Full Report
The Silent Ransom Group extortion gang is actively targeting U.S. law firms and professional services organizations in social engineering attacks that often lead to data theft within hours of initial contact, according to a new report by cybersecurity firm Mandiant. [...]
Analysis Summary
# Threat Actor: Silent Ransom Group (SRG)
## Attribution & Identity
* **Name/Alias:** Silent Ransom Group (SRG)
* **Mandiant Tracking:** UNC3753
* **Other Aliases:** Luna Moth, Chatty Spider
* **Known Associations:** Formerly part of the **Ryuk** and **Conti** cybercrime syndicates (specifically linked to the BazarCall initial access operations).
## Activity Summary
The group is currently engaged in a high-velocity extortion campaign (active June 2026) targeting U.S. law firms and professional services. Between January and May 2026, the group targeted dozens of organizations. Their operations have evolved from traditional ransomware to "pure" extortion, where data is stolen and held for ransom without the use of file-encrypting malware. Recent activities include both remote social engineering and reported attempts at in-person data theft.
## Tactics, Techniques & Procedures
* **Callback Phishing (BazarCall):** Initial contact via invoice- or subscription-themed emails sent from consumer webmail accounts (e.g., Gmail). The message carries no malicious link or attachment, only a phone number for "support", so mail security has nothing to detonate; the phone call itself is the attack vector.
* **Voice Social Engineering (Vishing):** Impersonating corporate IT help desk staff to talk victims into granting access.
* **Remote Support Exploitation:** Talking targets into joining a remote-support session via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services (RDP), then using that session to install or run remote-access software under the victim's own credentials.
* **Living off the Land (LotL):** Relying on legitimate, commercially signed remote-support and file-transfer software rather than custom malware, so signature-based controls have little to flag.
* **Data Exfiltration:** Rapid searching for sensitive documents (M&A plans, tax records, SSNs) and exfiltration with off-the-shelf file-transfer tools such as WinSCP and Rclone.
* **Anti-Forensics:** Use of `privnote[.]com` (self-destructing messages) to share links/commands during sessions to avoid leaving logs in browser or chat histories.
* **Infrastructure Obfuscation:** Employment of **DNS Fast Flux** to rotate IP addresses across residential proxy networks to evade takedowns.
* **MITRE ATT&CK IDs (Inferred):**
* T1566.004 (Phishing: Spearphishing Voice; covers the callback lure)
* T1219 (Remote Access Software)
* T1567.002 (Exfiltration to Cloud Storage, for Rclone pushes to cloud storage)
* T1048.002 (Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, for WinSCP/SFTP transfers to attacker-controlled hosts)
* T1568.001 (Dynamic Resolution: Fast Flux DNS). T1071.004 (Application Layer Protocol: DNS) describes DNS used as a command-and-control channel, which is not what fast flux is, so it does not apply here.
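The lure shape above (invoice theme, consumer webmail sender, a phone number as the only call to action, nothing to detonate) is what mail-security triage can key on. The following is an added example, not code from Mandiant or from the report: a scorer over constructed sample messages. The webmail list, keyword list, phone-number pattern and threshold are assumptions to tune against your own mail flow.

```python
"""Triage for callback-phishing (BazarCall-style) lures.

Added example, not code from Mandiant or from the report. Scores inbound
mail for the lure shape described above. Sender list, keyword list and the
threshold are assumptions; the sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Consumer webmail providers commonly used for throwaway sender accounts (assumption).
CONSUMER_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                    "icloud.com", "proton.me", "protonmail.com"}
INVOICE_TERMS = re.compile(
    r"\b(invoice|subscription|renewal|receipt|payment|charged|billing|order)\b", re.I)
# North American phone formats with optional +1: the lure's only call to action.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL = re.compile(r"https?://\S+", re.I)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: tuple = field(default_factory=tuple)


def sender_domain(addr: str) -> str:
    """'Billing <x@gmail.com>' -> 'gmail.com'."""
    return addr.rstrip(">").rsplit("@", 1)[-1].lower()


def score_lure(msg: Message):
    """Return (score, reasons); each indicator is one point."""
    reasons = []
    if sender_domain(msg.sender) in CONSUMER_WEBMAIL:
        reasons.append("sender uses consumer webmail")
    if INVOICE_TERMS.search(msg.subject + " " + msg.body):
        reasons.append("invoice/subscription theme")
    phones = PHONE.findall(msg.body)
    if phones:
        reasons.append(f"phone number offered as contact: {phones[0].strip()}")
        # The defining trait of callback phishing: the message asks for a call
        # and gives mail security nothing to detonate (no link, no attachment).
        if not URL.search(msg.body) and not msg.attachments:
            reasons.append("callback-only: no link or attachment")
    return len(reasons), reasons


SUSPECT_THRESHOLD = 3  # assumption; tune against real mail flow


def is_callback_lure(msg: Message) -> bool:
    return score_lure(msg)[0] >= SUSPECT_THRESHOLD


# Constructed samples, not real messages.
LURE = Message(
    sender="Billing Dept <billing.renewals2026@gmail.com>",
    subject="Your annual subscription renewal - Invoice #A8823",
    body=("Your subscription has renewed and your card will be charged $389.99 today. "
          "If you did not authorize this, call our support line at (888) 555-0142 "
          "within 24 hours to cancel."),
)
VENDOR = Message(
    sender="ap@vendor-example.com",
    subject="Invoice 1042 attached",
    body="Please find invoice 1042 attached. Pay online at https://pay.vendor-example.com/1042",
    attachments=("invoice-1042.pdf",),
)

if __name__ == "__main__":
    for m in (LURE, VENDOR):
        print(m.subject, "->", score_lure(m))
```

The constructed lure scores 4 and the ordinary vendor invoice scores 1; the point of the fourth indicator is that a message whose only actionable content is a phone number is exactly the message that URL rewriting and attachment sandboxing will never catch, so it has to be scored on its shape.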
## Targeting
* **Sectors:** Legal services, Financial, and Professional Services.
* **Geography:** Primarily United States.
* **Victims:** Specifically targeting law firms due to high-value client repositories (M&A plans, trade secrets, regulatory reports) and high susceptibility to reputational damage.
## Tools & Infrastructure
* **Remote monitoring and management (RMM) / remote-support tools:** AnyDesk, Zoho Assist, Bomgar (now BeyondTrust Remote Support), SuperOps. These are legitimate, signed commercial products rather than remote-access trojans, which is why blocking them takes an explicit allow-list rather than antivirus signatures.
* **Exfiltration Tools:** WinSCP, Rclone.
* **Phishing Domains:** Naming patterns including `[company]-itdesk[.]com`, `[company]-it[.]com`, and `[company]-helpdesk[.]com`.
* **Infrastructure:**
* `privnote[.]com` (Messaging)
* `business-data-leaks[.]com` (Leak site)
* **Fast-Flux Networks:** Utilizing residential IP addresses across Latin America, Eastern Europe, Central Asia, and the Middle East.
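Two of the infrastructure traits above are huntable in DNS telemetry: the `[company]-itdesk[.]com` style naming, and fast flux, where one name resolves to many addresses spread across many networks with short TTLs. The following is an added example, not code from the report, that runs both checks over constructed passive-DNS style records. The thresholds, the use of the /16 prefix as a stand-in for ASN diversity, the firm name and the records (RFC 5737, RFC 6598 and RFC 1918 addresses as placeholders) are all assumptions.

```python
"""Hunt SRG-style infrastructure in DNS telemetry.

Added example, not from the Mandiant report. Two checks over records of the
form (qname, A record, TTL): lookalike help-desk domains built from the firm's
own name using the naming patterns above, and a fast-flux heuristic (one
name, many addresses, many networks, short TTLs). Records, thresholds and the
/16-prefix diversity measure are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Suffixes from the report's naming patterns; hyphen separator as reported.
HELPDESK_SUFFIXES = ("itdesk", "it", "helpdesk")


def lookalike_domains(company: str, tlds=("com", "net", "org")) -> set:
    """All '<company>-<suffix>.<tld>' candidates for a firm name."""
    base = "".join(ch for ch in company.lower() if ch.isalnum())
    return {f"{base}-{s}.{t}" for s in HELPDESK_SUFFIXES for t in tlds}


def lookalike_hits(records, company: str) -> set:
    """Queried names that are, or sit under, a lookalike candidate."""
    cands = lookalike_domains(company)
    hits = set()
    for qname, _, _ in records:
        name = qname.lower().rstrip(".")
        if name in cands or any(name.endswith("." + c) for c in cands):
            hits.add(name)
    return hits


def fast_flux_candidates(records, min_ips=5, min_nets=3, max_ttl=300) -> dict:
    """Names whose answers spread over many addresses and /16s with low TTL."""
    by_name = defaultdict(list)
    for qname, rdata, ttl in records:
        by_name[qname.lower().rstrip(".")].append((ip_address(rdata), int(ttl)))
    hits = {}
    for name, rrs in by_name.items():
        ips = {ip for ip, _ in rrs}
        # /16 prefix as a crude network-diversity measure (assumption);
        # replace with an offline ASN lookup in production.
        nets = {int(ip) >> 16 for ip in ips if ip.version == 4}
        ttl = median([t for _, t in rrs])
        if len(ips) >= min_ips and len(nets) >= min_nets and ttl <= max_ttl:
            hits[name] = {"ips": len(ips), "nets": len(nets), "median_ttl": ttl}
    return hits


# Constructed records; placeholder address ranges, not real resolvers' data.
FLUX = "examplelaw-itdesk.com"
RECORDS = [
    (FLUX, "192.0.2.17", 60), (FLUX, "198.51.100.42", 60), (FLUX, "203.0.113.9", 60),
    (FLUX, "100.64.7.3", 120), (FLUX, "10.8.200.1", 60), (FLUX, "172.16.33.4", 60),
    ("www.examplelaw.com", "203.0.113.10", 3600),
    ("www.examplelaw.com", "203.0.113.11", 3600),
] + [("cdn.example.net", f"198.51.100.{i}", 60) for i in range(1, 7)]  # many IPs, one network


def hunt(records, company: str) -> dict:
    return {"lookalikes": lookalike_hits(records, company),
            "fast_flux": fast_flux_candidates(records)}


if __name__ == "__main__":
    print(hunt(RECORDS, "Example Law"))
```

The CDN-like name in the sample deliberately has as many addresses and as short a TTL as the flux name but sits in a single network, which is why the network-diversity test matters; a legitimate anycast or CDN name with real network diversity can still fire, so treat a hit as a hunting lead to enrich with registration age and ASN ownership, not as a verdict.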
## Implications
SRG represents a sophisticated evolution in cybercrime, moving away from the "noise" of encryption to focus on high-pressure data extortion. Their speed is a primary threat; data theft can occur within hours of contact, and ransom demands frequently arrive within 30 minutes of exfiltration. Their focus on the legal sector leverages regulatory (GDPR/CCPA) and reputational risks to force quick payments.
## Mitigations
* **Verification:** Require out-of-band verification for any IT-support interaction the user did not initiate: hang up and call the help desk back on a number from the internal directory, never on one supplied by the caller or the email. State the rule plainly to staff that IT will not cold-call asking anyone to start a remote session.
* **Software Restrictions:** Allow-list RMM tools on endpoints with application control (AppLocker/WDAC or equivalent) and block unapproved ones such as AnyDesk or Zoho Assist at the network level; disable or restrict built-in Quick Assist where it is not needed. Because these tools are legitimate and signed, denying them takes an explicit allow-list, not antivirus.
* **MFA:** Enforce multi-factor authentication across all external-facing services. MFA alone does not stop this intrusion path, since the victim grants the remote session from an already-authenticated device; it does limit reuse of any credentials the attacker captures during the session.
* **Device Control:** Restrict the use of USB storage devices to prevent in-person data "imaging" as warned by the FBI.
* **Training:** Security awareness training specifically focused on callback phishing and vishing lures.
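Allow-listing is the preventive control; the detective counterpart is to flag any execution of the remote-support or transfer tools the report names that does not match the sanctioned agent, especially when the binary runs from a user-writable path (the "join a session, then drop a tool" pattern). The following is an added example, not code from the report or from any vendor, that runs that check over constructed Sysmon/EDR-style process-creation events. The filename patterns, the approved-RMM path, the host and user names and the events themselves are assumptions.

```python
"""Flag unapproved remote-access and transfer tools in process telemetry.

Added example, not from the report or any vendor. Runs an allow-list check
over Sysmon/EDR-style process-creation events. Tool names are the ones the
report lists; the filename regexes, the approved-RMM path and the events are
assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str        # full path of the launched executable
    cmdline: str
    parent_image: str


# Executable-name patterns for the tools named in the report (assumed names).
REMOTE_ACCESS = {
    "AnyDesk": re.compile(r"^anydesk.*\.exe$", re.I),
    "Zoho Assist": re.compile(r"^(zohoassist|za_access|zaservice).*\.exe$", re.I),
    "Bomgar/BeyondTrust": re.compile(r"^bomgar.*\.exe$", re.I),
    "SuperOps": re.compile(r"^superops.*\.exe$", re.I),
    "Quick Assist": re.compile(r"^quickassist\.exe$", re.I),  # built into Windows
}
TRANSFER = {
    "WinSCP": re.compile(r"^winscp\.exe$", re.I),
    "Rclone": re.compile(r"^rclone\.exe$", re.I),
}
# The one RMM agent the firm sanctions, by full path (assumption; in production
# also pin the signer and hash, since a path alone is easy to imitate).
APPROVED_RMM = {r"c:\program files\approvedrmm\agent.exe"}
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\windows\\temp\\|\\programdata\\", re.I)


def classify(ev: ProcessEvent) -> list:
    """Return (tool, reason) findings for one event; empty list means clean."""
    if ev.image.lower() in APPROVED_RMM:
        return []
    base = ev.image.rsplit("\\", 1)[-1]
    findings = [(n, "unapproved remote-access tool")
                for n, p in REMOTE_ACCESS.items() if p.search(base)]
    findings += [(n, "exfiltration-capable transfer tool")
                 for n, p in TRANSFER.items() if p.search(base)]
    if findings and USER_WRITABLE.search(ev.image):
        # Legitimate installs live under Program Files; a copy in Temp or
        # Downloads is the mid-session drop the report describes.
        findings.append(("path", "run from user-writable location"))
    return findings


def triage(events) -> list:
    """Events worth a ticket, with their findings, in input order."""
    out = []
    for ev in events:
        f = classify(ev)
        if f:
            out.append((ev.host, ev.user, ev.image, f))
    return out


EVENTS = [  # constructed telemetry, not from a real incident
    ProcessEvent("WS-ATTY-17", r"FIRM\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
                 "AnyDesk.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent("WS-ATTY-17", "NT AUTHORITY\\SYSTEM", r"C:\Program Files\ApprovedRMM\agent.exe",
                 "agent.exe --service", r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS-ATTY-17", r"FIRM\jdoe",
                 r"C:\Users\jdoe\Downloads\rclone-v1.66.0-windows-amd64\rclone.exe",
                 r'rclone.exe copy "C:\Clients\MA" remote:dump --transfers 16',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-ATTY-17", r"FIRM\jdoe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, user, image, findings in triage(EVENTS):
        print(host, user, image, findings)
```

Only the AnyDesk and rclone launches surface; the sanctioned agent is skipped by its allow-listed path. Given the report's timeline (exfiltration within hours, demand within minutes), this is a rule to alert on in real time, not a weekly hunt, and the user-writable-path finding is the one to page on.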