SNACK Quick Summary
- Google’s Mandiant/GTIG teams and the FBI both escalated warnings about Silent Ransom Group. The attackers pose as IT support, abuse phone calls and phishing, and steal data through remote access or in-person office visits.
- The most alarming detail is official confirmation that fake IT workers may show up physically and plug in USB storage when remote tricks are not enough.
- For everyday digital life, the practical lesson is not abstract cyber jargon but identity checks, callback rules and tighter control over remote tools and external drives.
Snackgirls editor note
Red: “This is no longer just a suspicious email story. It is a someone-at-the-door security story.”
AIKO: “The report matters because it combines social engineering, legitimate remote tools and physical access into one fast theft workflow.”
Kirari: “The habit to build is simple: if support appears out of nowhere, call back through an official channel first.”
The latest Google and FBI guidance is more serious than a generic ransomware headline. The attack pattern starts with fake IT support, moves into screen sharing or remote management tools, and can escalate into a real person trying to touch a machine in the office.
How the intrusion works
Google says the group uses invoice, migration and security-issue pretexts to start calls and phishing exchanges. Once a target is engaged, the attackers push for screen sharing, remote monitoring tools and direct access to sensitive files.
The FBI flash names tools such as Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop and Atera. The point is not that every remote tool is malicious by itself, but that unexpected installation requests must be verified before anything is approved.
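One way to apply that verification rule to a software inventory, shown as an added example that is not from Google, the FBI or this article. The inventory columns, host names, ticket IDs and the single approved tool are constructed assumptions; only the product names come from the list above.

```python
import csv
import io
import re

# Remote-support products named in the FBI flash, as listed in the article.
NAMED_TOOLS = ("zoho assist", "quick assist", "anydesk", "rustdesk",
               "syncro", "splashtop", "atera")
# Whole-word match so that e.g. "Lateral" does not match "atera".
TOOL_RE = re.compile(r"\b(" + "|".join(map(re.escape, NAMED_TOOLS)) + r")\b")

# Assumption: the organisation has approved exactly one tool for its help desk.
APPROVED_TOOLS = {"splashtop"}

# Constructed software-inventory export (hypothetical columns, hosts, tickets).
SAMPLE_INVENTORY = """host,display_name,installed_by,ticket
ws-legal-01,Splashtop Streamer,it-deploy,CHG-1001
ws-legal-02,AnyDesk,jdoe,
ws-fin-07,RustDesk 1.2,asmith,
ws-fin-09,Splashtop Streamer,asmith,
ws-fin-11,Lateral Flow Viewer,it-deploy,CHG-0990
"""

def match_tool(display_name):
    """Return the named remote tool found in display_name, or None."""
    normalized = " ".join(display_name.lower().split())
    hit = TOOL_RE.search(normalized)
    return hit.group(1) if hit else None

def review_inventory(csv_text):
    """Return installs that need verification before the tool is used."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tool = match_tool(row["display_name"])
        if tool is None:
            continue  # not a remote-support product from the list
        if tool not in APPROVED_TOOLS:
            reason = "unapproved remote tool"
        elif not row["ticket"].strip():
            reason = "approved tool installed without a change ticket"
        else:
            continue  # approved tool with a ticket on record
        findings.append((row["host"], tool, row["installed_by"], reason))
    return findings

if __name__ == "__main__":
    for host, tool, user, reason in review_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {tool} (installed by {user}) -> {reason}")
```

A finding here is a prompt to call the user back through the company directory and confirm the request, not proof of compromise.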
Why this warning is unusually strong
Google says the campaign hit dozens of organizations in professional, legal and financial services from January through May 2026. In some cases, the full sequence from first contact to exfiltration and extortion happened within a single business day, sometimes in under an hour.
The FBI document goes further by describing incidents where an attacker came to the office and attempted to use a USB device or external drive directly on a victim machine. That turns a remote-support scam into a workplace access problem as well.
What should change right now
The FBI recommends verifying visitor credentials, defining how real IT staff authenticate themselves, training employees for phishing resistance, maintaining backups and requiring phishing-resistant MFA wherever possible. Sensitive systems should also limit remote access and external-drive permissions when feasible.
Translated into normal daily practice, the rule is clear: never trust surprise support at face value. Call back through the company directory, confirm the ticket through an official channel and stop any unscheduled request for screen sharing, remote control or USB insertion until that check is complete.
Sources and checked date: Checked on 2026-06-07 KST