Full Report
Silent Ransom Group isn’t prolific, but it's demonstrated a knack for attacking the legal services sector with an extraordinary dual use of social engineering and in-person visits to victims’ workstations. The post FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Silent Ransom Group
## Attribution & Identity
* **Actor Name:** Silent Ransom Group
* **Known Aliases:** Chatty Spider, UNC3753, Storm-0252
* **Associated Groups:** Likely emerged after the **Conti** ransomware group disbanded in 2022.
* **Origin:** Highly likely to operate from **Russia**.
## Activity Summary
* **Timeline:** Emerged in 2022; consistently active from mid-2023 through May 2026.
* **Campaigns:** The actor has claimed responsibility for over 100 attacks, with a significant surge in activity during early 2026.
* **Recent Trends:** Increasingly focused on data-theft extortion against high-value targets, without deploying file-encrypting ransomware at all.
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses "callback" phishing: employees receive emails or phone calls urging them to contact a fraudulent "IT Support" number. Because the lure carries no malicious attachment or link, it passes mail filtering; the operator on the call then talks the employee through installing remote-access software.
* **Remote Access:** Legitimate, commercially available remote-access tools, installed by the victim at the caller's direction, provide the initial foothold. The software is signed and widely used, so antivirus rarely flags it.
* **Physical Infiltration:** In a rare and high-risk tactic, the group sends associates to a victim's physical office location to gain direct access to workstations if remote attempts fail.
* **Data Exfiltration:** Physical attachment of storage devices (USB/External drives) to workstations for in-person data theft.
* **Extortion:** Pure data-theft extortion. The leverage is the threat to publish privileged client material and the resulting reputational and professional-responsibility exposure, not file encryption.
## Targeting
* **Sectors:** Legal Services / Law Firms (primary focus).
* **Geography:** Primarily United States (US-based firms).
* **Victims:** Major law firms (unspecified by name) holding sensitive client data and privileged information.
## Tools & Infrastructure
* **Malware:** No specific malware families mentioned; focus is on legitimate remote access and physical storage devices.
* **Remote Access Tools:** Various (unnamed) commercial or open-source remote management software.
* **Infrastructure:** Phone numbers for social engineering/fraudulent IT help desks.
## Implications
Silent Ransom Group represents a shift in risk assessment for the legal sector. By bypassing the traditional digital perimeter, either through a phone call that persuades a user to open the door or through physical presence at the workstation, they render perimeter and network-focused defenses insufficient on their own. Their understanding of the legal sector, specifically that data theft alone is enough to trigger high-value extortion payments because of attorney-client privilege, makes them a highly specialized and dangerous persistent threat.
## Mitigations
* **Physical Security:** Implement strict visitor management (sign-in, escorts, verification of any "technician" against an open IT ticket) and "clean desk" policies, and enforce automatic screen lock on idle workstations so an unattended desk does not equal an unlocked session.
* **Hardware Control:** Use device-control policy (Group Policy removable-storage restrictions or the EDR's device-control feature) to block or alert on unauthorized USB mass-storage devices; disabling USB ports in BIOS/UEFI is coarser but an option for fixed-function workstations. Enable Plug and Play auditing so device insertions are logged centrally rather than only on the endpoint.
* **Verification Protocols:** Establish a strictly internal, "out-of-band" method for employees to verify the identity of IT support personnel: a help-desk number published on the intranet that staff call back, never the number supplied in the email or by the caller.
* **Employee Awareness:** Specialized training for office staff and receptionists regarding "in-person" social engineering and fraudulent on-site "technicians," alongside the usual callback-phishing awareness for fee earners and assistants.
* **Remote Access Restrictions:** Implement "Allow Lists" for authorized remote access tools: use application control (e.g. AppLocker or WDAC) to block remote-control binaries other than the sanctioned one on endpoints, block the other tools' relay and download domains at the gateway, and hunt for copies already installed in user-writable paths.
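The remote-access and hardware-control mitigations above, and the callback-phishing and in-person exfiltration tradecraft they counter, can be turned into detection logic. The following is an added example written for this summary, not code from the FBI notice or CyberScoop: it triages Windows/Sysmon-style events and raises an alert when a remote-control tool is launched that is not on the firm's allowlist (or is the approved tool started outside the sanctioned deployment path, which is what a user clicking through a caller's instructions looks like), and when a USB mass-storage device is attached to a workstation. The watchlist of remote-access executables, the approved tool and deployment agent, the channel labels, host names and all event records are constructed assumptions for illustration; the report itself names no tools.

```python
"""Triage of Windows/Sysmon-style events for Silent Ransom Group tradecraft.

Added example, not from the original report. All binaries, hosts, paths and
events below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common remote-control executables. Illustrative watchlist (assumption):
# the report names no tool, so build your own from software inventory.
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
    "zohoassist.exe", "ateraagent.exe", "splashtop.exe", "rustdesk.exe",
}

# Allowlist: tool -> parent processes permitted to start it. Assumption: the
# firm sanctions one tool, installed only by its software-deployment agent.
APPROVED_RMM = {
    "teamviewer.exe": {"c:\\program files\\deployagent\\agent.exe"},
}

# User-writable locations. A remote tool started from here is the usual end
# state of a callback-phishing call ("download this so IT can connect").
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def inspect_process_create(ev: dict) -> Optional[Alert]:
    """Sysmon Event ID 1 (process creation): unapproved or oddly-launched RMM."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    name = _base(image)
    if name not in REMOTE_ACCESS_BINARIES:
        return None
    host = ev["Computer"]
    if name not in APPROVED_RMM:
        where = "user-writable path" if image.startswith(USER_WRITABLE_PREFIXES) else "system path"
        return Alert(host, "unapproved_remote_access_tool",
                     f"{name} run by {ev['User']} from {where}, parent {_base(parent)}")
    if parent not in APPROVED_RMM[name]:
        return Alert(host, "approved_rmm_outside_deployment",
                     f"{name} started by {_base(parent)} rather than the deployment agent")
    return None


def inspect_device_arrival(ev: dict) -> Optional[Alert]:
    """Security Event ID 6416 (new external device recognized): USB mass storage.

    USB disks are enumerated under the USBSTOR enumerator, so the DeviceId
    prefix distinguishes a flash/external drive from a keyboard or mouse.
    """
    device_id = ev["DeviceId"].upper()
    if device_id.startswith("USBSTOR\\"):
        return Alert(ev["Computer"], "removable_storage_attached",
                     f"{ev['DeviceDescription']} ({device_id}) attached; "
                     "check the visitor log and open on-site IT tickets")
    return None


HANDLERS = {
    ("Sysmon", 1): inspect_process_create,
    ("Security", 6416): inspect_device_arrival,
}


def triage(events: Iterable[dict]) -> List[Alert]:
    """Run every event through the handler for its (channel, event id)."""
    alerts: List[Alert] = []
    for ev in events:
        handler = HANDLERS.get((ev["Channel"], ev["EventID"]))
        alert = handler(ev) if handler else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs). Channel labels are shortened.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS-0413", "User": "FIRM\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS-0207", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "ParentImage": "C:\\Program Files\\DeployAgent\\agent.exe"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS-0311", "User": "FIRM\\asmith",
     "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Channel": "Security", "EventID": 6416, "Computer": "WS-0413",
     "DeviceDescription": "SanDisk Cruzer Glide USB Device",
     "DeviceId": "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001&0"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS-0413", "User": "FIRM\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Channel": "Security", "EventID": 6416, "Computer": "WS-0207",
     "DeviceDescription": "USB Input Device",
     "DeviceId": "HID\\VID_046D&PID_C52B\\6&1A2B3C4D&0&0000"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample data this yields three alerts: the browser-launched AnyDesk in a Downloads folder (the callback-phishing end state), the approved tool started by explorer.exe instead of the deployment agent, and the USB disk on the same workstation that ran AnyDesk; the keyboard and notepad.exe produce nothing. The two alerts on WS-0413 are the combination the report describes, remote access followed by a storage device on the box, and are worth correlating by host.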