August 12, 2025

The US Federal Bureau of Investigation (FBI) Cyber Division recently issued a detailed warning to US law firms about highly successful targeted social engineering attacks by the Silent Ransom Group. Since 2023, this group has increasingly focused on exfiltrating sensitive data from major US law firms and leveraging it to extort a ransom.

Unlike traditional ransomware attacks that often rely on broad-scale phishing campaigns to deliver malware, Silent Ransom Group strikes victims with sophisticated, highly specific social engineering ploys.

Key takeaways

  • The FBI warns that the Silent Ransom Group is now targeting US law firms with a highly successful vishing attack strategy.
  • Unlike many extortion-oriented gangs, the Silent Ransom Group doesn’t rely on ransomware or other malware. Instead, it uses a scam scenario to socially engineer the theft of sensitive data and then threatens to expose it online.
  • The current attack begins with a vishing call to an identified employee, where the hacker poses as someone from the company’s internal IT department. Their goal is to convince the employee to establish a remote access session to fix a bogus IT issue. Once they establish access, the hackers quietly exfiltrate data while evading detection.
  • Once they have what they came for, the threat actors threaten to expose damaging secrets on their dark web leak site unless the victim pays a ransom.
  • There are concrete steps that law firms can take now to significantly reduce their risk from this type of attack.

Who is the Silent Ransom Group?

The Silent Ransom Group, also called Luna Moth, Chatty Spider, UNC3753, or LeakedData, has been operating since 2022. They specialize in data exfiltration and extortion—breaching company networks, stealing sensitive data, and holding it for ransom under threat of leaking it on their dark web site. Their base of operations is presumed to be connected to Russia but remains unknown; they mainly attack US-based businesses.

US law firms have recently been a preferred target, but Silent Ransom Group has attacked many organizations in other verticals and geographies, including financial services and healthcare entities. Their tactics include contacting individuals within victim companies to coerce them into ransom negotiations.

The group’s carefully planned assaults make it clear that Silent Ransom Group is a skilled, effective adversary capable of successful strikes on law firms and other rich targets. They invest significant effort into scouting, profiling, and gathering data on companies they intend to attack. Unlike opportunistic ransomware attacks that start with generic phishing emails, Silent Ransom Group’s attacks are very much dialed in prior to first contact.

What do SRG phishing attacks look like?

Silent Ransom Group’s current campaign on law firms is a recent departure from their initial approach. Instead of sending callback phishing emails, they are now identifying and vishing staff directly, claiming to work for the victim company’s internal IT.

Using either email or a webpage link, the attacker directs the employee to join a malicious remote access session using a popular service like AnyDesk, Splashtop, Atera, Syncro, or Zoho Assist. To create a sense of urgency and buy themselves more time to dig in, the attacker tells the person that the remote-access work will be done overnight, so the session must remain active.

These attacks minimize the need for privilege escalation and rely on legitimate software tools rather than malware. This makes Silent Ransom Group’s activities hard to spot and keeps them under the radar of traditional cybersecurity solutions.

Once located, valuable data is exfiltrated using Windows Secure Copy (WinSCP) or a renamed or hidden instance of the Rclone cloud storage management tool. Only then is a ransom demand sent to the victim, threatening to share the stolen data unless the ransom is paid.

Prior to March 2025, when they changed tactics, the kill chain for a typical Silent Ransom Group attack was similar but relied on phishing rather than vishing. They could start using this approach more frequently again at any time:

  1. The attack starts with a phishing email supposedly from a legitimate company (e.g., Masterclass or Duolingo) about a fake subscription charge. The recipient is told to call the included phone number to cancel the charge.
  2. The charge is relatively small to avoid arousing suspicion. Also, these emails contain no malicious links or attachments, making them more likely to get past email security solutions.
  3. Upon receiving a call back from the victim, the attacker posing as customer support talks the victim into downloading commercial remote access software, such as AnyDesk or Zoho Assist.
  4. Once the software is installed, the hackers have access to the linked system, often without needing admin privileges. Meanwhile, they reassure the user that the charge has been removed and they will not be billed.
  5. Next, the attackers find sensitive data and exfiltrate it with WinSCP or Rclone much as they currently do.
  6. Now they make their ransom demands, generally via email.
  7. After making demands, they may follow up with targeted emails, voice messages, and/or phone calls to increase their chances of success.

Tip-offs to watch for with these attack styles include:

  • Emails about subscription charges that tell you to call a toll-free phone number to cancel.
  • Unexpected or unexplained downloads of cloud-based remote support software like Atera, AnyDesk, Syncro, Splashtop, or Zoho Assist.
  • Unexpected or unexplained activity from WinSCP, Rclone, or similar tools.
  • Employees getting suspicious calls from someone saying they work for the internal IT department.
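As an added example (not code from the article or the FBI advisory), the script below checks process-creation telemetry for the tool-based tip-offs listed above: the remote support products named in the article, and WinSCP or Rclone, including an Rclone binary that has been renamed. The records and the field names Image, OriginalFileName and CommandLine are constructed to resemble Sysmon-style process-creation events; the tool strings are the product names from the article, not verified executable names.

```python
"""Flag process-creation records that match the SRG tip-offs described above."""
from pathlib import PureWindowsPath

# Product names from the article; matched as substrings of the image filename.
REMOTE_SUPPORT_TOOLS = ("anydesk", "splashtop", "atera", "syncro", "zohoassist")

# Exfiltration tools from the article, matched on the PE OriginalFileName so a
# renamed copy (e.g. "svchost_update.exe") is still caught.
EXFIL_ORIGINAL_NAMES = {"rclone.exe", "winscp.exe"}


def classify(record: dict) -> list[str]:
    """Return the tip-off reasons a single record triggers (empty if none)."""
    image = PureWindowsPath(record.get("Image", "")).name.lower()
    original = record.get("OriginalFileName", "").lower()
    reasons = []
    for tool in REMOTE_SUPPORT_TOOLS:
        if tool in image:
            reasons.append(f"remote support tool: {tool}")
            break
    if original in EXFIL_ORIGINAL_NAMES:
        reason = f"exfiltration tool: {original}"
        if image != original:
            # Filename on disk differs from the compiled-in name: renamed binary.
            reason += f" (renamed to {image})"
        reasons.append(reason)
    return reasons


def scan(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Run classify over a batch and keep only the records that trigger."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((rec["Image"], reasons))
    return hits


# Constructed sample telemetry; these paths do not come from a real incident.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe", "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "WinSCP.exe"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_RECORDS):
        print(image, "->", "; ".join(reasons))
```

The OriginalFileName check only helps when the attacker leaves the PE version resource intact, so treat it as one signal alongside command-line and network telemetry rather than a standalone rule.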

Why does SRG target law firms?

Large US law firms make ideal targets for extortion attacks for several reasons:

  • Despite their prominence, many law firms are still transitioning from paper to digital records and may be behind the curve on basic cybersecurity controls, incident response planning, and data governance. This makes them especially vulnerable to expert hackers who know how to evade detection and move laterally around the network until they hit pay dirt.
  • Law firms are a “one-stop shop” for a wide array of confidential data, from client secrets to merger/acquisition plans to litigation playbooks to financial records to privileged correspondence.
  • A threat to expose a legal client’s data is some of the strongest extortion leverage a hacker could hope for, as law firms will go to great lengths to avoid reputational damage.

Silent Ransom Group protection tips

While Silent Ransom Group is currently targeting mostly the legal vertical, they have victimized organizations in many other industries. These are among the first steps any business should take to reduce risk from targeted social engineering attacks:

  • Train all staff who handle or administer sensitive data to be alert for the tip-off signs that an attack is in progress, including details on specific scams affecting your industry. Training is especially important with attacks like those described above because many of the telltale features that trigger security alerts may not be present.
  • Make sure you have “basic cyber hygiene” covered. Besides awareness training, that includes capabilities like best-practice password management, multifactor authentication on all key systems, data encryption, a robust backup protocol, efficient patch management, least privilege access rights, and endpoint protection services.
  • Create a company policy for how IT staff will contact employees, such as not initiating requests for remote access.
  • Maintain and test regular offline data backups.
  • Uninstall unused or unapproved remote access software so attackers cannot turn it against you.
  • If possible, restrict outbound SFTP/SSH traffic on port 22 to counter data exfiltration attempts using tools like WinSCP.

How to help silence Silent Ransom Group?

The FBI is asking firms that may have been targeted by Silent Ransom Group or an affiliate to voluntarily share useful information to help protect your company and others. This includes:

  • Voicemails, emails, callback messages, or other communications from the hackers
  • Any callback phone number used in the attack
  • A copy of the ransom demand
  • Any crypto wallet addresses used in the attack
  • Basic information on the data stolen, such as the data types and the number of records

For more information, including how to submit your incident data, contact your local FBI cyber squad.

Get law firm phishing defense

CBIZ Pivot Point Security provides services that help law firms and other clients efficiently achieve and maintain a provably secure and compliant cybersecurity posture. To schedule a complimentary discussion with a subject matter expert on how your business can better manage cyber risk and safeguard sensitive data even from targeted attacks, contact us today.