The FBI is warning that a threat group is using IT-themed social engineering calls and callback phishing emails to gain remote access to systems and steal sensitive data.
The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, will then use the stolen data to extort the law firms, the advisory from the FBI’s Cyber Division said.
Silent Ransom Group Finds a Niche Targeting Law Firms
While SRG has historically targeted other sectors such as medical and insurance organizations, beginning in Spring 2023, the group has consistently targeted U.S.-based law firms and organizations with “similar naming conventions,” the FBI said, “likely due to the highly sensitive nature of legal industry data.”
The group has been operating since 2022 and is primarily known for callback phishing emails, aka reverse vishing, where the group pretends to be well-known companies purporting to charge small subscription fees. If the victim wishes to cancel the fake subscription, they must call the threat actor, who emails the victim a link to download remote access software to gain access to their device or system. Once they’ve established access, the threat group will search for sensitive data to exfiltrate and then send a ransom notice to the victim threatening to release the data if the ransom is not paid.
Beginning in March 2025, the group changed tactics by calling individuals and claiming to be an employee from their organization’s IT department, known as social engineering calls or vishing, short for “voice phishing.” The threat actor then tries to get the employee to join a remote access session. If the employee grants access to their device, “they are told that work needs to be done overnight,” the FBI said.
“Once in the victim’s device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through ‘WinSCP’ (Windows Secure Copy) or a hidden or renamed version of ‘Rclone,’” the FBI advisory said.
In the short amount of time SRG has been pursuing the vishing tactic, “it has been highly effective and resulted in multiple compromises,” the FBI said.
The group will also call victim organizations to pressure them into ransom negotiations. While SRG has a publicly available site to post victim data, “they are inconsistent in their use of the site, and do not always follow through on posting victim data,” the FBI said.
SRG Vishing Attacks Difficult to Detect
Because SRG uses legitimate management and remote access tools, attacks are unlikely to be detected by traditional antivirus tools.
Organizations are advised to monitor for the following potential signs of compromise:
- New unauthorized downloads of system management or remote access tools such as Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera
- WinSCP or Rclone connections made to an external IP address
- Emails from an unnamed group claiming data was stolen
- Voicemails or phone calls from an unnamed group claiming data was stolen
- Emails about subscription services that provide a phone number and require a call to remove pending charges
- Employees receiving unsolicited phone calls from individuals claiming to work in their IT department.
Recommendations include:
- Conducting staff training on phishing
- Developing and communicating policies for authenticating IT staff with employees
- Implementing two-factor authentication for all employees.
The FBI is seeking any information from SRG victims that can be legally shared, such as ransom notes, phone numbers used by the threat actor, communications such as voicemails, cryptocurrency wallet information, and more.
