Silent Ransom Group Escalates Attacks on U.S. Law Firms with IT Impersonation Scheme
A sophisticated cyber extortion syndicate known as the Silent Ransom Group (SRG), also tracked as Luna Moth, Chatty Spider, and UNC3753, has intensified its campaign against U.S. law firms since early 2023, employing aggressive social engineering tactics to bypass traditional cybersecurity defenses.
Unlike conventional ransomware operators, SRG avoids file-locking malware, instead focusing on rapid data exfiltration and high-pressure extortion. The group steals sensitive information, threatens to publish it on its leak site (business-data-leaks.com), and even contacts victims’ clients to coerce ransom payments.
As of Spring 2026, SRG has adopted a localized IT support impersonation scheme, initiating contact via phishing emails or direct calls to employees. Attackers pose as internal IT staff, convincing victims to install legitimate remote administration tools (e.g., AnyDesk, TeamViewer) to gain access. If digital methods fail, SRG escalates to physical intrusion, dispatching operatives to offices under the guise of IT personnel. These attackers claim to resolve security alerts by inserting USB drives or external hard drives into target systems to manually extract data.
Once inside, SRG minimizes privilege escalation, swiftly exfiltrating stolen files to cloud platforms (Google Drive, Microsoft OneDrive) or external servers using tools like WinSCP and disguised Rclone. Because the group leverages valid software and cloud environments, traditional antivirus solutions often fail to detect intrusions.
The FBI’s May 2026 FLASH report highlights SRG’s reliance on callback phishing (T1566), voice phishing (T1598.004), and abuse of remote access tools (T1219). Organizations are advised to report incidents to the FBI, preserving ransom notes, phishing emails, and surveillance footage to aid investigations. Behavioral monitoring, strict access controls, and physical security measures are critical to mitigating this threat.
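One way to apply the behavioral-monitoring advice to the tradecraft described above: flag remote administration tools launched from user-writable paths and Rclone running under another name. This is an added example, not taken from the FBI report or the original article; the events are constructed (shaped like Sysmon process-creation fields), and the finding names and path heuristics are assumptions.

```python
import ntpath
import re

# Constructed process-creation events (field names follow Sysmon Event ID 1).
EVENTS = [
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "CommandLine": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"Image": r"C:\ProgramData\svchost-helper.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost-helper.exe copy D:\Matters gdrive:backup --transfers 16"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "OriginalFileName": "-",
     "CommandLine": r"upd.exe sync C:\Clients remote1:x --config C:\Users\jdoe\r.conf"},
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe",
     "CommandLine": r'"C:\Program Files\TeamViewer\TeamViewer.exe"'},
    {"Image": r"C:\Windows\System32\robocopy.exe", "OriginalFileName": "robocopy.exe",
     "CommandLine": r"robocopy C:\a D:\b /mir"},
]

RMM_NAMES = {"anydesk.exe", "teamviewer.exe"}  # tools named in the article
# Assumption: IT-deployed tools live under Program Files, not these locations.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
RCLONE_VERB = re.compile(r"\s(copy|sync|move)\s", re.I)
# "remote:path" argument; two or more characters before the colon excludes drive letters.
RCLONE_REMOTE = re.compile(r"\s[A-Za-z0-9_-]{2,}:\S*")
RCLONE_FLAG = re.compile(r"--(config|transfers|max-age|include|exclude)\b", re.I)

def classify(ev):
    """Return the list of findings for one process-creation event."""
    image = ntpath.basename(ev["Image"]).lower()
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev["CommandLine"]
    findings = []
    if image in RMM_NAMES and USER_WRITABLE.search(ev["Image"]):
        findings.append("rmm_tool_from_user_writable_path")
    if orig == "rclone.exe" and image != "rclone.exe":
        # The PE version resource survives a simple file rename.
        findings.append("renamed_rclone_by_pe_metadata")
    elif (image != "rclone.exe" and RCLONE_VERB.search(cmd)
          and RCLONE_REMOTE.search(cmd) and RCLONE_FLAG.search(cmd)):
        # Metadata missing or stripped: fall back to the argument shape.
        findings.append("rclone_like_command_line")
    return findings

def scan(events):
    """Return (image name, findings) for every event with at least one finding."""
    return [(ntpath.basename(e["Image"]), classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for name, findings in scan(EVENTS):
        print(name, findings)
```
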
Source: https://cyberpress.org/silent-ransom-targets-firms/
Silent Ransom Group TPRM report: https://www.rankiteo.com/company/silent-breach
"id": "sil1779956796",
"linkid": "silent-breach",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Legal',
'location': 'United States',
'type': 'Law Firms'}],
'attack_vector': ['Phishing Emails',
'Direct Calls (Voice Phishing)',
'Physical Intrusion',
'Remote Administration Tools'],
'data_breach': {'data_exfiltration': 'Yes (to cloud platforms or external '
'servers)',
'personally_identifiable_information': 'Likely',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Sensitive information'},
'date_publicly_disclosed': '2026-05',
'description': 'A sophisticated cyber extortion syndicate known as the Silent '
'Ransom Group (SRG) has intensified its campaign against U.S. '
'law firms since early 2023, employing aggressive social '
'engineering tactics to bypass traditional cybersecurity '
'defenses. SRG avoids file-locking malware, focusing on rapid '
'data exfiltration and high-pressure extortion by stealing '
'sensitive information, threatening to publish it on its leak '
'site, and contacting victims’ clients to coerce ransom '
'payments. As of Spring 2026, SRG has adopted a localized IT '
'support impersonation scheme, initiating contact via phishing '
'emails or direct calls to employees, posing as internal IT '
'staff to install legitimate remote administration tools. If '
'digital methods fail, SRG escalates to physical intrusion, '
'dispatching operatives to offices under the guise of IT '
'personnel to manually extract data using USB drives or '
'external hard drives. Once inside, SRG minimizes privilege '
'escalation, swiftly exfiltrating stolen files to cloud '
'platforms or external servers using tools like WinSCP and '
'disguised Rclone.',
'impact': {'brand_reputation_impact': 'High (threat of data leaks and client '
'contact)',
'data_compromised': 'Sensitive information',
'identity_theft_risk': 'High (sensitive data exfiltration)'},
'initial_access_broker': {'entry_point': ['Phishing Emails',
'Direct Calls',
'Physical Intrusion']},
'motivation': 'Financial Gain (Extortion)',
'ransomware': {'data_encryption': 'No (avoids file-locking malware)',
'data_exfiltration': 'Yes'},
'recommendations': ['Report incidents to the FBI',
'Preserve ransom notes, phishing emails, and surveillance '
'footage',
'Implement behavioral monitoring',
'Enforce strict access controls',
'Enhance physical security measures'],
'references': [{'date_accessed': '2026-05', 'source': 'FBI FLASH Report'}],
'response': {'enhanced_monitoring': 'Behavioral monitoring, strict access '
'controls',
'law_enforcement_notified': 'FBI'},
'threat_actor': 'Silent Ransom Group (SRG) / Luna Moth / Chatty Spider / '
'UNC3753',
'title': 'Silent Ransom Group Escalates Attacks on U.S. Law Firms with IT '
'Impersonation Scheme',
'type': 'Cyber Extortion, Data Theft'}