FBI warns Silent Ransom Group is targeting law firms with fake IT support attacks


The FBI is warning U.S. law firms about Silent Ransom Group, a data-extortion crew using phone calls, phishing emails, remote access tools, and even in-person impersonation to steal files. The warning, published in an FBI FLASH advisory, says the group poses as internal IT support to gain access to victim computers.

The campaign stands out because the attackers often skip traditional ransomware encryption. Instead of locking systems, they steal confidential data and threaten to sell or publish it unless the victim pays.

That approach creates a serious risk for law firms. Legal files can include client communications, case strategy, intellectual property, financial records, and settlement details. Once attackers steal that data, the damage can continue even if systems stay online.

Silent Ransom Group is using trust as the attack path

Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022. The same FBI advisory says the group has targeted several sectors, including insurance, finance, and healthcare, but has consistently focused on U.S.-based law firms since spring 2023.

The latest activity uses a simple but effective method. Attackers call employees directly or send emails that tell them to contact IT support. When the employee responds, the attacker claims to work for the firm’s technology team and asks for remote desktop access.

This type of phone-based social engineering lines up with voice phishing, a tactic in which attackers use calls to collect information or push victims into unsafe actions. In this case, the goal is not just a password. The attackers want an open session on a real employee’s computer.

How the attack works

If the remote access attempt succeeds, SRG moves quickly. The group uses legitimate, commercially available tools so that its activity looks like normal IT work. Because there is often no malicious binary involved, the attack is harder to detect than malware that antivirus products can flag on sight.

The FBI says SRG may use tools such as WinSCP or renamed versions of Rclone to exfiltrate files. The group has also used cloud storage services, including Microsoft OneDrive and Google Drive, as destinations for stolen data.

In some cases, SRG takes the attack offline. If the remote method fails, the group may send a person to the victim’s office. That person claims to be an IT technician and says they need to image a device or create a backup because of a phishing issue.

Attack stage    | What SRG does                                                     | Why it matters
Initial contact | Calls or emails employees while posing as IT support              | Employees may trust the request because it appears internal
Remote access   | Asks the employee to start a desktop support session              | Legitimate software can hide malicious activity
Physical access | Sends a fake technician to plug in a USB drive or external drive  | The attacker can copy data directly from the device
Data theft      | Uses WinSCP, Rclone, cloud storage, or physical media             | Files can leave the network before security teams notice
Extortion       | Threatens to publish or sell stolen legal data                    | Client confidentiality creates pressure to pay

Why normal ransomware defenses may miss it

Many ransomware defenses focus on file encryption, malware payloads, and suspicious executable behavior. SRG often avoids those signals. It focuses on social engineering, data theft, and pressure tactics.

The use of remote access software creates another problem for defenders. Tools such as AnyDesk, Quick Assist, Zoho Assist, RustDesk, Syncro, Splashtop, and Atera can serve legitimate business needs, so their presence alone does not prove an attack.

Security teams need context. A new support tool installed after an unsolicited phone call, a remote session started by a non-IT employee, or a large file transfer to cloud storage should trigger immediate review.

  • New remote access tools on machines that do not normally use them
  • Unapproved USB drives or external hard drives connected to employee devices
  • WinSCP or Rclone connections to unknown external IP addresses
  • Large uploads to cloud storage from legal or client-data repositories
  • Employees receiving calls from people claiming to work in IT
  • Clients receiving calls or emails claiming their legal data was stolen

Why law firms remain attractive targets

Law firms hold valuable information for many clients at once. A single compromise can expose documents linked to corporate deals, litigation, patents, investigations, contracts, and private communications.

Attackers also know that law firms face strict confidentiality duties. Public exposure of client files can create legal, financial, and reputational damage. That pressure gives data-extortion groups more leverage.

SRG’s playbook also targets human workflows. Busy employees may accept a caller’s explanation when it sounds like a normal help desk request. A visitor with a convincing IT story may also pass through office procedures if reception, security, and employees do not have a clear verification process.

What law firms should do now

Law firms should treat unexpected IT support requests as high-risk until verified through a trusted internal channel. Employees should never approve remote access during an unsolicited call, even if the caller knows internal names, vendors, or ticket details.

Firms should also define how IT staff authenticate themselves. This policy should cover phone calls, email requests, remote sessions, office visits, and emergency support situations. Everyone should know what real IT support will and will not ask them to do.

Response planning also matters. CISA ransomware response guidance urges organizations to act quickly when they suspect data theft or ransomware activity. For SRG-style attacks, that means preserving evidence while stopping further access.

Control          | Recommended action
IT verification  | Create a known callback number and require employees to verify all unexpected support requests
Visitor checks   | Require ID checks, visitor logs, escorts, and written approval before anyone touches a device
Remote tools     | Block unapproved remote support software and monitor new installations
External drives  | Disable USB storage where possible on systems that handle sensitive client files
Cloud storage    | Watch for unusual uploads to OneDrive, Google Drive, and external file-sharing services
Authentication   | Use phishing-resistant multi-factor authentication for email, cloud, and remote access services

Security teams should map the attack to known behaviors

SRG’s activity fits several known attack behaviors. Its calls and callback lures align with voice phishing. Its use of legitimate support programs aligns with remote access software abuse.

That mapping helps defenders write better alerts. Instead of looking only for known malware, teams can watch for unusual combinations, such as a help desk-themed email followed by a phone call, a remote access install, and a file transfer to cloud storage.

Firms should also test incident response for a data-only extortion case. A locked desktop may never appear. The first sign may be a ransom email, a client complaint, or a suspicious cloud transfer alert.
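The indicator list in the "Why normal ransomware defenses may miss it" section and the combination alerts described in this section, as one added example written for this page (not FBI, CISA or vendor code): a small Python correlation over constructed endpoint telemetry. A remote support tool appearing on a host outside the IT group is a low-severity signal on its own; a WinSCP or rclone-style connection to an external address, or a large upload to OneDrive or Google Drive, is medium; the two together within a six-hour window is high. The event schema, process names, internal address ranges, the IT host list, the size threshold, the window and the sample events are all assumptions. The renamed-rclone check is a heuristic on command-line syntax, not a file hash.

```python
"""Correlate help-desk-style social engineering with exfiltration indicators.

Added example for this article; not FBI, CISA or vendor code. The event
schema, the allowlists, the thresholds and all sample events are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote support tools named in the advisory (assumed process names).
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe", "zohoassist.exe", "rustdesk.exe",
                "syncro.exe", "splashtop.exe", "atera.exe"}
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}
CLOUD_UPLOAD_DOMAINS = {"onedrive.live.com", "drive.google.com"}   # assumed hostnames
IT_HOSTS = {"IT-HELPDESK-01"}               # hosts where remote tools are expected (assumption)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN = ".corp.example"           # assumed internal DNS suffix
WINDOW = timedelta(hours=6)                 # remote tool -> exfil correlation window (assumption)
LARGE_UPLOAD_BYTES = 500 * 1024 * 1024      # upload size threshold (assumption)

# Renamed-rclone heuristic: an rclone subcommand followed by a "remote:path" argument.
# A single-letter drive such as "D:\Matters" does not match because of the {2,}.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str             # "process", "netconn" or "upload"
    proc: str = ""
    cmdline: str = ""
    dest: str = ""        # destination IP address or hostname
    bytes_out: int = 0


def looks_like_rclone(cmdline: str) -> bool:
    """True when a command line uses rclone syntax, whatever the binary is called."""
    tokens = cmdline.split()
    return (len(tokens) >= 3 and tokens[1].lower() in RCLONE_SUBCOMMANDS
            and any(RCLONE_REMOTE_RE.match(t) for t in tokens[2:]))


def is_external(dest: str) -> bool:
    """Destinations outside the firm's (assumed) address space or DNS suffix."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return not dest.lower().endswith(INTERNAL_DOMAIN)
    return not any(ip in net for net in INTERNAL_NETS)


def exfil_reason(ev: Event) -> str | None:
    """Return why an event looks like data theft, or None when it does not."""
    if ev.kind == "netconn" and is_external(ev.dest) and (
            ev.proc.lower() in EXFIL_TOOLS or looks_like_rclone(ev.cmdline)):
        return f"{ev.proc} (WinSCP/rclone-style transfer) connected to external {ev.dest}"
    if ev.kind == "upload" and ev.dest in CLOUD_UPLOAD_DOMAINS and ev.bytes_out >= LARGE_UPLOAD_BYTES:
        return f"{ev.bytes_out // (1024 * 1024)} MiB uploaded to {ev.dest}"
    return None


def analyze(events: list[Event]) -> list[dict]:
    """Per-host scoring: 'low' = remote support tool on a non-IT host, 'medium' =
    exfil indicator alone, 'high' = exfil indicator within WINDOW after the tool."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    findings: list[dict] = []
    for host, evs in by_host.items():
        remote_starts = [e for e in evs if e.kind == "process"
                         and e.proc.lower() in REMOTE_TOOLS and host not in IT_HOSTS]
        for r in remote_starts:
            findings.append({"host": host, "ts": r.ts, "severity": "low",
                             "reason": f"{r.proc} started on a host that does not normally run remote support tools"})
        for ev in evs:
            reason = exfil_reason(ev)
            if reason is None:
                continue
            prior = [r for r in remote_starts if timedelta(0) <= ev.ts - r.ts <= WINDOW]
            suffix = f"; {prior[0].proc} started {ev.ts - prior[0].ts} earlier" if prior else ""
            findings.append({"host": host, "ts": ev.ts,
                             "severity": "high" if prior else "medium",
                             "reason": reason + suffix})
    return findings


T0 = datetime(2025, 1, 14, 9, 2)
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    Event(T0, "LEGAL-WS-07", "process", proc="AnyDesk.exe", cmdline="AnyDesk.exe"),
    Event(T0 + timedelta(minutes=39), "LEGAL-WS-07", "netconn", proc="backup.exe",
          cmdline=r"backup.exe copy D:\Matters od:matters --transfers 8", dest="203.0.113.50"),
    Event(T0 + timedelta(minutes=73), "LEGAL-WS-07", "upload", proc="backup.exe",
          dest="drive.google.com", bytes_out=1_300_000_000),
    Event(T0 + timedelta(hours=2), "IT-HELPDESK-01", "process", proc="AnyDesk.exe", cmdline="AnyDesk.exe"),
    Event(T0 + timedelta(hours=3), "LEGAL-WS-03", "netconn", proc="WinSCP.exe", cmdline="WinSCP.exe", dest="10.20.30.40"),
    Event(T0 + timedelta(hours=4), "LEGAL-WS-03", "netconn", proc="WinSCP.exe", cmdline="WinSCP.exe", dest="198.51.100.7"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']:%H:%M} {f['host']:<14} {f['severity']:<6} {f['reason']}")
```

On the sample data this yields one low, two high and one medium finding: the paralegal workstation that ran AnyDesk, then a renamed rclone to an external address and a 1.2 GiB upload to Google Drive, plus a standalone WinSCP connection from another host. WinSCP to an internal SFTP server and AnyDesk on the help desk host are deliberately not flagged. The syntax-based rclone check is a heuristic and will also fire on any tool using the same `copy remote:path` form, so pair it with binary hash or signer checks in a real deployment, and tune the window and size threshold to the firm's own baseline.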

When to report suspicious activity

Organizations that identify suspicious activity should contact their local FBI Cyber Squad and report incidents through the Internet Crime Complaint Center. Useful evidence can include ransom notes, phone numbers, email addresses, voicemail transcripts, callback messages, cryptocurrency wallets, and details about anyone posing as IT support.

The FBI also asks victims to preserve information that can legally be shared. That can include surveillance footage, photos, device logs, remote access session details, and the time and location of any physical visit.

Law firms should not wait for encryption to begin before acting. If an employee allowed unknown remote access, connected an unexpected external drive, or received a suspicious IT support call, the firm should investigate immediately and consider a report to IC3.

Bottom line

Silent Ransom Group is not relying on loud, system-locking ransomware. It is exploiting trust, help desk routines, and weak verification procedures to steal legal data.

The most important defense is operational discipline. Law firms need clear IT authentication rules, strict visitor checks, strong controls on remote access tools, and fast reporting when something feels wrong.

The guidance also reflects a broader data-extortion problem. CISA guidance warns that some attackers may steal data and threaten release without using file encryption at all. SRG’s latest campaign shows why law firms need to prepare for that exact scenario.

FAQ

Who is Silent Ransom Group?

Silent Ransom Group is a data-extortion threat group also tracked as Luna Moth, Chatty Spider, and UNC3753. The FBI says it has targeted U.S.-based law firms since spring 2023.

How does Silent Ransom Group attack law firms?

The group uses phone calls, phishing emails, remote access tools, and sometimes in-person impersonation. Attackers pose as IT support, gain access to devices, steal data, and then use that data for extortion.

Does Silent Ransom Group encrypt files?

The FBI says SRG usually does not rely on traditional ransomware encryption. The group typically steals data and threatens to sell or publish it unless the victim pays.

What signs may point to an SRG attack?

Possible signs include unexpected IT support calls, new remote access tools, unauthorized USB drives, WinSCP or Rclone activity to external destinations, unusual cloud uploads, and ransom messages claiming data was stolen.

How can law firms reduce the risk?

Law firms should verify all IT support requests, restrict unapproved remote access tools, block external storage on sensitive systems where possible, train staff on social engineering, use phishing-resistant MFA, monitor cloud uploads, and report suspicious activity quickly.
