On May 26, 2026 the FBI issued a formal advisory telling US law firms exactly how a specific criminal group is robbing them. Most firm owners will never read the original. This is the advisory in plain English, and the part no government document covers, which is how the loss reads against your insurance.
The answer
The FBI says a group called Silent Ransom is targeting law firms by posing as IT support, by phone, by email, and now in person, stealing files without any ransomware and extorting firms with the threat of publication. The countermeasures are procedural, and the financial backstop is a cyber policy read against this exact loss.
The advisory names the Silent Ransom Group, a criminal operation also tracked as Luna Moth, Chatty Spider, and UNC3753, and states that it has consistently targeted US law firms since spring 2023. The method is impersonation. The actors pose as the firm's own IT department, either calling employees directly or sending phishing emails urging the employee to call them, then talk the employee into granting a remote desktop session.
Then comes the line that made me read the advisory twice. If the remote approach fails, the FBI says, the group sends a person to the firm's office, posing as IT support, who tells the victim they need to image the device or create a backup, and inserts a storage device into the computer. The con now has a body. It walks past the front desk carrying a clipboard's worth of confidence, and it works for the same reason the phone call works. It looks exactly like help.
The warning is not about software. It is about who your people believe.
Here is the detail that separates this from the cyberattacks most owners picture. Nothing gets encrypted. No screens go red. The FBI notes the group seeks rapid access, immediate data theft, and extortion through the threat of publishing or selling the files, using ordinary tools like WinSCP, Rclone, and cloud drives that antivirus software has no reason to flag. The advisory says recent campaigns left few artifacts on compromised machines.
Practically, that means your systems can keep running normally while your client files walk out the door, and the first unambiguous sign of the breach can be the extortion email itself. The group then applies pressure the old fashioned way, calling the firm's own employees and clients to force a negotiation, and maintaining a public site where it posts data from firms that refuse.
For a law firm, the leverage is obvious and the FBI says it plainly. The files are privileged, the exposure is reputational and regulatory, and the criminals price their demand accordingly.
The advisory closes with recommendations. Stripped of the technical phrasing, they fit a Houston firm's Monday morning meeting.
If you want the scheme itself narrated start to finish, the reporting on how these intrusions unfold in a single business day is at from first call to stolen files, and the June attacks that put this advisory in the headlines are covered at the fake IT call hitting America’s law firms.
Now the part the advisory cannot tell you. A data theft with no ransomware leans on different parts of a cyber policy than the shutdown scenario most policies get bought for. The heavy lifting here comes from breach response and forensics, breach counsel and client notification, cyber extortion coverage, and privacy and regulatory defense. Business interruption, the coverage part built for downtime, may barely engage in an attack where your systems never stop running. Whether your policy's sublimits match that shape is a document question, and it is readable this week at law firm cyber insurance.
One more detail worth acting on. Bloomberg Law has reported that some of these groups look for a firm's cyber insurance policy during the intrusion and set the ransom demand at the policy limits. Treat your policy documents with the same confidentiality as client files. Your limits belong to you, your broker, and your counsel, and nobody else.
None of this is a reason for fear. It is a reason for a procedure, a policy read against this exact loss, and a team that knows both exist. That is a solvable Monday, and the full coordinated program lives at Houston law firm insurance.
The FBI wrote the warning. Your policy decides whether it becomes a story or a loss.
Charles McDade, LUTCF, Founder, McDade Insurance Brokerage Group
This article uses public source material from the FBI's May 2026 advisory and Bloomberg Law.
The purpose is to help you act on the advisory rather than file it. The FBI describes the scheme and the countermeasures. How the loss would land on your firm is answered by your policy's parts and sublimits, which is exactly what the review reads.
A criminal operation, also tracked as Luna Moth, Chatty Spider, and UNC3753, that the FBI says has consistently targeted US law firms since spring 2023. The group poses as IT support to gain access, steals data using ordinary tools rather than malware, skips encryption entirely, and extorts firms by threatening to publish or sell the stolen files, including pressuring employees and clients directly.
Hang up and call back on a number your firm already controls, never a number the caller provides. For physical visits, require photo ID and a scheduled work order before anyone touches a machine. The FBI's advisory recommends firms adopt exactly these verification habits, and a written policy makes them automatic instead of situational.
A well structured policy can. Cyber extortion coverage responds to the demand, while breach response, notification, and privacy and regulatory coverage carry the investigation and its duties. The nuance is that business interruption coverage may barely engage when systems never go down, so the sublimits on the other parts matter more in this loss than in the classic shutdown scenario. That is a document review, not a guess.
Keep them confidential. Bloomberg Law has reported that some extortion groups look for a firm's cyber policy during an intrusion and demand the policy limits as ransom. Your limits should be known to you, your broker, and your counsel. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer, but every client should know exactly what their limits are and who else might.
Send us the cyber policy you carry today. We will read its parts against this exact loss, extortion without ransomware, and show you in plain English where it holds and where it thins. If it holds up, you will hear exactly that.
Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.