
The FBI Cyber Division has shared threat intelligence on the Silent Ransom Group (SRG), which is targeting law firms through phishing and social engineering. SRG's most recent activity uses IT-themed social engineering calls to gain unauthorized access to legal professionals' systems.
The Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, uses phishing emails to gain access to systems and steal sensitive information, which it then uses to extort its victims.
Its primary targets are U.S.-based law firms, presumably because of the sensitive client and case data they hold and the large sums that data can be ransomed for. SRG pressures the professionals to pay to keep client and legal-proceedings information from being leaked, threatening the loss of a case or of their credibility.
In use since at least 2022, the attack begins with a callback phishing email in which the attacker poses as a well-known company and claims the recipient holds a subscription.
To appear legitimate, the email cites a small subscription fee and tells the recipient to call the provided number to cancel, according to an Internet Crime Complaint Center (IC3) report. Neither the subscription, the fee, nor the business relationship is real.
The intent is to gain the target's trust and persuade them to call the number. The email also carries a link that downloads remote access software, giving the threat actors remote control of the device.
Once in, the threat actors search for confidential information to use in extorting the legal professionals.
After exfiltrating the data, they send a ransom note demanding a larger sum in exchange for not publishing it on the dark web.
Another tactic in this campaign is an email purporting to come from the target's IT department, with a link the recipient is told to use to allow a remote session. The threat actor asks for access to the device so that work can be completed overnight.
Once granted access, the attacker attempts to obtain administrative privileges. Whether or not they succeed in escalating, they exfiltrate data using WinSCP (Windows Secure Copy) or a hidden, renamed copy of Rclone.
They then call the victim to demand a ransom, threatening to publish the files on their data leak site. The FBI report notes that SRG's tools and tactics make its phishing emails hard for antivirus software to flag.
The FBI urged victims to share everything they receive from SRG to help dismantle the group's infrastructure. The IC3 report, issued with the FBI, disclosed that the campaign has compromised multiple devices, with this tactic observed as recently as March 2025.
Indicators of compromise include sudden, unauthorized downloads of remote access tools such as AnyDesk, Zoho Assist, Syncro, Atera, or Splashtop. WinSCP or Rclone connecting to an unknown IP address, or emails or calls asking about subscription plans or IT support, may also indicate an SRG intrusion.
Organizations should maintain backups of company data to limit losses from ransomware and extortion attacks, and enforce two-factor authentication to restrict account access.
When reporting, the FBI or local law enforcement will ask for a copy of the ransom note, the threat actors' phone numbers, any messages exchanged with SRG, details of the pitch used, and the cryptocurrency wallet information given for the ransom payment.