Silent Ransom Group targeting law firms, the FBI warns
FBI warns Silent Ransom Group has targeted U.S. law firms for 2 years using callback phishing and social engineering extortion tactics. The FBI warns that the Silent Ransom Group, active since 2022 and also known as Luna Moth, has targeted U.S. law firms using phishing and social engineering. Linked to BazarCall campaigns, the group previously […]
FBI warns Silent Ransom Group has targeted U.S. law firms for 2 years using callback phishing and social engineering extortion tactics.
The FBI warns that the Silent Ransom Group, active since 2022 and also known as Luna Moth, has targeted U.S. law firms using phishing and social engineering. Linked to BazarCall campaigns, the group previously enabled Ryuk and Conti ransomware attacks.
“The cyber threat actor Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is targeting law firms using information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims.” reads the alert issued by the FBI. “While SRG has historically victimized companies in many sectors, starting Spring 2023, the group has consistently targeted US-based law firms, likely due to the highly sensitive nature of legal industry data.”
As of March 2025, SRG began posing as IT staff in phone calls, tricking employees into granting remote access. They then exfiltrate data using tools like WinSCP or Rclone, often without needing admin privileges. This new tactic is recent but highly effective, leading to multiple successful breaches.
After stealing data, the Silent Ransom Group group extorts victims with ransom emails threatening to sell or publish the data. They also call employees to pressure them into negotiations.
SRG operates a data leak site, but the FBI noticed that they use it inconsistently and don’t always follow through on their threats to post the data.
The group campaigns leave minimal traces and often evade antivirus detection by using legitimate remote access tools. Indicators of SRG activity include unauthorized downloads of tools like Zoho Assist or AnyDesk, external WinSCP/Rclone connections, ransom emails or calls from unnamed groups, and phishing emails about subscriptions urging recipients to call a number to cancel charges.
“Implement basic cyber hygiene to include being suspicious, robust passwords, multifactor authentication, and installation of antivirus tools.” concludes the report. “For SRG threat actors:
- Conduct staff training on resisting phishing attempts
- Develop and communicate policies surrounding when and how company’s IT will authenticate themselves with employees
- Maintain regular backups of company data
- Implement two-factor authentication for all employees”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, FBI)
