Silent Ransom Group Attacks Law Firms via IT Support Imp

David kimber
May 28, 2026

The Silent Ransom Group, a persistent threat actor, is actively targeting U.S. law firms through a sophisticated social engineering playbook. This group employs deceptive IT support impersonation tactics to breach networks and deploy ransomware, as detailed in a report from the FBI.

Rather than deploying ransomware in the traditional sense, this group goes straight for the data and then turns it into a weapon against the very organizations it stole from.

The Silent Ransom Group (SRG), also tracked under the aliases Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022.

The group operates across several industries, including insurance, finance, and healthcare, but law firms have been a consistent and primary focus since Spring 2023.

Their method is straightforward but highly effective: trick employees into trusting them, gain inside access, steal the data, and demand payment before it goes public.

The FBI said in a report shared with Cyber Security News (CSN) that SRG actors have recently escalated their tactics in a way that makes detection far more difficult.

Instead of relying on malicious software that antivirus tools might catch and flag, they use legitimate remote access tools to blend in with normal IT activity. That deliberate shift has made their campaigns significantly harder to spot and far harder to stop.

What sets SRG apart from most ransomware groups is that they skip encryption entirely. There is no locked system, no ransom note on the desktop, no sudden system shutdown.

Instead, the attackers quietly steal sensitive files and then threaten to sell or publish that data publicly unless the victim pays up. For law firms holding highly confidential client records, that threat alone is often enough to force compliance.

The extortion does not stop with a single ransom email. SRG actors also call employees and clients of victimized organizations directly, applying heavy additional pressure to push victims toward paying.

Any stolen data that goes unpaid ends up posted to the group’s public-facing leak site, business-data-leaks[.]com, for anyone online to find and access.

Silent Ransom Group Targets Law Firms

As of Spring 2026, SRG actors have shifted to impersonating IT department staff to gain a foothold inside target organizations.

They either call employees directly or send phishing emails urging them to reach out to what appears to be their own internal IT support team. Once the target is on the phone, the attacker tries to convince them to allow remote desktop access right away.

If the remote approach fails, SRG takes things a dramatic step further. The group has been known to physically send a person to the victim’s location, where the individual pretends to be a legitimate IT technician.

The fake technician claims they need to image the device or create a backup file due to a recent phishing threat, giving them reason to plug a USB or external hard drive directly into the victim’s computer.

Once access is obtained, attackers move quickly. They use tools like WinSCP or a hidden version of Rclone to pull data off the network and push it to cloud storage or carry it out on a physical drive. The entire operation is carefully designed to stay under the radar while extracting as much valuable data as possible.

Defending Against SRG Attacks

The FBI has outlined several steps organizations can take to reduce their exposure to this type of threat. Verifying the identity of anyone who shows up claiming to be IT support is a critical first step, and that includes checking their ID before allowing access to any system.

Organizations should also build clear internal policies around how real IT staff communicate with employees, so workers can recognize when something feels off.

On the technical side, blocking port 22 where possible and disabling remote access permissions on machines that handle sensitive data can limit the pathways attackers use.

Requiring phishing-resistant multi-factor authentication across services adds another layer of defense. Regular staff training on recognizing social engineering attempts, combined with routine data backups, rounds out a solid and practical defense posture.

Indicators of Compromise (IoCs):

Type                Indicator                           Description
------------------  ----------------------------------  ------------------------------------------------------------------
Domain              business-data-leaks[.]com           SRG public-facing leak site used to post stolen victim data
Tool                WinSCP (Windows Secure Copy)        Used by SRG actors to exfiltrate data to external IP addresses
Tool                Rclone (hidden or renamed version)  Used by SRG for covert data exfiltration to cloud or remote servers
Remote Access Tool  Zoho Assist                         Unauthorized download may indicate SRG presence on a host
Remote Access Tool  Quick Assist                        Unauthorized download may indicate SRG presence on a host
Remote Access Tool  AnyDesk                             Unauthorized download may indicate SRG presence on a host
Remote Access Tool  RustDesk                            Unauthorized download may indicate SRG presence on a host
Remote Access Tool  Syncro                              Unauthorized download may indicate SRG presence on a host
Remote Access Tool  Splashtop                           Unauthorized download may indicate SRG presence on a host
Remote Access Tool  Atera                               Unauthorized download may indicate SRG presence on a host
Cloud Platform      Microsoft OneDrive                  Used as an exfiltration destination for stolen victim data
Cloud Platform      Google Drive                        Used as an exfiltration destination for stolen victim data
Network Port        Port 22                             Exploited to enable encrypted remote access and file transfers
Physical Media      USB drive / External hard drive     Inserted in-person by SRG actor for physical data exfiltration
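As an added example (not code from the FBI report or from this article), the triage routine below runs constructed endpoint events against the tools and destinations in the table: unapproved remote access tools, WinSCP, Rclone even when renamed, copy/sync commands aimed at OneDrive or Google Drive, and outbound port 22 from a sensitive host. The event field names, the approved-RMM set and the cloud remote naming pattern are assumptions.

```python
"""Triage constructed endpoint events against the SRG indicators listed above."""
import re

# Remote access tools from the IoC table; only the one the org actually uses should be allowed.
RMM_TOOLS = {"zohoassist", "quickassist", "anydesk", "rustdesk", "syncro", "splashtop", "atera"}
APPROVED_RMM = {"splashtop"}                 # assumption: the only RMM this firm sanctions
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}   # on-disk names, also checked against PE metadata
# rclone remote names are user-chosen; these are assumed naming habits, not a fixed format
CLOUD_REMOTE = re.compile(r"\b(onedrive|gdrive|googledrive)\w*:")
XFER_VERB = re.compile(r"\b(copy|sync|move)\b")


def classify(event):
    """Return alert tags for one event (constructed schema: host, image,
    original_file_name, command_line, dest_port, sensitive_host)."""
    exe = event.get("image", "").lower().rsplit("\\", 1)[-1]
    orig = event.get("original_file_name", "").lower()   # PE metadata survives a file rename
    cmd = event.get("command_line", "").lower()
    alerts = []
    # 1. Any remote access tool outside the approved set, whether launched or just downloaded
    for tool in sorted(RMM_TOOLS - APPROVED_RMM):
        if tool in exe or tool in orig:
            alerts.append(f"unapproved_rmm:{tool}")
    # 2. WinSCP, or Rclone even when it hides behind another file name
    if exe in EXFIL_TOOLS or orig in EXFIL_TOOLS:
        renamed = orig == "rclone.exe" and exe != "rclone.exe"
        alerts.append("rclone_renamed" if renamed else "exfil_tool")
    # 3. A copy/sync command aimed at a OneDrive or Google Drive remote
    if XFER_VERB.search(cmd) and CLOUD_REMOTE.search(cmd):
        alerts.append("cloud_exfil_cmdline")
    # 4. Outbound port 22 from a machine that handles sensitive data
    if event.get("dest_port") == 22 and event.get("sensitive_host"):
        alerts.append("port22_from_sensitive_host")
    return alerts


def scan(events):
    """Flatten (host, alert) pairs across a batch of events."""
    return [(e["host"], a) for e in events for a in classify(e)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the report
    {"host": "LAW-WS01", "image": r"C:\Users\jdoe\Downloads\ZohoAssist.exe",
     "original_file_name": "ZohoAssist.exe"},
    {"host": "LAW-WS02", "image": r"C:\Program Files\Splashtop\Splashtop.exe",
     "original_file_name": "Splashtop.exe"},
    {"host": "LAW-FS01", "image": r"C:\ProgramData\svchost32.exe", "original_file_name": "rclone.exe",
     "command_line": r"svchost32.exe copy D:\Clients onedrive:backup --transfers 8"},
    {"host": "LAW-FS01", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "original_file_name": "WinSCP.exe", "dest_port": 22, "sensitive_host": True},
]
```

Running scan(SAMPLE_EVENTS) yields one unapproved-RMM alert for the Zoho Assist download, nothing for the sanctioned Splashtop install, and two alerts each for the renamed Rclone copy and the WinSCP session over port 22.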

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.