No Malware, No Alerts, Just a USB Drive in Your Office
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The Silent Ransom Group (SRG) has shifted away from conventional ransomware and now favors a pure data-theft extortion model, stealing information from US law firms with legitimate remote monitoring and management (RMM) tools or, through an on-site operative, USB devices. The group typically reaches victims through phishing emails or vishing calls, then deploys trusted RMM software and exfiltrates data to cloud platforms or removable media before issuing extortion demands through a public leak site.
Investigation
Because no malicious binary is involved, investigators rely on forensic evidence such as traces of RMM executables, WinSCP or Rclone logs, USB connection records, and cloud-service network traffic rather than on malware hashes. The FBI FLASH alert emphasizes the absence of traditional malicious binaries and lists indicators including process names, cloud endpoints, and the public extortion site used by the group.
Mitigation
Organizations should enforce strict allow-listing for remote monitoring and management tools, monitor process-to-network relationships for unusual cloud API traffic, enable detailed USB device logging, and block communication with known exfiltration services. Ongoing user awareness training around phishing and vishing remains an important defensive measure.
Response
If this activity is detected, isolate the impacted system, collect volatile data and logs before they are overwritten, stop suspicious processes and their network sessions, determine whether USB devices were connected, and coordinate the extortion response with legal and executive teams. Physical security records such as badge access logs and video footage should also be preserved to help identify unauthorized on-site activity.
Attack Flow
graph TB
    %% Class Definitions
    classDef technique fill:#99ccff
    classDef tool fill:#ffcc99
    %% Nodes
    initial_access["<b>Technique</b> – <b>T1566 Phishing</b> & <b>T1598.004 Vishing</b><br/><b>Description</b>: Deceptive email with subscription lure or phone call to obtain credentials"]
    class initial_access technique
    tool_rmm["<b>Tool</b> – <b>Name</b>: AnyDesk / Zoho Assist<br/><b>Technique</b>: T1219 Remote Access Software"]
    class tool_rmm tool
    tech_valid_accounts["<b>Technique</b> – <b>T1078 Valid Accounts</b><br/><b>Description</b>: Use legitimate credentials to establish a remote session"]
    class tech_valid_accounts technique
    tech_archive["<b>Technique</b> – <b>T1560.001 Archive via Utility</b><br/><b>Description</b>: Compress or archive collected data before exfiltration"]
    class tech_archive technique
    tool_transfer["<b>Tool</b> – <b>Name</b>: WinSCP / Rclone<br/><b>Techniques</b>: T1537 Transfer Data to Cloud Account, T1567.002 Exfiltration to Cloud Storage"]
    class tool_transfer tool
    tech_cloud_transfer["<b>Technique</b> – <b>T1537 Transfer Data to Cloud Account</b><br/><b>Description</b>: Move data to a cloud account controlled by the adversary"]
    class tech_cloud_transfer technique
    tech_exfil_cloud["<b>Technique</b> – <b>T1567.002 Exfiltration to Cloud Storage</b><br/><b>Description</b>: Upload data to cloud storage via web services"]
    class tech_exfil_cloud technique
    tech_removable_media["<b>Technique</b> – <b>T1052.001 Exfiltration over USB</b><br/><b>Description</b>: Physical operative copies data to USB or other removable media"]
    class tech_removable_media technique
    %% Connections
    initial_access -->|uses| tool_rmm
    tool_rmm -->|enables| tech_valid_accounts
    tech_valid_accounts -->|leads_to| tech_archive
    tech_archive -->|uses| tool_transfer
    tool_transfer -->|executes| tech_cloud_transfer
    tech_cloud_transfer -->|leads_to| tech_exfil_cloud
    tech_exfil_cloud -->|fallback| tech_removable_media
Detections
- Suspicious Process Mimicking System Process Was Executed (via cmdline)
- Alternative Remote Access / Management Software (via process_creation)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- SRG – WinSCP or Rclone Data Exfiltration to External Locations [Windows Network Connection]
- Silent Ransom Group – Unauthorized RMM Tool Usage [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section describes the exact execution of the adversary technique (TTP) that the detection rule is designed to catch. The commands and narrative must reflect the TTPs identified above and generate the precise telemetry the detection logic expects; an abstract or unrelated simulation would test something other than the rule and lead to a misdiagnosis of its coverage.
Attack Narrative & Commands
An operator of the Silent Ransom Group has obtained stolen credentials for a privileged domain account. Using those credentials, they log onto a victim workstation remotely via RDP. Their goal is to install AnyDesk (a legitimate RMM tool) to maintain persistent remote access. Rather than installing it through the organization's software-deployment tooling, they launch the binary directly from PowerShell, so the parent process is powershell.exe, which is not in the rule's filter_authorized list. This sequence produces a process-creation event that matches the rule's selection (executable name ends with AnyDesk.exe) and fails the filter_authorized check, thereby generating an alert.
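The "selection minus filter_authorized" logic described in the narrative, together with the process-to-network monitoring recommended under Mitigation, can be checked offline before the regression script is run on a host. The following is an added example, not the page's or the vendor's own rule code: it expresses the two SRG-specific detections listed above as plain Python predicates and evaluates them over constructed Sysmon-style events. The authorized-parent list, the Zoho Assist binary name, the internal destination allow-list and every sample event are assumptions chosen for illustration.

```python
"""
Added example, not the page's own rule code: two of the page's detections
expressed as plain Python predicates and evaluated over constructed
Sysmon-style events, so the "selection minus filter_authorized" logic
described in the attack narrative can be checked offline.

Assumptions (not from the page): the authorized-parent list, the Zoho Assist
binary name, the internal destination allow-list and every sample event.
"""
from __future__ import annotations

import ntpath

# Selection for "Silent Ransom Group - Unauthorized RMM Tool Usage".
RMM_BINARIES = {"anydesk.exe", "zohoassist.exe"}  # zohoassist.exe is an assumed name
# filter_authorized: parents a software-deployment pipeline would use (assumed list).
AUTHORIZED_PARENTS = {"services.exe", "msiexec.exe", "explorer.exe"}

# Selection for "SRG - WinSCP or Rclone Data Exfiltration to External Locations".
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# Destinations the business legitimately syncs to (assumed); anything else is external.
ALLOWED_DESTINATIONS = {"backup.corp.example", "files.corp.example"}


def image_name(path: str | None) -> str:
    """Return the lower-cased file name of an image path ('' when absent)."""
    return ntpath.basename(path or "").lower()


def unauthorized_rmm(event: dict) -> bool:
    """process_creation: RMM binary launched by a parent outside the allow-list.

    A missing ParentImage cannot satisfy the filter, so the event still alerts,
    which is how a Sigma filter condition behaves on an absent field.
    """
    if event.get("EventType") != "process_creation":
        return False
    if image_name(event.get("Image")) not in RMM_BINARIES:
        return False
    return image_name(event.get("ParentImage")) not in AUTHORIZED_PARENTS


def external_exfil_tool(event: dict) -> bool:
    """network_connection: WinSCP/Rclone talking to a host outside the allow-list."""
    if event.get("EventType") != "network_connection":
        return False
    if image_name(event.get("Image")) not in EXFIL_TOOLS:
        return False
    dest = (event.get("DestinationHostname") or "").lower()
    return dest not in ALLOWED_DESTINATIONS


RULES = {
    "SRG - Unauthorized RMM Tool Usage": unauthorized_rmm,
    "SRG - WinSCP or Rclone Exfiltration to External Locations": external_exfil_tool,
}


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, event id) for every event that fires a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES.items():
            if predicate(event):
                hits.append((name, event["Id"]))
    return hits


# Constructed telemetry; field names follow Sysmon event IDs 1 and 3.
SAMPLE_EVENTS = [
    {"Id": "e1", "EventType": "process_creation",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Id": "e2", "EventType": "process_creation",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},          # deployed by the pipeline
    {"Id": "e3", "EventType": "process_creation",
     "Image": r"C:\Users\j.doe\Downloads\AnyDesk.exe"},             # parent not logged
    {"Id": "e4", "EventType": "network_connection",
     "Image": r"C:\Users\j.doe\AppData\Local\rclone\rclone.exe",
     "DestinationHostname": "storage.cloud-provider.example", "DestinationPort": 443},
    {"Id": "e5", "EventType": "network_connection",
     "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "DestinationHostname": "backup.corp.example", "DestinationPort": 22},
    {"Id": "e6", "EventType": "network_connection",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "storage.cloud-provider.example", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Run as a script, the block reports e1 and e3 for the RMM rule and e4 for the exfiltration rule; e2 is suppressed by the parent allow-list, e5 by the destination allow-list, and e6 because a browser is not in the tool selection. Event e3 is the case worth noting when porting this to a SIEM: an event with no parent recorded must not be silently dropped by the filter, or an attacker can evade the rule simply by breaking parent attribution.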
Regression Test Script
# -------------------------------------------------
# Silent Ransom Group – RMM Tool Execution Test
# -------------------------------------------------
# Simulate an attacker launching AnyDesk.exe directly from PowerShell so that
# the parent process (powershell.exe) is not in the rule's filter_authorized list
# 1. Define the path to the RMM binary (adjust if installed elsewhere)
$anyDeskPath = "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
# 2. Verify the binary exists before launching
if (-not (Test-Path -Path $anyDeskPath)) {
    Write-Error "AnyDesk.exe not found at $anyDeskPath. Place the binary or adjust the path."
    exit 1
}
# 3. Launch AnyDesk.exe from PowerShell (parent = powershell.exe); keep the
#    process object so the cleanup step can terminate exactly this instance
$anyDeskProcess = Start-Process -FilePath $anyDeskPath -WindowStyle Hidden -PassThru
Write-Output "AnyDesk launched (PID $($anyDeskProcess.Id)) – detection should fire if the rule is active."
# -------------------------------------------------
# End of script
# -------------------------------------------------
Cleanup Commands
# Terminate any lingering AnyDesk processes created by the test
Get-Process -Name "AnyDesk" -ErrorAction SilentlyContinue | Stop-Process -Force
# Optionally remove the test binary if it was placed solely for this simulation
# Remove-Item -Path "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" -Force