ai | 2026-06-02

When Hackers Show Up in Person, AI Rollouts Hitting Enterpr

The FBI and Google confirmed Silent Ransom Group is sending fake IT workers in person to law firms with USB exfiltration. MIT's latest data shows 95% of enterprise GenAI pilots still fail — concentrated in procurement-led, top-down rollouts.

The FBI and Google warned that the Silent Ransom Group is sending fake IT workers in person to law firms' offices. Separately, MIT's Project NANDA confirmed the 95% enterprise AI pilot failure rate is holding, and the reasons are organizational, not technical.

What You Need to Know: On June 5, 2026, Google and the FBI jointly warned that Silent Ransom Group (also known as Luna Moth, Chatty Spider, UNC3753) has been sending fake IT support personnel in person to law firm offices to steal data directly from computers using USB drives and remote-access tools. Separately, MIT's Project NANDA "GenAI Divide" report holds that 95% of enterprise GenAI pilots fail to deliver tangible business value, with the failure pattern concentrated in back-office, procurement-led deployments.

Why It Matters

  • For physical security teams: A ransomware crew showing up in person is a paradigm shift. Visitor management and helpdesk identity verification are now a CISO problem, not a facilities problem.
  • For enterprise AI buyers: The 95% failure number hasn't moved in a year, and the most cited cause is "the model isn't the bottleneck" — buying, change management, and workflow integration are.
  • For law firms in particular: The FBI alert names Silent Ransom Group as targeting law firms with both phishing and in-person social engineering, with campaigns running January through May 2026.
  • For IT and HR: A vendor asking for in-person access to a workstation is now a red flag, not a routine request.

What Actually Happened

Silent Ransom Group has been showing up in person at US law firms

On May 26, 2026, the FBI's Internet Crime Complaint Center (IC3) published a private industry notification warning that Silent Ransom Group — also tracked as Luna Moth, Chatty Spider, and UNC3753 — is targeting US law firms using social engineering. On June 5, 2026, Google's Mandiant and Google Threat Intelligence Group published a follow-up report covering the in-person tactic. The pattern: adversaries pose as IT support staff, sometimes calling in advance to build credibility, sometimes arriving in person at the office. In person, they connect to employees' computers and use USB drives or remote-access tools to exfiltrate data including contracts, Social Security numbers, and financial and tax records. The group uses pure data extortion — no encryption — and operates a leak site that publishes stolen data on a deadline. Sources: TechCrunch — Google and FBI warn of ransomware group that sends fake IT workers in person, FBI IC3 Cyber Alert (PDF), Florida Bar News coverage, FBI PDF alert.

The attack chain: phone, then optional in-person follow-up

The typical Silent Ransom attack starts with a phone call to the target's helpdesk, with the caller claiming to be from corporate IT and asking the target to join a screen-sharing session — frequently over Zoom or Microsoft Teams — to address a security issue or to help with a "corporate data migration project." In some cases, the attack escalates to an in-person visit: a fake IT worker shows up at the office, plugs in a USB drive, and either exfiltrates data directly or hands off remote access to other crew members. The FBI confirmed to TechCrunch that "we have seen multiple instances of individuals impersonating IT support who have gained or attempted to gain physical in-person access to victim companies' offices and/or devices." Mandiant CTO Charles Carmakal added: "Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks." Reference: Google Cloud blog — Targeted campaign against US law firms.
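One way to turn the chain above into a detection, as an added example that is not taken from the FBI or Google reports: flag removable-storage attaches and remote-access tool launches on a workstation that no verified helpdesk ticket covers, and raise severity when a screen-share session came first on the same host. The event schema, host names, ticket records and the four-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: normalized endpoint events and verified helpdesk
# tickets. Schema and host names are assumptions, not real telemetry.
EVENTS = [
    {"ts": "2026-05-12T10:02:00", "host": "WS-114", "type": "screen_share_start"},
    {"ts": "2026-05-12T10:20:00", "host": "WS-114", "type": "usb_storage_attach"},
    {"ts": "2026-05-12T10:05:00", "host": "WS-207", "type": "usb_storage_attach"},
    {"ts": "2026-05-12T11:00:00", "host": "WS-301", "type": "remote_tool_start"},
]
# Assumed process: a ticket exists only after the requester's identity was verified.
TICKETS = [
    {"host": "WS-207", "start": "2026-05-12T10:00:00", "end": "2026-05-12T11:00:00"},
]
RISKY = {"usb_storage_attach", "remote_tool_start"}


def parse(ts):
    return datetime.fromisoformat(ts)


def covered(event, tickets):
    """True if a verified ticket covers this host at the event time."""
    t = parse(event["ts"])
    return any(
        tk["host"] == event["host"] and parse(tk["start"]) <= t <= parse(tk["end"])
        for tk in tickets
    )


def find_unverified_access(events, tickets, window=timedelta(hours=4)):
    """Flag USB-storage or remote-tool events that no verified ticket covers.

    Severity is "high" when the same host started a screen-share session
    within the preceding window (the phone-first pattern), else "medium".
    """
    last_share = {}  # host -> time of the most recent screen-share start
    alerts = []
    for e in sorted(events, key=lambda ev: parse(ev["ts"])):
        t = parse(e["ts"])
        if e["type"] == "screen_share_start":
            last_share[e["host"]] = t
        elif e["type"] in RISKY and not covered(e, tickets):
            prior = last_share.get(e["host"])
            high = prior is not None and t - prior <= window
            alerts.append((e["host"], e["type"], "high" if high else "medium"))
    return alerts
```

On the sample data the ticketed attach on WS-207 is suppressed, while WS-114 is raised as high because the USB attach follows a screen-share session on the same host.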

MIT's "GenAI Divide" — 95% of enterprise AI pilots are failing

MIT's Project NANDA published "The GenAI Divide: State of AI in Business 2025" in August 2025, and the follow-up reporting through early 2026 confirms the headline number has not improved. According to the report, 95% of enterprise GenAI pilots fail to deliver tangible business value, with the "GenAI Divide" being the discontinuity between adoption activity and business transformation. Organizations stuck on the wrong side of the divide keep buying tools and rolling them out without redesigning the underlying workflow. The most cited causes: lack of workflow integration, weak change management, procurement-led rather than operations-led adoption, and the failure to map "shadow AI" usage inside the organization. Sources: MLQ.ai — The GenAI Divide: State of AI in Business 2025 (PDF), DemandLab — 5 Takeaways from MIT's 2025 Report, Innovative Human Capital — Why 95% of Enterprise AI Investments Fail.

The deployment pattern that doesn't work

The MIT report is unambiguous about what fails. Pilots led by procurement, run by central IT, and rolled out top-down with a "tool-first, workflow-second" approach almost never reach the 5% that succeed. What works, per the report and the follow-on analysis: deployments that start with a specific workflow and a specific operator, that integrate the AI into the actual job-to-be-done rather than into a Slack bot nobody uses, and that let the workflow owner drive the change. The corollary is that "AI strategy" decks are a leading indicator of failure, not success. Reference: MLQ.ai MIT NANDA report.


The Take

Two stories, one rule. The Silent Ransom Group is succeeding because they understand the human trust boundary better than most enterprise security teams do — and the helpdesk-to-USB-drop chain is the social-engineering equivalent of a default-allow firewall. Meanwhile, the 95% failure rate is holding because enterprise AI deployments still treat "the model" as the bottleneck when the actual bottleneck is "the workflow." The MIT report's most under-cited finding is that the 5% that succeed are led by operators, not by procurement. The Silent Ransom report's most under-cited finding is that the in-person escalation only works because the helpdesk accepted a phone call first. In both cases, the failure is at the verification step. CISOs: a vendor showing up in person is now a red flag. CIOs: a vendor selling you an "AI transformation" deck is now the same kind of red flag.

Quick Summary

The FBI and Google confirmed Silent Ransom Group is sending fake IT workers in person to law firms, with USB-based exfiltration. MIT's latest data shows 95% of enterprise GenAI pilots still fail, with the failure pattern concentrated in procurement-led rollouts.



Source: TLDR | mr.technology — The Master Skill Index
