Silent
Silent is a data extortion and ransomware threat actor also referred to in the provided content as Silent Ransom Group, Luna Moth, Chatty Spider, and UNC3753. The content states the group has been active since at least 2022, was initially linked by researchers to BazarCall-style operations associated with Conti and Ryuk, and appears to have shifted after Conti’s collapse toward standalone data theft and extortion. The group is described as usually not deploying file-encrypting ransomware in these incidents, instead stealing data and extorting victims by threatening to publish or sell it. The provided reporting says Silent targeted U.S. legal firms, including American law firms, and that the FBI warned of a new tactic used since spring 2026 against that sector. According to the content, attacks begin with phishing emails or phone calls impersonating IT staff and attempting to persuade victims to grant access through RDP or other remote administration tools. If remote access fails, the group may send a person to the victim office posing as an IT specialist, who connects a USB flash drive or external disk to a workstation, gains access, escalates privileges, and exfiltrates data. The content says the group uses legitimate tools such as WinSCP and Rclone, cloud services including Google Drive and Microsoft OneDrive, and in some cases copies stolen data directly to external media brought on site. The FBI reporting in the content notes that the group leaves few traces and mainly relies on built-in remote access and administration tools. The content also states that Silent pressures victims after theft with ransom demands and by contacting employees or even clients. A reported example is Jones Day, where Silent was said to have demanded $13 million following a March 2026 breach. Additional victim claims mentioned in the content include ESP Associates, Fleet Canada Inc, Advanced Simulation Technology, Versa Networks, Cocoon, and Judicare Legal Aid. Separate reporting in the content says Silent newly entered AhnLab’s May 2026 ransomware rankings in second place with 99 incidents, and another source lists Silent as a new ransomware variant appearing in April 2024.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Rapidly emerging ransomware group that newly entered the top rankings by incident volume.
Data-theft and extortion operations targeting U.S. legal firms, using callback phishing, phone-based social engineering, remote access attempts, and in-person impersonation of IT staff to gain physical access and steal data without deploying ransomware encryption.
Named as the ransomware group that demanded $13 million in connection with a March 2026 data breach affecting Jones Day.
Ransomware group noted for a large ransom demand against a business-sector legal firm.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.