While SRG has historically targeted other sectors such as medical and insurance organizations, beginning in Spring 2023, the group has consistently targeted U.S.-based law firms and organizations with “similar naming conventions,” the FBI said, “likely due to the highly sensitive nature of legal industry data.” The group has been operating since 2022 and is primarily known for callback phishing emails, aka reverse vishing, where the group pretends to be well-known companies purporting to charge small subscription fees. If the victim wishes to cancel the fake subscription, they must call the threat actor, who emails the victim a link to download remote access software to gain access to their device or system. Once they’ve established access, the threat group will search for sensitive data to exfiltrate and then send a ransom notice to the victim threatening to release the data if the ransom is not paid. Beginning in March 2025, the group changed tactics by calling individuals and claiming to be an employee from their organization’s IT department, known as social engineering calls or vishing, short for “voice phishing.” The threat actor then tries to get the employee to join a remote access session. If the employee grants access to their device, “they are told that work needs to be done overnight,” the FBI said. “Once in the victim’s device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through ‘WinSCP’ (Windows Secure Copy) or a hidden or renamed version of ‘Rclone,’” the FBI advisory said.

‍