Google and the FBI have issued a joint warning about a sophisticated ransomware operation that combines digital threats with physical infiltration tactics. The group, known as UNC4996 by researchers, has developed a method where attackers pose as legitimate information technology support personnel to gain direct access to corporate offices and networks. This hybrid approach marks a significant escalation in how ransomware groups conduct their campaigns, blending social engineering with on-site presence to bypass traditional cybersecurity defenses.
According to a detailed advisory published by Google’s Threat Analysis Group and shared through TechCrunch, the operation typically begins with initial access brokers who compromise employee credentials through phishing or other remote methods. Once inside a target organization’s systems, the attackers gather intelligence about the company’s internal IT support structure, including names, departments, and common procedures for handling technical issues. They then use this information to create convincing personas for in-person visits.
The fake IT workers arrive at company facilities dressed in appropriate business attire, often carrying falsified identification badges that mimic those used by legitimate vendors or contractors. They claim to be responding to a reported technical problem, such as network slowdowns, software glitches, or hardware failures that the attackers themselves may have introduced during the initial breach. This pretext allows them to request physical access to servers, workstations, or network infrastructure under the guise of performing routine maintenance or troubleshooting.
Once granted entry, these imposters can deploy ransomware directly onto critical systems, install persistent backdoors, or exfiltrate sensitive data without triggering many of the automated alerts that monitor remote access attempts. The physical presence also enables them to connect malicious devices to internal networks, bypassing firewalls and other perimeter security measures that organizations typically rely upon. In several documented cases, the attackers remained on site for hours, engaging with real employees to maintain their cover while quietly compromising additional systems.
Security researchers have observed this tactic across multiple industries, with particular focus on manufacturing, healthcare, and financial services sectors. Organizations in these fields often maintain large physical footprints and employ numerous contractors, making it easier for outsiders to blend in without raising immediate suspicion. The group has successfully targeted mid-sized companies that possess valuable intellectual property or sensitive customer data but may lack the resources for comprehensive physical security protocols.
The advisory from Google and the FBI highlights several red flags that organizations should watch for when dealing with unexpected IT support visits. These include visitors who cannot provide specific ticket numbers matching internal records, those who seem unfamiliar with the company’s specific software environment, or individuals who arrive without prior coordination through official channels. The warning also emphasizes the need for strict verification procedures, including contacting known internal IT staff to confirm the legitimacy of any external support personnel.
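The red flags above translate directly into a checklist that reception can run before anyone is let past the front desk. The routine below is an added example, not code from the Google/FBI advisory or the article: it compares an unexpected visit against an internal ticket store and an approved-vendor roster and returns every red flag it finds. The ticket records, vendor names, sites and field names are constructed sample data and assumptions, not a real help-desk schema.

```python
"""
Added example, not code from the Google/FBI advisory or the article: a
reception-desk verification routine for unexpected IT-support visits, built
around the red flags the advisory lists (no ticket number matching internal
records, no prior coordination through official channels, vendor unknown to
internal IT). The ticket store, vendor roster and field names are constructed
sample data and assumptions, not a real help-desk schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed internal help-desk records, keyed by ticket id.
TICKETS = {
    "INC-20481": {"vendor": "Northwind Managed IT", "site": "HQ-3", "status": "open",
                  "scheduled": datetime(2025, 11, 4, 9, 0)},
    "INC-20377": {"vendor": "Northwind Managed IT", "site": "PLANT-1", "status": "closed",
                  "scheduled": datetime(2025, 10, 20, 13, 0)},
}
# Constructed roster of external contractors approved by internal IT.
APPROVED_VENDORS = {"Northwind Managed IT", "Contoso Field Services"}


@dataclass
class VisitRequest:
    visitor_name: str
    claimed_vendor: str
    ticket_id: Optional[str]              # what the visitor says they are responding to
    site: str                             # where they have turned up
    arrival_iso: str                      # ISO-8601 timestamp recorded by reception
    scheduled_via_official_channel: bool  # did internal IT book this visit?


def verify_visit(req: VisitRequest, window: timedelta = timedelta(hours=2)) -> List[str]:
    """Return the red flags for a visit; an empty list means every check passed.
    Any flag should be escalated to named internal IT staff before access is granted."""
    flags: List[str] = []
    if not req.scheduled_via_official_channel:
        flags.append("no prior coordination through official channels")
    if req.claimed_vendor not in APPROVED_VENDORS:
        flags.append(f"vendor '{req.claimed_vendor}' not on approved roster")
    ticket = TICKETS.get(req.ticket_id or "")
    if ticket is None:
        flags.append("no ticket number matching internal records")
        return flags  # nothing further to compare against
    if ticket["status"] != "open":
        flags.append(f"ticket {req.ticket_id} is {ticket['status']}, not open")
    if ticket["vendor"] != req.claimed_vendor:
        flags.append(f"ticket {req.ticket_id} is assigned to '{ticket['vendor']}'")
    if ticket["site"] != req.site:
        flags.append(f"ticket {req.ticket_id} is for site {ticket['site']}, not {req.site}")
    arrival = datetime.fromisoformat(req.arrival_iso)
    if abs(arrival - ticket["scheduled"]) > window:
        flags.append("arrival is outside the scheduled window for the ticket")
    return flags


if __name__ == "__main__":
    # Constructed walk-in: no booking, unknown vendor, no ticket.
    walk_in = VisitRequest("J. Doe", "QuickFix IT", None, "HQ-3", "2025-11-04T09:15:00", False)
    for flag in verify_visit(walk_in):
        print("RED FLAG:", flag)
```

The check deliberately keeps going after the first failure so reception hands internal IT the full list rather than a single yes/no; the one early return is when no ticket exists at all, since there is then nothing to compare the visitor's story against.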
This new attack vector exposes limitations in conventional cybersecurity strategies that focus primarily on digital perimeters. Many companies invest heavily in firewalls, endpoint detection, and cloud security solutions while paying less attention to how physical access translates into digital compromise. The ransomware operators have recognized this gap and structured their operations to exploit it systematically. By combining remote initial access with on-site execution, they reduce their digital footprint during the most critical phases of the attack.
Law enforcement agencies report that the group behind these operations maintains a professional structure with clearly defined roles. Some members specialize in reconnaissance and credential theft, while others handle the creation of fake identities and documentation. A separate team manages the actual on-site operations, often recruiting individuals who have legitimate backgrounds in technical support to make their personas more convincing. This division of labor allows the organization to scale its activities across different geographic regions while maintaining operational security.
Victims of these attacks face multiple layers of damage. Beyond the immediate encryption of files and demands for ransom, companies must deal with the breach of physical security protocols and potential regulatory consequences. Healthcare organizations, for example, may face additional scrutiny under privacy regulations if patient data is accessed during these intrusions. Manufacturing firms risk losing proprietary designs or production methods that could benefit competitors.
The financial impact extends beyond ransom payments. Organizations typically incur significant costs for forensic investigations, system restoration, employee training, and enhanced security measures following such incidents. Insurance providers have begun adjusting their policies to account for these hybrid threats, sometimes requiring proof of physical security protocols before offering coverage against ransomware claims.
Google’s researchers first identified patterns associated with this group in late 2025 after observing multiple incidents where ransomware deployment coincided with visitor logs showing unfamiliar IT support personnel. Further investigation revealed coordinated campaigns targeting organizations in North America and Europe. The FBI has since corroborated these findings through its own casework and international partnerships with law enforcement agencies in affected countries.
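The pattern the researchers keyed on, endpoint activity coinciding with an unfamiliar visitor being on site, is something a security team can check for itself by joining the visitor-management export against endpoint alerts. The correlation below is an added example and not code from the article or the advisory; the log lines, hostnames, vendor names and event labels are constructed sample data and the pipe-delimited layout is an assumption.

```python
"""
Added example, not code from the article or the advisory: correlate endpoint
alerts with the visitor log so that an alert raised at a site while an
external visitor was badged in is tied to that visit. Alerts during an
unverified visit are rated high; alerts during a verified visit are still
surfaced for review. All log lines below are constructed sample data.
"""
from datetime import datetime
from typing import Dict, List

# Constructed visitor-management export: badge-in|badge-out|site|name|vendor|ticket|status
VISITOR_LOG = """\
2025-11-04T08:52:00|2025-11-04T11:30:00|HQ-3|A. Rivera|Northwind Managed IT|INC-20481|verified
2025-11-04T13:10:00|2025-11-04T17:05:00|HQ-3|J. Doe|QuickFix IT|none|unverified
2025-11-04T14:05:00|2025-11-04T16:30:00|PLANT-1|M. Chen|Contoso Field Services|INC-20490|verified
"""

# Constructed EDR alert export: timestamp|site|host|event
ENDPOINT_ALERTS = """\
2025-11-04T09:30:00|HQ-3|hq3-fs01|suspicious_service_install
2025-11-04T15:42:00|HQ-3|hq3-fs02|mass_file_rename
2025-11-04T15:47:00|HQ-3|hq3-db01|new_usb_mass_storage
2025-11-04T15:50:00|PLANT-1|pl1-hmi03|mass_file_rename
2025-11-04T22:10:00|HQ-3|hq3-fs02|mass_file_rename
"""


def parse_visitors(text: str) -> List[Dict]:
    """Turn the pipe-delimited visitor export into records with datetime bounds."""
    visits = []
    for line in text.strip().splitlines():
        tin, tout, site, name, vendor, ticket, status = line.split("|")
        visits.append({"in": datetime.fromisoformat(tin), "out": datetime.fromisoformat(tout),
                       "site": site, "name": name, "vendor": vendor,
                       "ticket": ticket, "status": status})
    return visits


def parse_alerts(text: str) -> List[Dict]:
    """Turn the pipe-delimited alert export into records with a datetime."""
    alerts = []
    for line in text.strip().splitlines():
        ts, site, host, event = line.split("|")
        alerts.append({"ts": datetime.fromisoformat(ts), "site": site,
                       "host": host, "event": event})
    return alerts


def correlate(visitor_text: str = VISITOR_LOG, alert_text: str = ENDPOINT_ALERTS) -> List[Dict]:
    """Return one hit per (alert, visitor) pair where the visitor was badged in at
    the alert's site when the alert fired. Alerts with no overlapping visitor
    are not returned; they belong to the ordinary remote-access detection path."""
    hits = []
    visits = parse_visitors(visitor_text)
    for alert in parse_alerts(alert_text):
        for v in visits:
            if v["site"] == alert["site"] and v["in"] <= alert["ts"] <= v["out"]:
                hits.append({"ts": alert["ts"].isoformat(), "host": alert["host"],
                             "event": alert["event"], "visitor": v["name"],
                             "vendor": v["vendor"], "ticket": v["ticket"],
                             "severity": "high" if v["status"] != "verified" else "review"})
    return hits


if __name__ == "__main__":
    for hit in correlate():
        print(f"[{hit['severity']:6}] {hit['ts']} {hit['host']} {hit['event']} "
              f"while {hit['visitor']} ({hit['vendor']}, ticket {hit['ticket']}) on site")
```

Run against the constructed data, the two alerts on HQ-3 hosts during the unverified walk-in come out as high, the two that overlap verified visits come out as review, and the late-evening alert with nobody badged in is left to the normal alert pipeline. In a real deployment the same join would run on the visitor-management and EDR exports, and the `review` tier is what catches a legitimate-looking booking that was actually made with stolen credentials.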
The advisory recommends several practical steps for organizations to protect themselves. These include implementing visitor management systems that require advance registration and photo identification, training reception staff to verify IT support requests through multiple channels, and establishing clear protocols for escorting external personnel within facilities. Companies are also advised to segment their networks so that physical access to one area does not automatically grant broad system privileges.
Some security experts suggest adopting zero-trust principles that extend beyond digital identities to include physical verification. This might involve requiring biometric authentication for access to server rooms or implementing surveillance systems that monitor activity around critical infrastructure. Regular security awareness training should include scenarios involving physical social engineering attempts, not just traditional phishing emails.
The emergence of this tactic reflects broader trends in cybercrime where attackers adapt to improved digital defenses by finding weaknesses in human and physical processes. As organizations have strengthened their remote access controls and endpoint protections, criminals have shifted toward methods that exploit trust and personal interaction. This evolution requires a corresponding adjustment in how companies approach their overall security posture.
Industry analysts predict that other ransomware groups will likely adopt similar techniques as they observe the success of UNC4996. The relatively low technical barrier for executing these physical intrusions, combined with their high success rate, makes them attractive to a wide range of threat actors. Smaller criminal organizations that lack advanced malware development capabilities may find particular value in this approach since it allows them to achieve significant impact with limited technical resources.
Organizations operating in multiple locations face additional challenges in maintaining consistent security standards across different facilities. A manufacturing plant in one state might have different visitor policies than a corporate headquarters in another city, creating inconsistencies that attackers can exploit. Developing enterprise-wide standards for physical security verification has become an urgent priority for many chief information security officers.
The joint Google and FBI warning serves as both an alert and a call to action for businesses of all sizes. While large enterprises may already employ sophisticated access control systems, smaller companies often rely on informal procedures that prove inadequate against determined adversaries. The advisory includes specific recommendations tailored to organizations with limited security resources, emphasizing simple but effective practices like mandatory escort policies and verification checklists.
As these hybrid attacks continue to surface, the cybersecurity community has begun developing new tools and frameworks specifically designed to address physical-digital convergence threats. Some vendors now offer integrated platforms that combine visitor management with network access controls, automatically restricting system privileges for unverified personnel. Others are exploring artificial intelligence applications that can analyze patterns in visitor behavior to identify potential imposters.
The incidents documented in the advisory demonstrate that even companies with mature cybersecurity programs can fall victim when physical security receives insufficient attention. In one notable case, an attacker posing as an IT contractor spent nearly four hours on site, during which time he deployed ransomware across multiple servers while simultaneously engaging in casual conversation with employees about sports and weather. The human element remains a critical vulnerability that technology alone cannot fully address.
Security professionals recommend conducting regular audits of physical access procedures and testing them through simulated attacks. Red team exercises that include social engineering components have proven effective at identifying gaps in current protocols. These exercises should involve realistic scenarios that mirror the tactics used by groups like UNC4996, including the use of forged credentials and technical pretexts.
The collaboration between Google’s Threat Analysis Group and the FBI represents an increasingly common model for addressing sophisticated cyber threats. By combining the extensive telemetry available to technology companies with the investigative capabilities of law enforcement, these partnerships can provide more comprehensive insights than either entity could achieve independently. The resulting advisories offer actionable intelligence that helps organizations stay ahead of emerging tactics.
Companies that have already experienced these types of attacks report that the psychological impact on employees can be significant. Staff members often feel violated when they realize they interacted with criminals who used that interaction to harm the organization. Addressing this emotional dimension through transparent communication and support becomes an important part of the recovery process.
Looking ahead, experts anticipate that ransomware groups will continue refining their physical infiltration methods. Future variations might include the use of deepfake technology for video verification calls or the deployment of teams that include both technical and non-technical members to create more convincing scenarios. Some groups may also explore partnerships with organized crime elements that specialize in physical operations, further blurring the lines between cyber and traditional criminal activities.
The advisory stresses that no single security measure can completely eliminate these risks. Instead, organizations must implement layered defenses that address multiple aspects of the attack chain. This includes strengthening initial access prevention, improving detection capabilities for anomalous behavior, developing robust response procedures for suspected physical intrusions, and maintaining effective backup and recovery systems that can operate even when primary networks are compromised.
By taking these threats seriously and implementing appropriate safeguards, companies can reduce their vulnerability to this new breed of ransomware attack. The joint warning from Google and the FBI provides a foundation for understanding the tactics involved and developing practical strategies to counter them. As attackers continue to innovate, security teams must maintain vigilance across both digital and physical domains to protect their organizations’ critical assets and operations.


WebProNews is an iEntry Publication