In remote campaigns, the groups start out by contacting employees with emails about data migration or invoices and then use those communications as a pretext to initiate phone conversations while posing as IT support. In these calls, they convince targets to host screen-sharing sessions and download remote management and monitoring utilities. In physical campaigns, the groups send individuals who pose as IT technicians, enter corporate offices and try to steal data by using USB storage media. Once they gain access by either of these methods, the groups steal proprietary legal agreements, personally identifiable information, financial records and other highly sensitive data. They then initiate ransom negotiations while threatening to release the stolen data publicly.