Silent Ransom Group is escalating attacks on U.S. law firms by posing as IT staff through phishing emails, phone calls, and in-person visits.
The group, also tracked as Luna Moth, Chatty Spider, and UNC3753, is focusing on data theft and extortion rather than traditional ransomware encryption, making its activity more difficult for organizations to detect early.
“This is a pretty natural evolution of extortion operations,” said Gabrielle Hempel, Security Operations Strategist at Exabeam, in an email to eSecurityPlanet.
She explained, “We spent years building detections around malware and exploits, and now attackers are shifting toward social engineering, trusted tooling, and physical access.”
Gabrielle added, “Physical security fell by the wayside when organizations began to move their data to the cloud, but if your security model assumes that the threat actor is always on the other side of the internet, you have a problem.”
Key Takeaways of the Silent Ransom Group
- Silent Ransom Group is targeting law firms through IT impersonation, phishing, and social engineering tactics.
- The group focuses on data theft and extortion rather than traditional ransomware encryption.
- Attackers are abusing legitimate remote administration tools to blend malicious activity with normal operations.
- SRG campaigns have evolved from callback phishing scams to sophisticated fake IT support operations, including reported onsite impersonation attempts.
Inside the Silent Ransom Group’s Tactics
The campaign highlights the growing effectiveness of social engineering-driven intrusions that rely on manipulating employees rather than just deploying traditional malware.
According to the FBI, the Silent Ransom Group (SRG) has consistently targeted U.S.-based law firms since spring 2023, although organizations in the healthcare, insurance, and financial sectors have also been affected.
The activity reflects a broader shift in the cybercriminal landscape, where attackers favor stealthy data theft and extortion over disruptive ransomware encryption attacks.
Unlike traditional ransomware groups, SRG focuses on stealing sensitive data and threatening to leak or sell it publicly.
How SRG’s Social Engineering Attacks Work
Historically, SRG campaigns relied on callback phishing schemes involving fake invoices, billing notices, or subscription charges.
Victims were instructed to call a phone number to dispute the charge, after which attackers guided them into installing remote access software under the guise of resolving the issue.
Recent campaigns have evolved into more sophisticated impersonation operations.
Attackers now pose as internal IT personnel and contact employees through phishing emails or phone calls designed to create urgency around technical problems or security incidents.
During these interactions, victims are pressured into granting remote desktop access so the supposed IT representative can troubleshoot or remediate the issue.
In some cases, if remote access attempts fail, SRG actors have reportedly escalated to physical intrusion attempts by sending individuals onsite while impersonating authorized support staff.
How Attackers Exfiltrate Data and Evade Detection
Once access is established, attackers rapidly move to exfiltrate sensitive data.
The group commonly uses legitimate remote administration and system management tools, including AnyDesk, Zoho Assist, Quick Assist, RustDesk, Splashtop, and Atera, to maintain access to victim environments.
SRG actors also use tools such as WinSCP and renamed versions of Rclone to facilitate data transfers.
In some cases, stolen information is uploaded to legitimate cloud storage services including Microsoft OneDrive and Google Drive to blend malicious activity with normal business operations.
During physical intrusion scenarios, attackers may also use external hard drives or USB devices to remove data directly from company systems.
The FBI advisory maps SRG activity to several MITRE ATT&CK techniques, including phishing (T1566), voice phishing (T1598.004), abuse of remote access software (T1219), and exfiltration over web services (T1567).
Because many of the tools and platforms involved are commonly used within enterprise environments, the activity can appear legitimate, making detection more challenging for traditional endpoint solutions.
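One way to make that legitimate-looking activity stand out is to triage endpoint process-creation telemetry for the tools named above: remote administration software that is not on the organization's sanctioned list, and transfer tools such as Rclone whose on-disk name has been changed while the PE metadata still identifies them. The following is an added example, not code from the advisory or from any vendor; the Sysmon-style field names, the sanctioned-tool set and the sample events are constructed assumptions.

```python
import re
# Tools the FBI advisory names as abused by SRG, matched as lowercase substrings
# of image path, PE OriginalFileName or Description rather than exact binary
# names ("zoho" is deliberately coarse and also flags other Zoho products).
REMOTE_ADMIN_TOOLS = ("anydesk", "zoho", "quickassist", "rustdesk", "splashtop", "atera")
TRANSFER_TOOLS = ("rclone.exe", "winscp.exe")
SANCTIONED = {"quickassist"}  # assumption: this helpdesk sanctions only Quick Assist
# rclone "remote:path" argument: two or more chars before the colon and no slash
# after it, so a drive letter such as C:\ does not match.
RCLONE_REMOTE = re.compile(r"\b[A-Za-z][\w-]+:(?![\\/])")
RCLONE_VERBS = re.compile(r"\b(copy|copyto|sync|move)\b")

def classify(ev):
    """Return detection tags for one Sysmon-style process-creation event."""
    image = ev.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    orig = ev.get("OriginalFileName", "").lower()
    desc = ev.get("Description", "").lower().replace(" ", "")
    cmd = ev.get("CommandLine", "")
    tags = []
    for tool in REMOTE_ADMIN_TOOLS:
        if tool in image or tool in orig or tool in desc:
            if tool not in SANCTIONED:
                tags.append(f"unsanctioned_remote_admin:{tool}")
            break
    # Renamed transfer tool: PE metadata still says rclone/WinSCP while the file
    # on disk carries another name to blend in with system processes.
    if orig in TRANSFER_TOOLS and name != orig:
        tags.append(f"renamed_transfer_tool:{orig}->{name}")
    # Command line shaped like an rclone transfer, whatever the binary is called.
    if RCLONE_VERBS.search(cmd) and RCLONE_REMOTE.search(cmd):
        tags.append("rclone_style_transfer")
    return tags

def triage(events):
    """Map ProcessId to tags for every event that triggered a detection."""
    return {ev["ProcessId"]: t for ev in events if (t := classify(ev))}

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ProcessId": "4412", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe", "Description": "AnyDesk", "CommandLine": "AnyDesk.exe"},
    {"ProcessId": "5120", "Image": r"C:\Windows\System32\QuickAssist.exe",
     "OriginalFileName": "QuickAssist.exe", "Description": "Quick Assist", "CommandLine": "QuickAssist.exe"},
    {"ProcessId": "6301", "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "rclone.exe", "Description": "Rsync for cloud storage",
     "CommandLine": r"svchost.exe copy C:\Cases od:matters --transfers 8"},
]
if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The sanctioned Quick Assist launch produces no tag, while the renamed Rclone binary is caught twice, once on its PE metadata and once on the shape of its command line, so either signal alone still fires if the other is stripped.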
Reducing Exposure to Social Engineering Attacks
Organizations defending against social engineering-driven threats such as those used by the Silent Ransom Group should prioritize both technical and human-focused security measures.
- Establish strict verification procedures for IT personnel, third-party technicians, and onsite visitors before granting physical or remote access to systems.
- Require phishing-resistant multifactor authentication (MFA) and implement privileged access management (PAM) to reduce unauthorized account access and lateral movement.
- Monitor for unauthorized remote administration tools, suspicious outbound data transfers, unusual cloud synchronization activity, and large-scale file archiving behavior.
- Deploy EDR/XDR, data loss prevention (DLP), and application allowlisting controls to identify and block suspicious administrative activity and data exfiltration attempts.
- Restrict unnecessary remote access services, removable media usage, and outbound connections to unsanctioned cloud storage platforms whenever operationally feasible.
- Conduct regular employee security awareness training focused on phishing, impersonation attempts, fake IT support requests, and social engineering tactics.
- Test incident response plans through tabletop exercises and attack simulations involving social engineering, insider access, and data extortion scenarios.
Together, these steps help organizations build resilience against social engineering-driven intrusions while reducing exposure to data theft, unauthorized access, and extortion.
The Shift Beyond Traditional Malware
The Silent Ransom Group’s operations reflect a broader shift in cybercrime toward attacks that rely more on social engineering, identity impersonation, and the misuse of legitimate administrative tools instead of traditional malware.
By abusing trusted tools and authorized user actions, attackers can blend malicious activity with normal operations, making detection more difficult and accelerating data theft and extortion efforts.
As threat actor tactics continue to evolve, organizations are adopting zero trust tools to help strengthen identity verification and limit unauthorized access.