A threat group known as the Silent Ransom Group is actively targeting US-based law firms using a bold and deceptive social engineering playbook.
Rather than deploying ransomware in the traditional sense, this group goes straight for the data and then turns it into a weapon against the very organizations it stole from.
The Silent Ransom Group (SRG), also tracked under the aliases Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022.
The group operates across several industries, including insurance, finance, and healthcare, but law firms have been a consistent and primary focus since Spring 2023.
Their method is straightforward but highly effective: trick employees into trusting them, gain inside access, steal the data, and demand payment before it goes public.
The FBI said in a report shared with Cyber Security News (CSN) that SRG actors have recently escalated their tactics in a way that makes detection far more difficult.
Instead of relying on malicious software that antivirus tools might catch and flag, they use legitimate remote access tools to blend in with normal IT activity. That deliberate shift has made their campaigns significantly harder to spot and far harder to stop.
What sets SRG apart from most ransomware groups is that they skip encryption entirely. There is no locked system, no ransom note on the desktop, no sudden system shutdown.
Instead, the attackers quietly steal sensitive files and then threaten to sell or publish that data publicly unless the victim pays up. For law firms holding highly confidential client records, that threat alone is often enough to force compliance.
The extortion does not stop with a single ransom email. SRG actors also call employees and clients of victimized organizations directly, applying heavy additional pressure to push victims toward paying.
Any stolen data that goes unpaid ends up posted to the group’s public-facing leak site, business-data-leaks[.]com, for anyone online to find and access.
Silent Ransom Group Targets Law Firms
As of Spring 2026, SRG actors have shifted to impersonating IT department staff to gain a foothold inside target organizations.
They either call employees directly or send phishing emails urging them to reach out to what appears to be their own internal IT support team. Once the target is on the phone, the attacker tries to convince them to allow remote desktop access right away.
If the remote approach fails, SRG takes things a dramatic step further. The group has been known to physically send a person to the victim’s location, where the individual pretends to be a legitimate IT technician.
The fake technician claims they need to image the device or create a backup file due to a recent phishing threat, giving them reason to plug a USB or external hard drive directly into the victim’s computer.
Once access is obtained, attackers move quickly. They use tools like WinSCP or a hidden version of Rclone to pull data off the network and push it to cloud storage or carry it out on a physical drive. The entire operation is carefully designed to stay under the radar while extracting as much valuable data as possible.
Defending Against SRG Attacks
The FBI has outlined several steps organizations can take to reduce their exposure to this type of threat. Verifying the identity of anyone who shows up claiming to be IT support is a critical first step, and that includes checking their ID before allowing access to any system.
Organizations should also build clear internal policies around how real IT staff communicate with employees, so workers can recognize when something feels off.
On the technical side, blocking port 22 where possible and disabling remote access permissions on machines that handle sensitive data can limit the pathways attackers use.
Requiring phishing-resistant multi-factor authentication across services adds another layer of defense. Regular staff training on recognizing social engineering attempts, combined with routine data backups, rounds out a solid and practical defense posture.
Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | business-data-leaks[.]com | SRG public-facing leak site used to post stolen victim data
Tool | WinSCP (Windows Secure Copy) | Used by SRG actors to exfiltrate data to external IP addresses
Tool | Rclone (hidden or renamed version) | Used by SRG for covert data exfiltration to cloud or remote servers
Remote Access Tool | Zoho Assist | Unauthorized download may indicate SRG presence on a host
Remote Access Tool | Quick Assist | Unauthorized download may indicate SRG presence on a host
Remote Access Tool | AnyDesk | Unauthorized download may indicate SRG presence on a host
Remote Access Tool | RustDesk | Unauthorized download may indicate SRG presence on a host
Remote Access Tool | Syncro | Unauthorized download may indicate SRG presence on a host
Remote Access Tool | Splashtop | Unauthorized download may indicate SRG presence on a host
Remote Access Tool | Atera | Unauthorized download may indicate SRG presence on a host
Cloud Platform | Microsoft OneDrive | Used as an exfiltration destination for stolen victim data
Cloud Platform | Google Drive | Used as an exfiltration destination for stolen victim data
Network Port | Port 22 | Exploited to enable encrypted remote access and file transfers
Physical Media | USB drive / External hard drive | Inserted in-person by SRG actor for physical data exfiltration
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
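As an added illustration (not from the FBI report or this article), the following Python sketch turns the IoC list above into host-level detection logic run over constructed Sysmon-style process and network events. The field names follow Sysmon conventions (Image, OriginalFileName, CommandLine, DestinationPort, Initiated); the sample events and the sanctioned-tool allowlist are assumptions, not data from any real incident.

```python
import re

# Remote access tools from the IoC list; any not sanctioned by the firm
# (ALLOWED_RMM is an assumed per-organization policy) is flagged.
RMM_TOOLS = {"zohoassist", "quickassist", "anydesk", "rustdesk",
             "syncro", "splashtop", "atera"}
ALLOWED_RMM = {"quickassist"}  # assumption: the firm's one sanctioned tool
# Rclone copy/sync/move to a "<remote>:<path>" destination; the remote name
# needs 2+ chars so a Windows drive letter such as D:\ does not match.
RCLONE_REMOTE = re.compile(r"\b(copy|sync|move)\b.*\s[A-Za-z]\w+:\S*")

def classify(event):
    """Return alert strings for one Sysmon-style event dict (empty if benign)."""
    alerts = []
    name = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # 1. Renamed Rclone: PE version info still says rclone.exe, filename does not.
    if orig == "rclone.exe" and name != "rclone.exe":
        alerts.append(f"renamed rclone: {name} (OriginalFileName={orig})")
    # 2. Rclone pushing data to a configured remote (OneDrive, Drive, SFTP ...).
    if "rclone.exe" in (orig, name) and RCLONE_REMOTE.search(cmd):
        alerts.append(f"rclone transfer to remote: {cmd}")
    # 3. Remote access tool binary outside the sanctioned set.
    tool = next((t for t in RMM_TOOLS if t in name), None)
    if tool and tool not in ALLOWED_RMM:
        alerts.append(f"unsanctioned remote access tool: {tool}")
    # 4. Outbound port 22 (WinSCP/Rclone over SFTP) initiated by this host.
    if event.get("DestinationPort") == 22 and event.get("Initiated", False):
        alerts.append(f"outbound SSH/SFTP by {name} to {event.get('DestinationIp')}")
    return alerts

def scan(events):
    """Map RecordId -> alerts for every event that produced at least one."""
    return {e["RecordId"]: a for e in events if (a := classify(e))}

SAMPLE_EVENTS = [  # constructed, not from any real incident
    {"RecordId": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
    {"RecordId": 2, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": "svchost.exe copy D:\\Clients onedrive:backup -q"},
    {"RecordId": 3, "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"RecordId": 4, "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe", "DestinationIp": "203.0.113.7",
     "DestinationPort": 22, "Initiated": True},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 2 (renamed Rclone plus a transfer to a cloud remote), 3 (unsanctioned AnyDesk) and 4 (outbound SFTP), and leaves the Notepad event alone.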
The post Silent Ransom Group Targets Law Firms With IT Support Impersonation Attacks appeared first on Cyber Security News.