FBI warns Silent Ransom Group is infiltrating US law firms through fake IT support
The FBI has warned that the Silent Ransom Group (SRG) — also tracked as Luna Moth, Chatty Spider, and UNC3753 — is actively targeting U.S. law firms with social-engineering campaigns designed to steal sensitive data for extortion. According to the bureau, the group uses callback phishing emails, fake IT support phone calls, and in some cases even in-person visits to offices while impersonating internal technology staff. Rather than encrypting systems, SRG focuses on gaining remote desktop or physical access, quickly exfiltrating files, and then threatening to publish or sell the stolen information on its leak site, including business-data-leaks[.]com.
Federal officials said the activity has consistently targeted U.S. law firms since spring 2023, while also affecting organizations in healthcare, insurance, and finance. The intrusions are difficult to detect because the attackers rely on legitimate remote administration and file-transfer tools and trusted cloud services, including WinSCP, Rclone, Google Drive, and Microsoft OneDrive, leaving few traditional malware artifacts behind. The FBI urged organizations to verify IT personnel and office visitors, harden help desk and password-reset procedures, enforce phishing-resistant MFA, restrict unauthorized remote access tools and removable media, and report related phishing emails, ransom notes, wallet details, and impersonator information to investigators.
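Because the tools named above are legitimate, a practical check is to alert on where and by whom they run rather than on the binaries themselves. The following is an added example, not part of the FBI advisory or the original page: the event format, host names, accounts, and allowlist are hypothetical, and the log lines are constructed.

```python
import csv
import io
import ntpath

# Tool names come from the summary above; everything else here is an assumption.
WATCHED_TOOLS = {"rclone.exe": "Rclone", "winscp.exe": "WinSCP", "winscp.com": "WinSCP"}
RCLONE_TRANSFER = {"copy", "sync", "move"}  # rclone subcommands that move data
# Hypothetical allowlist of (host, account) pairs sanctioned to run these tools.
APPROVED = {("FS-BACKUP01", "svc_backup")}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = r"""timestamp,host,user,image,command_line
2026-01-01T10:02:11Z,WS-PARALEGAL07,jdoe,C:\Users\jdoe\Downloads\rclone.exe,rclone.exe copy D:\Matters remote:backup
2026-01-01T10:05:40Z,FS-BACKUP01,svc_backup,C:\Tools\rclone.exe,rclone.exe sync E:\Archive offsite:archive
2026-01-01T10:07:02Z,WS-PARALEGAL07,jdoe,C:\Program Files\Microsoft Office\WINWORD.EXE,WINWORD.EXE brief.docx
2026-01-01T10:09:30Z,WS-RECEPTION02,asmith,C:\Temp\WinSCP.exe,WinSCP.exe
"""


def triage(events_csv, approved=APPROVED):
    """Return one finding per execution of a watched tool."""
    findings = []
    for ev in csv.DictReader(io.StringIO(events_csv)):
        # ntpath parses Windows paths regardless of the OS running this script.
        tool = WATCHED_TOOLS.get(ntpath.basename(ev["image"]).lower())
        if tool is None:
            continue
        sanctioned = (ev["host"].upper(), ev["user"].lower()) in approved
        args = ev["command_line"].lower().split()[1:]
        moves_data = tool == "Rclone" and any(a in RCLONE_TRANSFER for a in args)
        findings.append({
            "timestamp": ev["timestamp"], "host": ev["host"], "user": ev["user"],
            "tool": tool, "moves_data": moves_data,
            # Sanctioned use is still surfaced for review, not silently dropped.
            "severity": "review" if sanctioned else "alert",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on file name alone misses renamed binaries, so in production this check belongs alongside application allowlisting rather than in place of it.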

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Google reports UNC3753 targeted dozens of U.S. firms across sectors
In a report published on 2026-06-05, Google/Mandiant said UNC3753 targeted dozens of U.S. banks, law firms, and professional services firms between January and May using social engineering, data theft, and extortion. The report said the group shifted toward fake help-desk impersonation around March 2025 and published indicators of compromise and defensive recommendations.
GTIG links physical office intrusions to UNC3753
In a report published on 2026-06-05, Google Threat Intelligence Group assessed that attempted in-person data theft incidents at U.S. law firms were likely connected to UNC3753, also known as Silent Ransom Group/Luna Moth. GTIG said the assessment was based on structural, timeline, and targeting overlaps, while noting limited forensic evidence prevented formal attribution.
Silent Ransom Group begins sustained targeting of U.S. law firms
The FBI said the Silent Ransom Group, also known as Luna Moth, Chatty Spider, and UNC3753, has consistently focused on U.S. law firms since Spring 2023. The group uses social engineering to obtain remote or physical access, steal data, and extort victims without deploying file-encrypting ransomware.
FBI issues FLASH warning on SRG attacks against law firms
On 2026-05-26, the FBI issued FLASH-20260526-01 warning that Silent Ransom Group is actively targeting U.S.-based law firms through callback phishing, fake IT support interactions, and in some cases in-person visits. The advisory described the group's use of legitimate tools and cloud services for rapid data exfiltration and requested victim reporting artifacts.
Resecurity uncovers SRG fast-flux leak-site infrastructure
On 2026-02-22, Resecurity reported that it had identified Silent Ransom Group's fast-flux DNS infrastructure supporting its leak sites, including rotating residential IPs, WebNic-registered domains, and tokenized download links designed to resist takedowns and analysis. The report also linked the newer Spy Corporate project to the same infrastructure ecosystem.
FBI and CISA issue private warning on SRG targeting law firms
On 2025-05-23, the FBI, with DHS/CISA, issued a TLP:CLEAR Private Industry Notification warning that Silent Ransom Group was targeting U.S.-based law firms. The notice said the group had shifted as of April 2025 to phone-based IT impersonation and, in some cases, sending someone on-site to insert a storage device and steal data.
Sources
Silent Ransom Group (SRG): Switching To DNS Fast Flux Infrastructure - Security Affairs (securityaffairs.com)
If you don't fall for these extortionists' calls, they'll show up with USB sticks (theregister.com)
Ongoing Targeted Campaign Against US Law Firms | Google Cloud Blog (cloud.google.com)
Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person | TechCrunch (techcrunch.com)
Hawk Law Group Hit by Incransom Ransomware (brightdefense.com)
Resecurity | Silent Ransom Group (SRG): Uncovering DNS Fast Flux Infrastructure (resecurity.com)
IC3 Alerts (ic3.gov)


