THREAT ACTOR: Silent
THREAT LEVEL: 5
EMERGENCE DATE: Mar 2022
CATEGORY: Closed Group; Data Extortion Only
AFFILIATIONS: Former Conti ransomware syndicate operators; operates independently from likely Russia-based locations

DESCRIPTION

Emerging in March 2022 from the collapse of the Conti ransomware syndicate, Silent Ransom Group operates as a pure data extortion group without deploying encryption. Known under the aliases Luna Moth, Chatty Spider, and UNC3753, the group intensified its targeting of U.S. law firms beginning in Spring 2023. March 2025 brought a tactical evolution from callback phishing to aggressive direct vishing campaigns, assessed as highly effective. Despite continuous operations since 2022, the group has faced no arrests or infrastructure disruptions.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Closed Group, Data Extortion Only

Silent Ransom Group operates as a closed, independent data extortion organization with no affiliate network and no encryption capabilities. Its direct lineage traces to the specialized BazarCall operators who provided initial access for Ryuk and Conti before the syndicate's March 2022 collapse, which followed the ContiLeaks exposure of over 100,000 internal files. Unlike the sibling operations Quantum, Roy/Zeon, and Black Basta, which adopted RaaS models with encryption, the group maintains centralized control without recruiting external affiliates.

Multiple organizations track the operation under different designations: Mandiant assigns UNC3753, Microsoft tracks it as Storm-0252, CrowdStrike identifies it as Chatty Spider, and Sygnia uses TG2729. Operations show patterns consistent with Russian-nexus threat actors, including the deliberate exclusion of ex-Soviet and CIS countries from targeting.

Current Status: Active with a volatile operational tempo; a May 2025 surge brought a significant increase in activity before a substantial decline by mid-2025

Threat Level: 5

Origins and Methodology

Silent Ransom Group weaponizes only legitimate commercial software, never deploying custom malware or encryption. Professional English-speaking call center operations guide victims through voluntary RMM tool installation. By March 2025, Reamaze AI-powered chatbots automated initial victim engagement on typosquatted helpdesk portals.

What is the Evolution of Silent Ransomware?
0.1 Formation

The first incident occurred on June 7, 2022, three months after Conti's collapse. Initial campaigns between May and October 2022 targeted organizations across the legal, retail, and healthcare sectors through callback phishing that spoofed subscription services including Duolingo, MasterClass, and online learning platforms.

Analysis identified close to 90 domain names associated with these operations. Fake invoices showed charges under one thousand dollars together with obfuscated VoIP numbers that reached professional call centers. Remote access relied on Zoho Assist, Atera, and Splashtop, with data exfiltrated through WinSCP and Rclone to servers in the 192.236.128.0/17 network range.

0.2 Evolution

Around 2023, targeting was refined to focus on U.S. law firms following recognition that legal sector data carries exceptional extortion leverage. Legal services organizations represented approximately 40% of documented victims through 2024. Victim-specific infrastructure replaced the earlier shared resources, with unique domains registered per target. Ransom demands escalated to multi-million dollar ranges calculated from researched target revenues.

Since late 2024 the group has operated under the LeakedData identity with new leak infrastructure. March 2025 marked a substantial tactical evolution, abandoning passive email-based callback phishing for aggressive direct vishing campaigns. Operators now proactively call employees claiming to represent internal IT departments and assert urgent maintenance needs that require immediate remote access.

Infrastructure supporting this evolution included multiple typosquatted domains registered through GoDaddy following company-name-helpdesk[.]com patterns.

0.3 Lineage/Connections

Direct lineage traces to Conti ransomware syndicate through specialized BazarCall operators active before March 2022. Connections exist to broader Wizard Spider threat actor collective associated with Ryuk and Conti operations.

Sibling relationships exist with other Conti successor groups including Quantum, Black Basta, Roy/Zeon, and Karakurt, which share a common heritage although their operational models diverge. Some intelligence suggests an initial relationship as an operational arm of Royal before the group established full independence.

Which Unique Techniques Does Silent Use?

Operations rely entirely on social engineering and abuse of legitimate software, generating minimal forensic artifacts that traditional security tools can detect.

Infection Vectors: Callback phishing emails spoofing subscription services with fake invoices under one thousand dollars (2022 to early 2025); direct vishing attacks beginning March 2025, with operators calling employees while impersonating IT staff and requesting immediate remote access for urgent maintenance

Target Selection: Over 90% of victims within the United States; U.S. law firms comprise the primary targets since Spring 2023 because of attorney-client privileged communications and exceptionally low tolerance for data exposure; secondary targeting includes healthcare, financial services, insurance, and professional services organizations, with revenue analysis calibrating ransom demands to organizational financial capacity

Operational Complexity: High social engineering paired with moderate technical complexity; professional call centers with native English speakers; AI-powered chatbots through the Reamaze platform by 2025; technical operations use only commercially available legitimate software without custom malware development or vulnerability exploitation

Key Features & Technical Details

Operations fundamentally depart from traditional ransomware, operating entirely without malware deployment or encryption capabilities.

Encryption Method: No encryption deployed; operates as pure data extortion

File Extension: Not applicable; no file encryption

Ransom Note: Email-based extortion communications threatening data publication, sale to competitors, or direct client contact

Double Extortion: Pure data exfiltration using WinSCP for SFTP transfers and Rclone for cloud synchronization; WinSCP Portable used when devices lack administrative privileges

Communication Channels: Professional call centers with VoIP infrastructure; typosquatted helpdesk domains via GoDaddy using domaincontrol[.]com nameservers; AI-powered chatbots via Reamaze; clearweb leak sites at business-data-leaks[.]com

Deployment Speed: Rapid operations completing data exfiltration within hours to days; minimal privilege escalation with immediate pivot to data theft

Payment Method: Bitcoin exclusively; unique BTC wallets per victim containing only two to three transactions before immediate emptying

Operational Model: Closed independent operation without affiliate network; revenue-based extortion calculations

Activities

A May 2025 surge brought a significant increase in activity, with numerous organizations claimed following the March 2025 implementation of vishing tactics; activity declined substantially by mid-2025, continuing the group's volatile operational patterns.

Nearly all documented victims operate within United States.

Which Industries Are Most Vulnerable to Silent?

U.S. law firms represent approximately 40% of victims since Spring 2023; financial services institutions comprise roughly one-quarter; healthcare, insurance, professional services, and accounting firms complete the target landscape.

Modus Operandi

Multi-stage methodology relies exclusively on social engineering and legitimate software abuse.

Details

Phishing: Spearphishing Link (T1566.002) via callback phishing dominated 2022 through early 2025 operations; fake invoices from Duolingo, MasterClass, and subscription services showing charges under one thousand dollars included obfuscated VoIP numbers reaching English-speaking call center operators.

March 2025 tactical shift to proactive vishing attacks; operators call law firm employees claiming to represent internal IT departments, asserting urgent overnight maintenance needs; victims directed to typosquatted domains like targetfirm-helpdesk[.]com registered through GoDaddy for remote access tool downloads.

Details

SoftPerfect Network Scanner conducts network reconnaissance; SharpShares enumerates network shares via Network Share Discovery (T1135).

File and Directory Discovery (T1083) targets local drives and network-shared folders seeking legal communications for law firm victims, protected health information for healthcare targets, and financial records for financial services organizations.

Details

Remote Access Software (T1219) deployment uses Zoho Assist as primary tool, supplemented by AnyDesk, Syncro, Splashtop, Atera, TeamViewer, ScreenConnect, and SuperOps; social engineering during callback phishing or vishing calls guides victims through voluntary installation posing as IT support.

Screen blanking features hide operator activities during active sessions; multiple redundant tools on single systems ensure continued access if defenders remove one application.

Details

Masquerading (T1036) through IT staff impersonation and System Binary Proxy Execution (T1218) using signed legitimate software from Zoho, AnyDesk, Syncro, and similar vendors; all tools carry valid digital signatures bypassing antivirus and EDR validation.

Callback phishing creates victim-initiated contact appearing as legitimate IT support requests; screen blanking during RMM sessions hides operator activities from users at compromised workstations.

Details

Minimal credential harvesting required as RMM tools operate within user security contexts granted during social engineering; Rclone and WinSCP credentials for exfiltration obtained through guided installation during initial access calls or extracted from browser password stores using remote access capabilities.

Details

Zoho Assist, AnyDesk, and other RMM platforms provide encrypted communication channels for operator commands; legitimate remote access protocols blend with normal IT support traffic avoiding network monitoring alerts.

2022 campaigns used exfiltration servers on 192.236.128.0/17 network range with random five-letter .xyz domains; current operations since 2024 shifted to cloud storage services including Rclone synchronization and SFTP servers on Hostwinds hosting infrastructure.

Details

Rapid pivot to data exfiltration minimizes lateral movement needs; SharpShares enumeration identifies accessible network shares for data collection using compromised user permissions rather than exploit-based propagation techniques.

Details

WinSCP transfers data via SFTP (T1048) to attacker-controlled servers; Rclone synchronizes stolen files to cloud storage services (T1537).

WinSCP Portable executes on non-administrative accounts during initial callback phishing or vishing sessions; operators frequently rename Rclone executables to evade process monitoring; compression using 7-Zip or WinRAR before transfer with data volumes ranging from gigabytes to over one terabyte.

Details

Syncro RMM installations provide persistence through registry modifications and scheduled tasks for extended access; multiple redundant RMM applications ensure continued access if defenders remove one tool.

March 2025 direct vishing campaigns often complete data exfiltration during initial remote access sessions without establishing long-term persistence mechanisms.

Details

Systems remain operational during attacks as no encryption occurs, though stolen data remains in attacker possession creating permanent exposure risk regardless of victim response actions.

Details

No encryption deployment; operates as pure data extortion without ransomware capabilities.

Details

Financial Theft (T1657) through ransom emails that arrive shortly before or after data exfiltration completes, threatening publication on leak sites, sale to competitors, or direct contact with the victim's largest clients. Communications name specific high-value clients identified from stolen data.

Data leak sites including business-data-leaks[.]com operate on the clearweb with victim names and countdown timers, though inconsistent usage patterns create strategic uncertainty; post-payment behavior proves unreliable, with documented cases where attackers ceased communication after receiving payment without providing proof of data deletion.

Details

RMM tools including Zoho Assist, Syncro, and AnyDesk typically remain installed post-exfiltration; legitimate software usage generates normal system logs making forensic artifact removal unnecessary.

Indicators of Compromise (IOCs)

Detection requires behavioral analytics identifying abuse of legitimate tools and anomalous user activities.

File Hashes: No malware file hashes exist; the group deploys only legitimate commercially licensed software, including digitally signed binaries from Zoho, AnyDesk, Syncro, Splashtop, Atera, TeamViewer, ScreenConnect, SuperOps, WinSCP, and Rclone

IP Addresses:
  Historical exfiltration infrastructure: 192.236.128.0/17 network range
  Data leak site infrastructure: 72.167.172.84 associated with GoDaddy hosting
  Monitoring for unusual SFTP connections on port 22 to external addresses

Domains/URLs:
  Typosquatted helpdesk portals: company-name-helpdesk[.]com or company-name-help[.]com formats registered via GoDaddy using domaincontrol[.]com nameservers
  Historical campaigns: random five-letter .xyz domains
  Data leak site: business-data-leaks[.]com
  Email confirmations: confirmations@godaddy[.]com

File Paths:
  Unauthorized installations of remote access tools in user directories
  Portable versions of WinSCP executing from temporary folders
  Rclone with hidden or renamed executables
  Persistence mechanisms may place Syncro in startup folders or registry run keys

File Extensions: Not applicable; no file encryption
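To make the File Paths, IP Addresses and Domains/URLs indicators above actionable, here is an added example (not code from the original profile or from any vendor) that classifies a few constructed Sysmon-style events against those patterns. The event field layout, the RMM binary-name substrings and the organization name examplefirm are assumptions; original_file_name stands in for Sysmon's OriginalFileName field so that a renamed Rclone binary is still caught.

```python
import ipaddress
import re
from pathlib import PureWindowsPath
# Assumed substrings of the RMM agents' binary names, matched against a
# Sysmon-style OriginalFileName so that a renamed copy is still recognised.
RMM_TOOLS = {"zohoassist", "anydesk", "syncro", "splashtop", "atera",
             "teamviewer", "screenconnect", "superops"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}
HISTORICAL_EXFIL_NET = ipaddress.ip_network("192.236.128.0/17")  # from the profile

def in_user_writable_dir(path):
    # Users\, AppData and Temp folders: where the profile says the tools land
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & {"users", "appdata", "temp"})

def classify_event(ev, org_name):
    """Return the indicator tags raised by one event dict (constructed layout)."""
    tags = []
    if ev["type"] == "process":
        image = ev["image"]
        base = PureWindowsPath(image).name.lower()
        orig = ev.get("original_file_name", base).lower()
        if any(t in orig for t in RMM_TOOLS) and in_user_writable_dir(image):
            tags.append("rmm_in_user_dir")        # RMM agent installed in a user dir
        if orig in TRANSFER_TOOLS and orig != base:
            tags.append("renamed_transfer_tool")  # e.g. rclone.exe under another name
        if orig == "winscp.exe" and in_user_writable_dir(image):
            tags.append("portable_winscp")        # WinSCP run from a temp/user folder
    elif ev["type"] == "network":
        dst = ipaddress.ip_address(ev["dst_ip"])
        if ev["dst_port"] == 22 and not dst.is_private:
            tags.append("outbound_sftp")          # SFTP/SSH to an external address
        if dst in HISTORICAL_EXFIL_NET:
            tags.append("historical_exfil_range")
    elif ev["type"] == "dns":
        # <org>-helpdesk.com / <org>-help.com pattern described in the profile
        if re.fullmatch(rf"{re.escape(org_name.lower())}-help(desk)?\.com", ev["query"].lower()):
            tags.append("helpdesk_typosquat")
    return tags

def scan(events, org_name):
    return {i: t for i, ev in enumerate(events) if (t := classify_event(ev, org_name))}

SAMPLE_EVENTS = [  # constructed telemetry, not real incident data
    {"type": "process", "image": r"C:\Users\jdoe\AppData\Local\Temp\WinSCP.exe"},
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\updater.exe",
     "original_file_name": "rclone.exe"},
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"type": "network", "dst_ip": "192.236.130.7", "dst_port": 22},
    {"type": "dns", "query": "examplefirm-helpdesk.com"},
]
```

Running scan(SAMPLE_EVENTS, "examplefirm") tags every constructed event; in production the RMM check should be paired with an allow-list of the agents the organization actually sanctions, since the page notes these tools are themselves legitimate.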

Exploits and Vulnerabilities

Operations do not exploit CVE vulnerabilities or technical weaknesses. The operational model relies exclusively on social engineering and legitimate software abuse.

CVE: None exploited
CVSS: Not applicable
DESCRIPTION: Operations rely exclusively on social engineering and legitimate software abuse without technical vulnerability exploitation

Additional Attack Vectors: Human and organizational vulnerabilities represent the exclusive attack surface, including social engineering susceptibility, lack of IT authentication protocols, security awareness training gaps, trust in legitimate tools, and urgency exploitation. Organizational weaknesses include digital transformation gaps, particularly affecting law firms transitioning from paper to digital operations, inadequate cybersecurity controls, weak incident response planning, limited data governance, and insufficient network segmentation. Technical configuration vulnerabilities encompass unrestricted outbound SFTP traffic, RMM tool proliferation, lack of application whitelisting, insufficient monitoring creating EDR and XDR gaps, and missing MFA on critical systems.