Silent Ransom Group targets law firms via fake IT support calls

Summary
– The Silent Ransom Group targets U.S. law firms and professional services with social engineering attacks, often leading to data theft within hours of initial contact.
– Attacks begin with invoice-themed phishing emails from consumer accounts, followed by callback phone calls where attackers impersonate IT staff to gain remote access via tools like AnyDesk or Zoho Assist.
– Once inside a network, the group steals sensitive legal and financial documents from platforms like document management systems, using tools such as WinSCP or Rclone for exfiltration.
– Ransom demands are highly aggressive: they arrive within 30 minutes of the attackers leaving the victim environment, set a three-day deadline, and threaten to contact employees and clients directly if the victim does not pay.
– The group has shifted from traditional ransomware to data-theft extortion only, and now uses fast-flux infrastructure with residential IPs across multiple countries to protect its leak platforms.
A newly released report from cybersecurity firm Mandiant warns that the Silent Ransom Group is aggressively targeting U.S. law firms and professional services organizations through sophisticated social engineering attacks. These intrusions can escalate to data theft within just hours of the initial contact, highlighting a severe and growing threat to the legal sector.
This analysis follows a recent FBI FLASH advisory that first alerted the public to the group’s tactics, which now include both remote and in-person data theft. Mandiant’s report provides deeper technical insight into how these breaches unfold. The threat actor, tracked under the monikers UNC3753, Luna Moth, and Chatty Spider, is said to have struck dozens of organizations in the legal, financial, and professional services fields between January and May 2026.
Mandiant emphasizes that law firms are prime targets due to their vast collections of highly confidential client data. The pressure to avoid reputational harm and regulatory penalties makes these entities more likely to quietly resolve extortion demands. “Legal services firms represent high-value targets for extortion actors,” the report states. “They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports.” The firm adds that threat groups understand these entities face heavy reputational and regulatory exposure, motivating them to settle incidents discreetly.
The attack chain begins with invoice-themed phishing emails sent from consumer email accounts. These messages contain no malicious links or attachments; they are simply a setup for a follow-up phone call. Attackers, impersonating corporate IT staff, then contact the target. This callback phishing tactic is not new. The same group previously used it in BazarCall campaigns linked to Ryuk and Conti ransomware attacks. In these scenarios, a benign-looking email with an alarming IT-related lure prompts the recipient to call a provided number.
In the current campaign, the Silent Ransom Group impersonates IT help desks and convinces employees to join remote support sessions via platforms like Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services. During these sessions, the attackers trick the target into installing remote monitoring and management tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, granting them initial network access. Mandiant also discovered phishing domains that mimic internal IT portals, using patterns like `
To further evade detection, the threat actors use privnote[.]com, a self-destructing messaging service, to share installation links and commands during remote sessions. This tactic reduces forensic artifacts left in browser histories or corporate chat logs. Once inside, the group searches for sensitive legal and financial documents, including contracts, tax records, Social Security numbers, and merger or acquisition files. They commonly target document management platforms and cloud storage repositories, exfiltrating data with tools like WinSCP or Rclone.
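The remote-support and exfiltration tooling named in the two paragraphs above, together with the privnote.com step, map directly onto host telemetry. What follows is an added example written for this page, not code from Mandiant, the FBI or BleepingComputer: a small detector that scans process-creation records (field names mirror Sysmon Event ID 1 / Windows 4688, but every record here is constructed) for unsanctioned remote-support tools followed by exfiltration-capable tooling on the same host, and scans DNS records for privnote.com lookups. The executable-name fragments, the approved-tool policy and the 24-hour correlation window are assumptions, not indicators published with the report.

```python
"""
Added example (not from the Mandiant/FBI reports): host-sequence detection for
callback-phishing intrusions. Records are constructed; tool-name fragments and
the approved-tool set are assumptions to tune for a real estate.
"""
from datetime import datetime, timedelta

# Case-insensitive substrings matched against the image file name. Assumed
# naming; adjust to the binaries actually present in your environment.
RMM_PATTERNS = {
    "anydesk": "AnyDesk",
    "zoho": "Zoho Assist",
    "bomgar": "Bomgar/BeyondTrust",
    "superops": "SuperOps",
}
EXFIL_PATTERNS = {"rclone": "Rclone", "winscp": "WinSCP"}

# Remote-support products the organisation sanctions (assumed policy). Any
# RMM_PATTERNS hit outside this set is reported.
APPROVED_RMM = {"Bomgar/BeyondTrust"}

# Constructed sample telemetry: a help-desk host using the approved tool, and a
# workstation showing a Teams call, an AnyDesk install and rclone two hours later.
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2025-05-12T09:15:00", "host": "WS-IT-002", "user": "helpdesk",
     "image": r"C:\Program Files\Bomgar\bomgar-scc.exe"},
    {"ts": "2025-05-12T14:02:10", "host": "WS-LAW-017", "user": "jdoe",
     "image": r"C:\Program Files\Microsoft Teams\Teams.exe"},
    {"ts": "2025-05-12T14:09:41", "host": "WS-LAW-017", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2025-05-12T16:30:05", "host": "WS-LAW-017", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"},
]
SAMPLE_DNS_EVENTS = [
    {"ts": "2025-05-12T14:05:22", "host": "WS-LAW-017", "query": "privnote.com"},
    {"ts": "2025-05-12T14:06:00", "host": "WS-LAW-017", "query": "teams.microsoft.com"},
]


def classify_image(image):
    """Map an image path to ("rmm" | "exfil", product label), or None."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for fragment, label in RMM_PATTERNS.items():
        if fragment in name:
            return ("rmm", label)
    for fragment, label in EXFIL_PATTERNS.items():
        if fragment in name:
            return ("exfil", label)
    return None


def detect(process_events, dns_events, window_hours=24):
    """Return alerts in time order. An exfil tool seen on a host within
    window_hours of an unapproved remote-support tool is raised to high,
    matching the hours-not-days timeline the report describes."""
    alerts = []
    first_rmm = {}  # host -> (timestamp, label) of earliest unapproved RMM hit
    for ev in sorted(process_events, key=lambda e: e["ts"]):
        hit = classify_image(ev["image"])
        if hit is None:
            continue
        kind, label = hit
        ts = datetime.fromisoformat(ev["ts"])
        if kind == "rmm":
            if label in APPROVED_RMM:
                continue
            first_rmm.setdefault(ev["host"], (ts, label))
            alerts.append({"severity": "medium", "host": ev["host"], "ts": ev["ts"],
                           "user": ev["user"],
                           "reason": f"unapproved remote-support tool {label}"})
        else:
            severity, reason = "medium", f"exfiltration-capable tool {label}"
            prior = first_rmm.get(ev["host"])
            if prior and ts - prior[0] <= timedelta(hours=window_hours):
                severity = "high"
                reason += f" {ts - prior[0]} after {prior[1]} on the same host"
            alerts.append({"severity": severity, "host": ev["host"], "ts": ev["ts"],
                           "user": ev["user"], "reason": reason})
    for ev in dns_events:
        q = ev["query"].lower().rstrip(".")
        if q == "privnote.com" or q.endswith(".privnote.com"):
            alerts.append({"severity": "low", "host": ev["host"], "ts": ev["ts"],
                           "user": None,
                           "reason": "lookup of self-destructing note service privnote.com"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_EVENTS):
        print(f'{a["ts"]} {a["severity"]:6} {a["host"]} {a["reason"]}')
```

The sequence rule is the useful part: an AnyDesk install on its own is noisy in most firms, and rclone on its own is common on engineering hosts, but the two on the same workstation within a few hours is close to the attack described here. The privnote.com lookup is kept low severity because it is a short-lived artifact that the attackers themselves treat as disposable; it is worth retaining as a pivot rather than as a page.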
The extortion operation is described as highly aggressive. Mandiant reports that ransom demands often arrive within 30 minutes of the attackers leaving the victim’s environment. “These highly aggressive extortion letters give organizations a three-day deadline to respond and initiate ransom negotiations,” the report explains. If the victim is unresponsive, the attackers threaten to call and email target employees and external clients directly to alert them of the breach. The letters explicitly emphasize that a leak would compromise client trust, invite substantial regulatory fines, and prompt external clients to sue the victim organization for data mishandling.
The report also references the FBI’s recent warning about in-person data theft attacks. According to the FBI, attackers impersonate internal IT staff, then attempt to gain remote access or physically visit offices to “image” computers while secretly stealing files. While Mandiant notes limited forensic evidence, researchers believe these in-person attacks are likely linked to UNC3753 based on similar targeting, timelines, and operational behavior.
The Silent Ransom Group has been active since at least 2022, when it was part of the Ryuk and Conti cybercrime syndicate. After the Conti syndicate shut down in 2022, the group shifted to standalone data theft and extortion operations. Researchers say the group no longer relies on traditional ransomware encryption. Instead, it focuses entirely on data-theft extortion, stealing sensitive data and pressuring victims into paying to prevent leaks.
A separate report from Resecurity this week reveals that the gang is also operating fast-flux infrastructure to hide and protect its data-leak platforms. DNS fast flux involves constantly rotating a domain’s IP addresses through a large pool of compromised devices, making takedowns or blocking far more difficult. The infrastructure uses residential IP addresses across multiple countries and ISPs. Resecurity linked the group’s “business-data-leaks[.]com” leak site to residential proxy networks spread across Latin America, Eastern Europe, Central Asia, the Middle East, and Asia, as well as to other cybercrime-related services.
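Fast flux is visible from the resolver side: a fluxing name cycles through many addresses in many networks on short TTLs, where an ordinary site returns the same handful of addresses with long TTLs. The following is an added example, not code from Resecurity or BleepingComputer, that profiles repeated lookups of a domain and applies a simple flux heuristic. Every lookup and the prefix-to-ASN table are constructed; the addresses come from the RFC 5737 documentation and RFC 2544 benchmarking ranges and the AS numbers from the documentation range, so nothing here points at real infrastructure. The thresholds are an assumed starting point rather than published indicators.

```python
"""
Added example (not from the Resecurity report): fast-flux scoring over a
history of DNS answers. Samples, the prefix-to-ASN table and the thresholds
are all constructed or assumed for the demonstration.
"""
import ipaddress
from statistics import mean

# Constructed /24 -> (ASN label, country) table standing in for a real
# IP-intelligence lookup. The "resi" tags are an assumption for the demo.
PREFIX_INFO = {
    "198.18.0.0/24": ("AS64496-resi", "BR"),
    "198.18.1.0/24": ("AS64497-resi", "UA"),
    "198.19.5.0/24": ("AS64498-resi", "KZ"),
    "198.19.9.0/24": ("AS64499-resi", "TR"),
    "203.0.113.0/24": ("AS64500-resi", "ID"),
    "192.0.2.0/24": ("AS64501-hosting", "US"),
}

# Constructed lookup history: (domain, TTL seconds, A records) per query.
# "leaks.example" behaves like a fluxing leak site; "www.example" is stable.
LOOKUPS = [
    ("leaks.example", 60, ["198.18.0.14", "198.18.1.201"]),
    ("leaks.example", 60, ["198.19.5.77", "203.0.113.8"]),
    ("leaks.example", 30, ["198.19.9.130", "198.18.0.99"]),
    ("leaks.example", 60, ["203.0.113.41", "198.19.5.3"]),
    ("www.example", 3600, ["192.0.2.10"]),
    ("www.example", 3600, ["192.0.2.10"]),
    ("www.example", 3600, ["192.0.2.10"]),
]


def prefix_info(ip):
    """Return the /24 an address sits in and its (ASN, country) from the table."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net), PREFIX_INFO.get(str(net), ("unknown", "??"))


def profile(lookups, domain):
    """Aggregate address, prefix, ASN, country and TTL diversity for a domain."""
    ips, prefixes, asns, countries, ttls = set(), set(), set(), set(), []
    for name, ttl, answers in lookups:
        if name != domain:
            continue
        ttls.append(ttl)
        for ip in answers:
            net, (asn, cc) = prefix_info(ip)
            ips.add(ipaddress.ip_address(ip))
            prefixes.add(net)
            asns.add(asn)
            countries.add(cc)
    return {
        "domain": domain,
        "lookups": len(ttls),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "distinct_asns": len(asns),
        "countries": sorted(countries),
        "min_ttl": min(ttls) if ttls else None,
        "mean_ttl": mean(ttls) if ttls else None,
    }


def is_fast_flux(p, min_ips=5, min_prefixes=3, max_ttl=300):
    """Assumed heuristic: many addresses across several networks on short TTLs.
    Short TTL alone is not enough; CDNs and round-robin balancers do that too."""
    return (p["min_ttl"] is not None and p["min_ttl"] <= max_ttl
            and p["distinct_ips"] >= min_ips
            and p["distinct_prefixes"] >= min_prefixes)


if __name__ == "__main__":
    for name in ("leaks.example", "www.example"):
        p = profile(LOOKUPS, name)
        print(name, "fast-flux" if is_fast_flux(p) else "stable", p)
```

The discriminator the Resecurity report leans on is not the TTL but the provenance of the addresses: a legitimate site fronted by a CDN also rotates quickly, but its addresses belong to a few hosting networks, whereas a flux network built on residential proxies spans many consumer ISPs in many countries. In production the `PREFIX_INFO` table would be an ASN and residential-proxy feed, and the `distinct_asns` and `countries` fields are the ones to weight.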
To defend against these attacks, both Mandiant and the FBI recommend implementing strict verification procedures for IT support interactions, limiting remote access tools, enforcing MFA, restricting USB storage devices, and training employees to recognize voice phishing attempts. In practice, verification means that an unsolicited “IT support” call is confirmed by calling the help desk back on a number taken from the corporate directory, never one supplied by the caller or the email, and that remote-support software outside the organization’s approved list is blocked from executing rather than merely discouraged.
(Source: BleepingComputer)