FBI Warns of Silent Ransom Group Using Phishing and Vishing to Target U.S. Law Firms

 

The FBI has issued a warning about a sophisticated cybercriminal group known as the Silent Ransom Group (SRG), also referred to by aliases like Luna Moth, Chatty Spider, and UNC3753. This group has been actively targeting U.S.-based law firms and related organizations through advanced phishing techniques and social engineering scams. The group, which has been operational since 2022, is known for using deceptive communication methods to gain unauthorized access to corporate systems and extract sensitive legal data for ransom demands. In the past, SRG’s activities spanned across industries such as healthcare and insurance. 

However, since the spring of 2023, its focus has shifted to legal entities, likely because of the highly confidential nature of the data managed by law firms. The group commonly uses a method called callback phishing, also known as reverse vishing. In this approach, victims receive emails that appear to originate from reputable companies and warn them of small charges for fake subscriptions. The emails prompt users to call a phone number to cancel the subscription. During these calls, victims are instructed to download remote access software under the guise of resolving the issue. Once the software is installed, SRG gains control of the victim’s device, searches for valuable data, and uses it to demand ransom.  

In March 2025, SRG has adapted their strategy to include voice phishing or vishing. In this new approach, the attackers call employees directly, posing as internal IT staff. These fraudulent callers attempt to convince their targets to join remote access sessions, often under the pretext of performing necessary overnight maintenance. Once inside the system, the attackers move swiftly to locate and exfiltrate data using tools like WinSCP or a disguised version of Rclone. Notably, SRG does not prioritize escalating privileges, instead focusing on immediate data theft. The FBI noted that these voice phishing methods have already resulted in multiple successful breaches. 

SRG reportedly continues to apply pressure during ransom negotiations by making follow-up calls to victim organizations. While the group does maintain a public site for releasing stolen data, its use of this platform is inconsistent, and it does not always follow through on threats to leak information. A significant concern surrounding these attacks is the difficulty in detection. SRG uses legitimate system management and remote access tools, which are often overlooked by traditional antivirus software. The FBI advises organizations to remain vigilant, particularly if there are unexplained downloads of programs such as AnyDesk, Zoho Assist, or Splashtop, or if staff receive unexpected calls from alleged IT personnel. 

In response, the FBI urges companies to bolster cybersecurity training, establish clear protocols for authenticating internal IT requests, and enforce two-factor authentication across all employee accounts. Victims of SRG attacks are encouraged to share any information that might assist in ongoing investigations, including ransom communications, caller details, and cryptocurrency wallet data.