
Silent Ransom Group moves to in-person method if vishing attempt fails


The Google Threat Intelligence Group (GTIG) on June 5 released a report detailing how UNC3753, better known as the Silent Ransom Group (SRG), has been targeting dozens of U.S.-based organizations across professional, legal and financial services.

GTIG reported that SRG has attacked these U.S. organizations via vishing and social engineering to obtain a remote desktop access session for the purposes of data exfiltration.

What made the case different and unsettling was that if an attempt at access failed over the phone, SRG would send a threat actor to the victim’s location to insert a storage device into the victim’s computers.

Prior to Mandiant’s report, the FBI issued a May 26 advisory on these techniques, adding that when the threat actor is physically present, they tell the victim they need to image the device or create a backup file to address potential impacts from the phishing email.

Kevin Surace, chair at TokenCore, said UNC3753 is dangerous because it blends trust abuse with physical presence. Surace said a fake IT call is often effective, but when someone physically shows up in the office claiming to be support, employees often treat the request as legitimate.

“That collapses the boundary between cyber security and physical security, which is where many organizations still have major gaps,” said Surace.

Surace said organizations must stop using authentication methods that can be talked out of an employee: no IT support process should depend on a user sharing a code, approving a prompt, resetting a password, or granting remote access based on a phone call. Surace said biometrics offer a better model because there’s no code to steal, no push prompt to approve, and no reusable credential an attacker can capture through vishing.

“We need to tie every IT visit to a preapproved work order, verified through an independent internal channel, and escorted from entry to exit,” said Surace. “Badges, uniforms, vendor names, and confident language are not proof of identity. Sensitive areas like server rooms should require strong identity verification, least-privilege access, camera coverage, and a strict rule that no unknown person touches an endpoint, plugs in a device, or accesses infrastructure without security’s approval.”

Waseem Ahmed, head of engineering at Secure.com, explained that SRG is a Conti offshoot now running pure data-theft extortion. Ahmed said what’s new, and what the FBI warned about last month, is that they’re showing up in person, posing as IT techs to pull files onto a USB drive, so it’s not only a vishing/phone problem.

“The through-line is the same,” said Ahmed. “They don't break in, they get invited. A worried employee, primed by an invoice email and a calm voice claiming to be IT, makes a trust decision in seconds and gets it wrong. Teams beat this by verifying any IT request through a second known channel and making remote access a two-person step.”

Jacob Krell, senior director, secure AI solutions and cybersecurity at Suzu Labs, said when encryption stops generating revenue, attackers pivot to what backups cannot fix: stolen data already in someone else’s hands.

“UNC3753 made that exact shift,” said Krell. “They deployed ransomware in 2022, dropped it. Now, they steal documents, threaten to publish, and demand payment. The 2026 Verizon DBIR backs this up: 69% of ransomware victims refuse to pay. Mandiant tracked cases where UNC3753 went from first phone call to stolen data in under an hour, using only legitimate tools like Zoom and AnyDesk. When the call fails, the FBI confirmed they send someone to the office with a USB drive.”

Krell pointed out that the strongest defense is a callback policy: if someone calls claiming that they work for IT support, the employee needs to hang up and call IT through a known internal number.

“That single step breaks the attack chain regardless of how real the voice sounds,” said Krell. “Beyond that, block unauthorized remote access tools from running on company machines. If AnyDesk or Zoho Assist are not on the approved list, they should not be able to run. For the physical threat, verify every technician visit against a scheduled work order before anyone gets near a machine.”
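As an added example, not code from the article or from any of the experts quoted, here is a small Python detector for the allowlist idea Krell describes: it reads endpoint process-creation events in a constructed pipe-delimited format, spots launches of the remote-access tools named in the article (AnyDesk, Zoho Assist, Zoom), and alerts when the tool is not on the organization’s approved list. The executable name for Zoho Assist, the log format, the hostnames and the approved list are all assumptions. It goes one step further than the quote and also flags an approved tool launched from a user-writable directory such as Downloads or Temp, since a copy the caller talked an employee into downloading would not run from its installed location.

```python
"""Flag launches of remote-access tools that are not on an approved list.

Added example, not from the SC Media article or the experts it quotes.
Event format, hostnames, user names and the approved list are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Remote-access tools named in the article, keyed by executable name.
# AnyDesk.exe and Zoom.exe are the real image names; the Zoho Assist
# executable name here is an assumption for illustration.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "zoom.exe": "Zoom",
    "zohoassist.exe": "Zoho Assist",  # assumed name
}

# Path fragments that indicate a user-dropped copy rather than an
# administrator-installed one (heuristic chosen for this example).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\")


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str  # full path of the launched executable


@dataclass(frozen=True)
class Alert:
    event: ProcessEvent
    tool: str
    reason: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'timestamp|host|user|image_path' record (constructed format)."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*parts)


def classify(event: ProcessEvent, approved: frozenset) -> Optional[Alert]:
    """Return an Alert if the event is a remote-access launch worth blocking."""
    tool = REMOTE_ACCESS_TOOLS.get(ntpath.basename(event.image).lower())
    if tool is None:
        return None  # not a remote-access tool we track
    if tool not in approved:
        return Alert(event, tool, "remote-access tool not on approved list")
    if any(marker in event.image.lower() for marker in USER_WRITABLE_MARKERS):
        return Alert(event, tool, "approved tool launched from user-writable path")
    return None


def scan(lines: Iterable[str], approved: frozenset) -> List[Alert]:
    """Run classify() over every non-empty event line, keeping only alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(parse_event(line), approved)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: one AnyDesk download-and-run, one properly
# installed Zoom, one Zoom copy run from Temp, and one unrelated process.
SAMPLE_EVENTS = """\
2025-06-05T14:02:11Z|WS-FIN-07|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2025-06-05T14:05:40Z|WS-FIN-07|jdoe|C:\\Program Files\\Zoom\\bin\\Zoom.exe
2025-06-05T14:06:03Z|WS-LEGAL-02|asmith|C:\\Users\\asmith\\AppData\\Local\\Temp\\Zoom.exe
2025-06-05T14:07:55Z|WS-LEGAL-02|asmith|C:\\Windows\\System32\\notepad.exe
"""

# Assumed organizational policy: only Zoom is sanctioned.
APPROVED = frozenset({"Zoom"})


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines(), APPROVED):
        e = alert.event
        print(f"{e.timestamp} {e.host} {e.user}: {alert.tool} -> {alert.reason}")
```

On the sample data this produces two alerts: the AnyDesk launch on WS-FIN-07 (not approved) and the Zoom copy run from a Temp directory on WS-LEGAL-02. The installed Zoom and notepad launches pass silently. In practice the same logic sits behind an application-control policy or an EDR rule rather than a script, but the two checks are the ones that matter: is the tool sanctioned at all, and is it running from where the sanctioned install lives.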
