Silent Ransom Group targets law firms with fake IT support calls
The Silent Ransom Group is an extortion gang targeting U.S. law firms and professional services organizations through social engineering attacks involving fake IT support calls. The attacks start with benign phishing emails prompting callback phone calls, followed by remote support sessions where attackers trick victims into installing remote access tools. This grants attackers access to corporate networks, allowing them to steal sensitive legal and financial data. The group then issues aggressive ransom demands within hours, threatening to leak stolen data if unpaid. The FBI has also warned of in-person data theft linked to this group. The group no longer uses ransomware encryption but focuses on data theft and extortion. Defensive recommendations include strict verification of IT support interactions, limiting remote access tools, enforcing MFA, and employee training on voice phishing.
AI Analysis
Technical Summary
The Silent Ransom Group (tracked as UNC3753, Luna Moth, Chatty Spider) targets U.S. law firms and professional services via social engineering campaigns that begin with invoice-themed phishing emails lacking malicious payloads. These emails prompt victims to call back attackers impersonating IT staff, who then conduct remote support sessions using platforms like Microsoft Teams or Zoom. During these sessions, attackers convince victims to install remote monitoring and management tools (e.g., AnyDesk, Zoho Assist), gaining initial network access. The group searches for sensitive documents on document management and cloud storage platforms, exfiltrating data using tools such as WinSCP or Rclone. Extortion demands follow rapidly, with a three-day deadline and threats to notify clients and regulators. The group also uses fast-flux DNS infrastructure to protect its leak sites. The FBI has reported related in-person data theft attempts. The group evolved from Ryuk and Conti ransomware affiliates and now focuses solely on data theft extortion.
Potential Impact
The threat actor gains unauthorized remote access to corporate networks of law firms and professional services organizations, leading to theft of highly sensitive client and corporate data including contracts, tax records, Social Security numbers, and merger/acquisition files. The rapid extortion demands and threats to expose stolen data pose significant reputational and regulatory risks to victims. The attacks can result in data breaches with potential legal and financial consequences. The use of fast-flux infrastructure complicates takedown efforts of the group's leak sites. The FBI's report of in-person data theft attempts further increases the risk of physical compromise of sensitive data.
Mitigation Recommendations
No official patch applies as this is a social engineering and operational threat rather than a software vulnerability. The FBI and Mandiant recommend implementing strict verification procedures for all IT support interactions to confirm legitimacy before granting access. Organizations should limit the use of remote access tools and enforce multi-factor authentication (MFA) to reduce unauthorized access risk. Employee training to recognize voice phishing and callback phishing tactics is critical. Restricting USB storage device usage can help mitigate in-person data theft risks. These mitigations address the specific tactics used by the Silent Ransom Group as described in the vendor advisory.
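One way to operationalise the "limit remote access tools" recommendation is to correlate endpoint process-start telemetry for the two-step pattern described above (an RMM tool the organisation did not sanction, followed on the same host by a bulk-transfer tool such as WinSCP or Rclone). This is an added example, not code from the article or from the FBI/Mandiant advisories; the pipe-delimited log format, the sample log lines, the product-name matching, the approved-tool list and the 24-hour window are all assumptions.

```python
"""Flag the Silent Ransom Group pattern in endpoint process-start logs:
an unapproved RMM tool launch, then WinSCP/Rclone on the same host soon after."""
from collections import defaultdict
from datetime import datetime, timedelta

# Product-name substrings matched case-insensitively against the process image
# path. The article names these tools; exact binary names vary by version, so
# matching on the product name is an assumption of this example.
RMM_MARKERS = ("anydesk", "zohoassist", "zoho assist")
EXFIL_MARKERS = ("winscp", "rclone")
WINDOW = timedelta(hours=24)  # assumption: exfil follows the support session quickly

# Constructed sample telemetry: "ISO timestamp|host|user|process image path".
SAMPLE_LOG = [
    "2026-06-01T09:12:00|WS-PARALEGAL-07|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2026-06-01T09:40:00|WS-PARALEGAL-07|jdoe|C:\\Users\\jdoe\\Downloads\\rclone.exe",
    "2026-06-01T10:05:00|WS-ATTORNEY-03|asmith|C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
    "2026-06-03T14:00:00|WS-ATTORNEY-03|asmith|C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
]


def classify(image: str):
    """Return 'rmm', 'exfil' or None for a process image path."""
    name = image.lower()
    if any(m in name for m in RMM_MARKERS):
        return "rmm"
    if any(m in name for m in EXFIL_MARKERS):
        return "exfil"
    return None


def parse(line: str):
    ts, host, user, image = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, image


def detect(lines, approved=frozenset(), window=WINDOW):
    """Return (alert_type, host, user, image) tuples. `approved` holds the
    product-name substrings of RMM tools the organisation sanctions."""
    alerts = []
    rmm_seen = defaultdict(list)  # host -> timestamps of RMM launches
    for ts, host, user, image in sorted(map(parse, lines)):
        kind = classify(image)
        if kind == "rmm":
            if not any(a in image.lower() for a in approved):
                alerts.append(("unapproved_rmm", host, user, image))
            rmm_seen[host].append(ts)
        elif kind == "exfil" and any(ts - t <= window for t in rmm_seen[host] if t <= ts):
            # WinSCP/Rclone alone is not flagged; only when preceded by an RMM launch.
            alerts.append(("rmm_then_exfil", host, user, image))
    return alerts
```

Legitimate admin use of WinSCP on WS-ATTORNEY-03 produces no alert because no RMM launch preceded it; passing the sanctioned product in `approved` suppresses the first alert but keeps the correlation alert.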
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/silent-ransom-group-targets-law-firms-with-fake-it-support-calls/ (fetched 2026-06-07T21:47:53Z, 1330 words)
Threat ID: 6a25e712e29bf47b5042bf35
Added to database: 6/7/2026, 9:48:02 PM
Last enriched: 6/7/2026, 9:48:17 PM
Last updated: 6/7/2026, 10:58:43 PM