The FBI issued a flash alert warning that Silent Ransom Group (SRG) has escalated its attack methods against U.S.-based law firms. Beyond phishing emails and fake IT support calls, SRG now sends physical threat actors directly to victim offices to steal data from company computers.

This shift marks a significant change in how cybercriminal groups operate. Most data theft campaigns rely entirely on remote access. SRG has added physical presence to its toolkit, making it one of the few extortion groups that combines digital social engineering with in-person intrusion.
What Is Silent Ransom Group?
Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022. The group focuses on data theft and extortion rather than traditional ransomware encryption.
SRG separated from the Conti ransomware syndicate in March 2022 following Conti’s shutdown. The FBI has linked the same actors to BazarCall campaigns that provided initial network access for both Conti and Ryuk ransomware operations. Since early 2023, the group has consistently targeted U.S.-based law firms and financial organizations.
Unlike ransomware groups that encrypt files and demand payment for decryption keys, SRG steals data and threatens to sell or publicly release it unless the victim pays a ransom.
How the Silent Ransom Group Attack Chain Works
SRG updated its playbook as of Spring 2026. The attack follows a multi-stage social engineering sequence that escalates from a phone call all the way to a physical office visit.
Stage 1: Initial Contact
SRG actors call employees directly or send phishing emails. The messages use IT helpdesk, billing, subscription, or invoice-themed lures to create urgency. The goal is to get the target employee on a phone call with someone posing as internal IT support.
Researchers at EclecticIQ noted in a May 2025 report that SRG registers typosquatted domains that impersonate IT helpdesk portals for major U.S. law firms and financial services companies. These domains add visual credibility to the phishing emails.
Stage 2: Remote Access Attempt
Once on the call, the fake IT support representative directs the employee to grant remote desktop access. SRG actors use legitimate remote access tools including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera to establish the session.
Because these tools are legitimate software used by real IT departments, traditional antivirus products rarely flag the intrusion. The FBI warns that detecting these tools alone should not be treated as confirmation of an SRG attack without additional analytical evidence.
Stage 3: In-Person Escalation
If the remote access attempt fails, SRG sends a threat actor physically to the victim’s office. The attacker presents themselves as an IT support technician and claims to need access to the device to image it or create a backup file to address a phishing-related issue.
Once inside, the attacker inserts a USB drive or external hard drive directly into the victim’s computer and copies data to the device. The FBI flash alert (PDF) classifies this technique as MITRE ATT&CK T1052.001: Exfiltration over USB, which covers adversaries who exfiltrate data over a USB-connected physical device, including in scenarios involving air-gapped networks.
Stage 4: Data Exfiltration
Whether through remote access or physical presence, SRG exfiltrates data using:
- WinSCP (Windows Secure Copy)
- Rclone, sometimes hidden or renamed to avoid detection
- Microsoft OneDrive or Google Drive for cloud-based staging
SRG actors minimize privilege escalation and move quickly to exfiltration without any encryption step, which means traditional ransomware detection rules will not fire.
Stage 5: Extortion
After exfiltrating data, SRG sends a ransom email threatening to post or sell the stolen files. The group also calls employees and clients of the victim company directly to pressure the organization into beginning ransom negotiations. SRG maintains a public leak site at business-data-leaks[.]com where it publishes victim data to demonstrate that its threats are credible.
MITRE ATT&CK Mapping for SRG
The table below summarizes the key MITRE ATT&CK techniques the FBI attributes to SRG activity:
| Tactic | Technique | SRG Activity |
|---|---|---|
| Initial Access | T1566: Phishing | Callback phishing with invoice, billing, or IT-themed lures |
| Social Engineering | T1598.004: Voice Phishing | Actors impersonate internal IT support by phone |
| Execution | T1219: Remote Access Software | Legitimate tools establish interactive access |
| Credential Access | T1078: Valid Accounts | Actors may use victim credentials to access email or cloud services |
| Collection | T1560: Archive Collected Data | Data staged or compressed before exfiltration |
| Collection | T1530: Data from Cloud Storage | Theft from Microsoft 365, OneDrive, and Google Drive |
| Exfiltration | T1567: Exfiltration Over Web Service | Stolen data uploaded to cloud platforms |
| Exfiltration | T1052.001: Exfiltration to Removable Media | USB or external hard drive insertion during in-person visits |
| Impact | T1657: Financial Theft / Extortion | Threats to publish or sell stolen data |
Indicators of Compromise
SRG attacks leave few artifacts on compromised machines. Watch for the following warning signs in your environment:
- Unauthorized downloads of remote access tools including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera
- Unauthorized installation of external hard drives or USB drives on company computers
- WinSCP or Rclone connections to external IP addresses
- Data exfiltration alerts involving Microsoft OneDrive, Google Drive, or unknown external servers
- Unidentified individuals claiming to be IT support and attempting to access computers in person
- Ransom emails, phone calls, or voicemails from an unnamed group claiming to have stolen company data
- Employees receiving unsolicited calls from individuals falsely claiming to work in the company’s IT department
- Emails or calls to clients stating that their data has been stolen
How to Defend Against Silent Ransom Group
The FBI recommends the following defensive measures. Organizations should treat these as a layered set of controls rather than a single solution.
Physical security:
- Verify the credentials and ID of every individual who accesses company spaces
- Treat any unsolicited visit from someone claiming to be IT support as suspicious until verified through an independent channel
- Establish a clear process for employees to challenge and report unexpected IT visitors
Technical controls:
- Require phishing-resistant multi-factor authentication (MFA) for as many services as possible
- Disable remote access and external drive installation permissions on computers that handle sensitive or confidential data
- Block access to port 22 where possible to limit encrypted remote access and file transfer channels
- Deploy data loss prevention tools to detect and block sensitive data transfers to USB devices or cloud storage
Policy and training:
- Develop clear written policies on how IT support communicates and authenticates with employees
- Train staff to identify, resist, and report phishing attempts and suspicious phone calls
- Require employees to verify IT support identity through a second channel before granting any remote access
- Maintain regular backups of company data stored in an isolated environment
Because SRG attacks rely almost entirely on social engineering and impersonation, employee awareness is one of the strongest defenses available. Tactics like these overlap significantly with AI security scams that use voice and text impersonation to bypass technical defenses entirely.
What to Report to the FBI
If your organization has received contact from SRG or suspects an active intrusion, the FBI requests the following information where legally permissible:
- A copy of any ransom note received
- Phone numbers or email accounts used by the threat actor
- Transcripts or voicemails from communications with the threat actor
- The original callback message or phishing email
- Cryptocurrency wallet information if a payment demand was issued
- Any surveillance video or photos of individuals who posed as IT support
Submit reports through the Internet Crime Complaint Center at IC3.gov.
FAQs
What is Silent Ransom Group?
Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is a cybercrime gang active since at least 2022. The group targets U.S. law firms and financial organizations through social engineering, data theft, and extortion. SRG does not encrypt files. It steals data and threatens public release or sale unless the victim pays a ransom.
How does Silent Ransom Group gain access to victim networks?
SRG uses callback phishing emails and direct phone calls to impersonate IT support staff. Attackers convince employees to grant remote desktop access using legitimate tools like AnyDesk or Quick Assist. If the remote attempt fails, SRG sends a physical agent to the target’s office to insert a USB drive or external hard drive directly into a company computer.
Why does SRG target law firms specifically?
Law firms hold sensitive client data including legal strategy documents, financial records, and confidential communications. This data carries high extortion value because victims face serious reputational and legal exposure if the information goes public. The FBI notes that SRG has consistently targeted U.S.-based law firms since Spring 2023.
What remote access tools does Silent Ransom Group use?
SRG uses legitimate tools including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera. These tools do not trigger antivirus alerts because they are widely used for legitimate IT support. The FBI cautions against attributing their presence as malicious without supporting analytical evidence.
How do I report a Silent Ransom Group attack?
Report the incident to the FBI through IC3.gov. Preserve ransom notes, phishing emails, phone call transcripts, and any surveillance footage of individuals who claimed to be IT support during the intrusion.
