FBI Warns of Silent Ransom Group Targeting Law Firms with Vishing Attacks
The FBI has issued a warning about the Silent Ransom Group (SRG), a cybercrime group using IT-themed social engineering and callback phishing emails to gain remote access to systems and steal sensitive data. SRG, also known as Luna Moth, Chatty Spider, and UNC3753, is using the stolen information to extort law firms and similar organizations.
While SRG has previously targeted sectors like healthcare and insurance, the group has recently focused on U.S.-based law firms, likely due to the sensitive nature of legal data. The group's tactics include sending fake subscription charge emails that prompt victims to call a number. On the call, the attackers guide victims to install remote access software under the pretense of canceling the subscription. After gaining access, they exfiltrate data and demand a ransom to prevent its release.
Since March 2025, SRG has expanded its tactics to include direct calls, posing as members of the victim’s IT department. Victims are persuaded to join a remote session, and once access is granted, attackers claim they need to perform overnight maintenance. During this time, they use tools like WinSCP or disguised versions of Rclone to steal data. The FBI noted this newer voice phishing method has already led to several successful compromises.
SRG also contacts organizations post-attack to pressure them into paying the ransom. While they operate a public leak site, the group has been inconsistent about posting victim data.
Because SRG uses legitimate software such as Zoho Assist, AnyDesk, and Splashtop, traditional antivirus tools may not detect the activity. Organizations are encouraged to watch for:
- Unauthorized downloads of remote access tools
- Outbound connections made using WinSCP or Rclone
- Subscription-related emails asking recipients to call a phone number
- Voicemails or emails claiming data was stolen
- Unsolicited IT support calls
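The first two indicators can be checked against endpoint process-creation telemetry. The sketch below is an added example, not part of the FBI advisory or the original article. It assumes events shaped like Sysmon process-creation records (fields `Computer`, `Image`, `OriginalFileName`, `Product`, `Company`), assumes the embedded original file names `rclone.exe` and `winscp.exe`, and uses a hypothetical allowlist of approved hosts. All sample events are constructed.

```python
import ntpath

# Assumed version-resource names for the two transfer tools the article names.
EXFIL_ORIGINAL_NAMES = {"rclone.exe", "winscp.exe"}
# Vendor keywords for the remote access tools the article names.
REMOTE_ACCESS_VENDORS = ("anydesk", "splashtop", "zoho")
# Hypothetical allowlist of hosts where IT approved remote access software.
APPROVED_HOSTS = {"HELPDESK-01"}


def classify(event):
    """Return findings for one Sysmon-style process-creation event (dict)."""
    exe = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    if original in EXFIL_ORIGINAL_NAMES:
        if exe != original:
            # The embedded name says rclone/WinSCP but the file was renamed.
            findings.append(f"renamed {original} running as {exe}")
        else:
            findings.append(f"{original} executed")
    text = " ".join(event.get(k, "") for k in ("Image", "Product", "Company")).lower()
    if event.get("Computer") not in APPROVED_HOSTS:
        findings += [f"unapproved remote access tool ({v})"
                     for v in REMOTE_ACCESS_VENDORS if v in text]
    return findings


def triage(events):
    """Map host name to the findings raised by its events."""
    report = {}
    for ev in events:
        for finding in classify(ev):
            report.setdefault(ev["Computer"], []).append(finding)
    return report


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "LAW-WS-14", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "", "Product": "AnyDesk", "Company": "AnyDesk Software GmbH"},
    {"Computer": "LAW-WS-14", "Image": r"C:\ProgramData\svchelper.exe",
     "OriginalFileName": "rclone.exe", "Product": "Rclone", "Company": "https://rclone.org"},
    {"Computer": "HELPDESK-01", "Image": r"C:\Program Files\Splashtop\client.exe",
     "OriginalFileName": "", "Product": "Splashtop", "Company": "Splashtop Inc."},
    {"Computer": "LAW-WS-02", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Product": "Microsoft Windows", "Company": "Microsoft Corporation"},
]
```

A binary whose version resource has been stripped will not match on `OriginalFileName`, so pair this check with network monitoring for the outbound transfers themselves.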
Recommended actions include phishing awareness training, clear policies for IT authentication, and company-wide two-factor authentication.
The FBI urges any affected organizations to share legally permissible information such as ransom notes, suspicious phone numbers, voicemails, or cryptocurrency wallet addresses to aid their investigation.