Silent Ransom Group Uses DNS Fast Flux in Attacks
The Silent Ransom Group (SRG), a ransomware gang primarily targeting US law firms, employs DNS fast flux techniques to conceal its command and control (C&C) infrastructure. SRG uses social engineering, including voice phishing and in-person tactics, to gain remote access and exfiltrate data without deploying file-encrypting malware. The group then extorts victims by threatening to publish stolen data. Their fast flux network leverages a large number of compromised IoT and customer premises devices across 18 countries to rapidly rotate DNS records, complicating detection and takedown efforts. This technique supports their extortion campaigns and has contributed to increased ransomware incidents in the legal sector. No direct patch or fix applies as this is a threat actor behavior rather than a software vulnerability.
AI Analysis
Technical Summary
The Silent Ransom Group (SRG), also known as Chatty Spider, Luna Moth, and UNC3753, targets law firms and other sensitive sectors in the US using social engineering and physical access methods to gain network entry. Instead of deploying ransomware encryption, SRG focuses on data exfiltration followed by extortion via data leak threats. To protect their infrastructure, SRG uses DNS fast flux, a technique that rapidly changes DNS records across a botnet of infected routers, modems, and IoT devices distributed globally. This fast flux network obscures the location of their C&C servers by rotating IP addresses and DNS name servers, complicating defensive actions. The group’s domains involved in fast flux include ep6pheij[.]com and business-data-leaks[.]com. The FBI and Resecurity have documented these tactics, highlighting SRG’s significant impact on the legal industry and other sectors handling sensitive data.
Potential Impact
SRG’s use of DNS fast flux enables persistent and resilient C&C infrastructure, making it harder for defenders to block or take down their servers. Their attacks result in data theft and extortion, causing reputational damage, financial loss, and operational disruption to targeted organizations, especially law firms in the US. The group’s tactics have contributed to a rise in ransomware-related incidents in the legal sector, which accounted for nearly a quarter of such incidents in early 2026. The fast flux technique itself does not exploit a software vulnerability but supports the threat actor’s ability to evade detection and maintain control over compromised environments.
Mitigation Recommendations
There is no patch or direct fix for the DNS fast flux technique as it is a threat actor operational method rather than a software vulnerability. Organizations should focus on detecting and blocking fast flux domains and IP addresses through threat intelligence feeds and DNS monitoring. Enhancing user awareness to resist social engineering and vishing attacks is critical, as SRG relies heavily on these methods for initial access. Network defenders should monitor for unusual DNS activity and implement controls to limit unauthorized remote access and physical device insertion. Collaboration with law enforcement and threat intelligence providers is recommended to track and respond to SRG activities.
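To make the DNS-monitoring recommendation concrete, the following heuristic scores passive-DNS observations for the two traits the analysis describes: answers rotating across many unrelated networks with short TTLs (single flux) and a name-server set that rotates as well (double flux). This is an added example, not code from the article, the FBI/Resecurity reporting or any SRG tooling; every domain, IP, TTL and threshold in it is a constructed placeholder to be tuned against your own baseline.

```python
from collections import defaultdict
from ipaddress import ip_address

# Thresholds are assumptions for illustration; tune them against your own baseline.
MIN_DISTINCT_A = 5       # many distinct answers observed for one name
MIN_DISTINCT_PREFIX = 3  # spread across unrelated /16s, as a botnet of CPE/IoT devices is
MAX_TTL = 300            # short TTLs are what make the rotation effective
MIN_DISTINCT_NS = 4      # more NS names than a normal zone: the NS set rotates too

def prefix16(ip):
    """Coarse offline proxy for 'different network': the /16 of an IPv4 address."""
    packed = ip_address(ip).packed
    return f"{packed[0]}.{packed[1]}.0.0/16"

def summarize(observations):
    """Aggregate (qname, rtype, rdata, ttl) tuples into per-name statistics."""
    stats = defaultdict(lambda: {"a": set(), "prefixes": set(), "ns": set(), "min_ttl": None})
    for qname, rtype, rdata, ttl in observations:
        s = stats[qname.lower().rstrip(".")]
        if rtype == "A":
            s["a"].add(rdata)
            s["prefixes"].add(prefix16(rdata))
        elif rtype == "NS":
            s["ns"].add(rdata.lower().rstrip("."))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def classify(s):
    """Return 'none', 'single-flux' or 'double-flux' for one name's statistics."""
    single = (len(s["a"]) >= MIN_DISTINCT_A and len(s["prefixes"]) >= MIN_DISTINCT_PREFIX
              and s["min_ttl"] is not None and s["min_ttl"] <= MAX_TTL)
    if not single:
        return "none"  # a CDN rotates many IPs too, but within few prefixes
    return "double-flux" if len(s["ns"]) >= MIN_DISTINCT_NS else "single-flux"

def flagged(observations):
    """Map each name whose verdict is not 'none' to that verdict."""
    verdicts = {n: classify(s) for n, s in summarize(observations).items()}
    return {n: v for n, v in verdicts.items() if v != "none"}

# Constructed sample observations (qname, rtype, rdata, ttl); names and IPs are placeholders.
SAMPLE = [
    # CDN-style name: many answers and a 20 s TTL, but one /16 and a stable NS pair.
    *[("assets.cdn-example.net", "A", f"203.0.113.{i}", 20) for i in range(1, 9)],
    ("assets.cdn-example.net", "NS", "ns1.cdn-example.net", 3600),
    ("assets.cdn-example.net", "NS", "ns2.cdn-example.net", 3600),
    # Fast-flux-style name: answers scattered across three /16s with a 60 s TTL,
    # and four different name servers seen within the window.
    *[("c2-placeholder.example", "A", ip, 60) for ip in
      ("192.0.2.44", "192.0.2.101", "198.51.100.7", "198.51.100.88", "203.0.113.200", "203.0.113.9")],
    *[("c2-placeholder.example", "NS", ns, 60) for ns in
      ("ns1.flux-a.example", "ns2.flux-a.example", "ns1.flux-b.example", "ns2.flux-b.example")],
]
```

Feeding real resolver logs or a passive-DNS export through `summarize` and `flagged` surfaces candidates for threat-intelligence correlation; the /16 proxy should be replaced by ASN lookups where they are available.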
Technical Details
- Article Source: https://www.securityweek.com/silent-ransom-group-uses-dns-fast-flux-in-attacks/ (fetched 2026-06-08T10:33:34Z, 1177 words)
Threat ID: 6a269a7ee29bf47b50d6cd4d
Added to database: 6/8/2026, 10:33:34 AM
Last enriched: 6/8/2026, 10:33:45 AM
Last updated: 6/8/2026, 11:36:43 AM