FBI Alerts on Silent Ransom Group Targeting Law Firms
The FBI has issued an alert (PDF) about the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, which has been actively targeting U.S.-based law firms through social engineering tactics. SRG’s recent focus on legal firms began in spring 2023, likely due to the sensitive nature of legal data. While law firms are the primary target, the group also targets other sectors, such as the medical and insurance industries.
Operating since 2022, SRG is best known for its callback phishing scams. These typically involve fake subscription emails that prompt recipients to call a number to cancel charges. During the call, the victim is tricked into downloading remote access software, giving SRG access to their system. Once inside, the group exfiltrates sensitive data and sends a ransom email threatening to publish or sell the stolen information unless payment is made.
In early 2025, SRG evolved its tactics to include direct phone calls, posing as IT staff from the victim’s organization and instructing employees to join remote sessions. Once access is granted, data is exfiltrated using tools like WinSCP or disguised versions of Rclone. The attacks typically avoid privilege escalation and are quick to extract valuable data.
SRG has a public site to leak victim data but uses it inconsistently. They may also pressure victims by calling employees during ransom negotiations. Their operations leave minimal forensic traces and often go undetected by antivirus software because they rely on legitimate tools. Indicators of SRG activity include unexpected downloads of remote access tools (e.g., AnyDesk, Zoho Assist), external connections via WinSCP or Rclone, phishing emails referencing fake subscriptions, and phone calls or voicemails claiming data theft. Defenders are urged to monitor for these behaviors as possible signs of compromise.
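The indicators above can be correlated in process-creation telemetry. The following is an added example, not taken from the FBI alert or from Halcyon: it flags WinSCP or Rclone when the binary has been renamed or when it runs shortly after a remote access tool on the same host. The event fields, host names, file names, and the four-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Tool names are from the article; substring matching and the window are assumptions.
REMOTE_ACCESS = ("anydesk", "zohoassist")
EXFIL = ("winscp", "rclone")
WINDOW = timedelta(hours=4)

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
EVENTS = [
    {"host": "WS-101", "time": "2025-05-20T14:02:11", "original_file_name": "AnyDesk.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "WS-101", "time": "2025-05-20T14:19:40", "original_file_name": "rclone.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchelper.exe"},
    {"host": "WS-207", "time": "2025-05-21T09:00:05", "original_file_name": "ZohoAssist.exe",
     "image": r"C:\Users\asmith\Downloads\ZohoAssist.exe"},
    {"host": "WS-207", "time": "2025-05-21T09:31:52", "original_file_name": "winscp.exe",
     "image": r"C:\Users\asmith\Downloads\WinSCP.exe"},
    {"host": "SRV-03", "time": "2025-05-21T11:15:00", "original_file_name": "winscp.exe",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
]

def tool_of(event, names):
    """Match on the on-disk name and the name embedded in the PE version resource."""
    hay = f'{basename(event["image"])} {event["original_file_name"]}'.lower()
    return next((n for n in names if n in hay), None)

def is_renamed(event):
    """True when the file name on disk differs from the binary's embedded name."""
    return basename(event["image"]).lower() != event["original_file_name"].lower()

def detect(events, window=WINDOW):
    """Flag transfer tools that are renamed or that run soon after a remote-access tool."""
    findings, last_remote = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if tool_of(ev, REMOTE_ACCESS):
            last_remote[ev["host"]] = when
            continue
        tool = tool_of(ev, EXFIL)
        if tool is None:
            continue
        reasons = ["renamed binary"] if is_renamed(ev) else []
        seen = last_remote.get(ev["host"])
        if seen is not None and when - seen <= window:
            reasons.append("follows remote-access session")
        if reasons:
            findings.append((ev["host"], tool, reasons))
    return findings
```

Calling `detect(EVENTS)` flags the two workstation events and leaves the standalone WinSCP run on SRV-03 unflagged, which shows how the correlation keeps routine administrative use from generating alerts.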
Takeaway: SRG’s approach makes one thing crystal clear: they’re a skilled, methodical adversary playing the long game with ruthless efficiency. The FBI’s alert reads more like a blueprint for an advanced ransomware operation that you wouldn’t expect to see from low-level cybercriminals. These aren’t amateurs.
They’re getting in through slick social engineering, escalating privileges when they need to, and zeroing in on sensitive data using tools like WinSCP and Rclone, often masked behind legitimate remote access tools like AnyDesk and Zoho Assist. That’s not just stealth, it’s surgical. It’s seasoned. It’s dangerous.
They’re not dropping ransom notes on locked screens. They’re embedded, siphoning off data, and calling employees by name like they’ve been on payroll for months. It’s quiet, calculated extortion that hits where it hurts.
And law firms? They’re prime targets. These shops are loaded with confidential gold, from financials to IP, merger docs, litigation playbooks, and privileged emails. Everything a threat actor could want, all in one place. Double extortion thrives on leverage, and leaking a high-profile client’s dirty laundry is about as high-leverage as it gets.
The real vulnerability? Many of these firms just made the jump from paper to digital and are still playing catch-up on basic security, incident response, even endpoint tools, leaving them wide-open for attackers.
Law firms that dismiss the threat from groups like SRG are underestimating both the intent and capability of today’s ransomware operators. Sooner or later, that kind of miscalculation carries a serious price.