion, and it changes the defense entirely: backups restore data you lost, but they do nothing about data that has been copied out the door. The only real protection is preventing the theft in the first place.

Someone from "IT" we didn't recognize called or showed up. What should staff do?

Stop, and verify through a known channel before doing anything they ask. Do not grant remote access, do not install software, do not start a screen-share, and do not let an unannounced visitor near a computer or plug anything in. Politely take their name and company, then independently call your actual IT provider or internal IT contact using the number you already have on file, never a number the visitor or caller gives you. A legitimate IT visit is always scheduled and announced through a channel you trust. If the contact cannot be confirmed, treat it as an attack: deny access, document what happened, and report it. No real technician will be offended by a verification call; an impostor will pressure you to skip it.

We're not a law firm. Are we still a target?

Yes. Law firms have been hit hardest because they hold concentrated, sensitive client data and have strong incentives to pay quietly, but the technique works against any organization that holds data worth ransoming and has staff who can be socially engineered, which is every organization. Medical and dental practices, accounting and tax firms, property management companies, and any business holding customer financial or personal records have the same exposure. The attack targets people and process, not an industry, so the controls that stop it (verification habits, physical access discipline, least privilege, and device control) apply to every small business.

Will our backups protect us from this attack?

No, and this is the dangerous misconception. Backups protect you from data loss (ransomware encryption, hardware failure, accidental deletion) by letting you restore a clean copy. They do nothing about a data-theft extortion attack, because the criminals are not destroying your data; they are copying it and threatening to publish it. You cannot restore your way out of a leak. This does not mean backups are unimportant; they remain essential for the encryption-style attacks that still dominate. It means backups are the wrong tool for this specific threat, and the right tools are the preventive controls that stop data from being stolen at all.

How do we tell a real IT visit from an impostor?

The single reliable test is out-of-band verification: confirming the visit or call through a channel you already trust rather than one the stranger provides. A legitimate IT engagement is scheduled in advance, the people are named ahead of time, and your known IT contact can confirm it when you call the number you have on file. Impostors rely on surprise, urgency, and authority: an unexpected arrival, a pressing security issue that must be fixed right now, and an air of official authority that discourages questions. Build a simple rule everyone follows, "no unscheduled IT access without a confirmation call to our real provider," and the attack loses its footing. Pair that with a visitor sign-in process and an escort policy so no outsider is ever alone with a computer.

Worried your team would fall for this? Let's pressure-test it.

30 minutes with a DoD-cleared engineer. We'll look at how your business verifies IT, controls physical and device access, and limits what a single deceived login can reach, then hand you a short, practical plan to close the gaps. No fearmongering, no obligation.

Book your free assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.
