FBI FLASH: Silent Ransom Group (Luna Moth/UNC3753) Escalates to Physical In-Person USB Intrusions at U.S. Law Firms; 38+ Firms Leaked

The FBI issued its first FLASH-severity alert on SRG (May 26, 2026), warning that the Russia-linked extortion group has escalated from callback phishing to physically dispatching operatives to law firm offices posing as IT support, where they insert USB/external drives directly into employee workstations to exfiltrate data. SRG deploys no ransomware or malware — attacks leave minimal EDR artifacts and traditional AV will not fire — making detection nearly impossible until a ransom email arrives threatening publication on business-data-leaks[.]com. Data from more than 38 firms including Orrick Herrington, Jones Day, and Ropers Majeski has already been published, with Halcyon tracking 134 legal-sector ransomware incidents in Q1 2026 alone.

SRG deploys no ransomware or malware — attacks leave minimal EDR artifacts and traditional AV will not fire — making detection nearly impossible until a ransom email arrives threatening publication on business-data-leaks[.]com.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.