CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Silent Ransom Group Targets Law Firms With IT Support Impersonation Attacks

Cybersecurity News Archived May 28, 2026 ✓ Full text saved

A threat group known as the Silent Ransom Group is actively targeting US-based law firms using a bold and deceptive social engineering playbook. Rather than deploying ransomware in the traditional sense, this group goes straight for the data and then turns it into a weapon against the very organizations it stole from. The Silent Ransom […] The post Silent Ransom Group Targets Law Firms With IT Support Impersonation Attacks appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Silent Ransom Group Targets Law Firms With IT Support Impersonation Attacks By Tushar Subhra Dutta May 28, 2026 A threat group known as the Silent Ransom Group is actively targeting US-based law firms using a bold and deceptive social engineering playbook. Rather than deploying ransomware in the traditional sense, this group goes straight for the data and then turns it into a weapon against the very organizations it stole from. The Silent Ransom Group (SRG), also tracked under the aliases Luna Moth, Chatty Spider, and UNC3753, has been active since at least 2022. The group operates across several industries, including insurance, finance, and healthcare, but law firms have been a consistent and primary focus since Spring 2023. Their method is straightforward but highly effective: trick employees into trusting them, gain inside access, steal the data, and demand payment before it goes public. The FBI said in a report shared with Cyber Security News (CSN) that SRG actors have recently escalated their tactics in a way that makes detection far more difficult. Instead of relying on malicious software that antivirus tools might catch and flag, they use legitimate remote access tools to blend in with normal IT activity. That deliberate shift has made their campaigns significantly harder to spot and far harder to stop. What sets SRG apart from most ransomware groups is that they skip encryption entirely. There is no locked system, no ransom note on the desktop, no sudden system shutdown. Instead, the attackers quietly steal sensitive files and then threaten to sell or publish that data publicly unless the victim pays up. For law firms holding highly confidential client records, that threat alone is often enough to force compliance. The extortion does not stop with a single ransom email. SRG actors also call employees and clients of victimized organizations directly, applying heavy additional pressure to push victims toward paying. Any stolen data that goes unpaid ends up posted to the group’s public-facing leak site, business-data-leaks[.]com, for anyone online to find and access. Silent Ransom Group Targets Law Firms As of Spring 2026, SRG actors have shifted to impersonating IT department staff to gain a foothold inside target organizations. They either call employees directly or send phishing emails urging them to reach out to what appears to be their own internal IT support team. Once the target is on the phone, the attacker tries to convince them to allow remote desktop access right away. If the remote approach fails, SRG takes things a dramatic step further. The group has been known to physically send a person to the victim’s location, where the individual pretends to be a legitimate IT technician. The fake technician claims they need to image the device or create a backup file due to a recent phishing threat, giving them reason to plug a USB or external hard drive directly into the victim’s computer. Once access is obtained, attackers move quickly. They use tools like WinSCP or a hidden version of Rclone to pull data off the network and push it to cloud storage or carry it out on a physical drive. The entire operation is carefully designed to stay under the radar while extracting as much valuable data as possible. Defending Against SRG Attacks The FBI has outlined several steps organizations can take to reduce their exposure to this type of threat. Verifying the identity of anyone who shows up claiming to be IT support is a critical first step, and that includes checking their ID before allowing access to any system. Organizations should also build clear internal policies around how real IT staff communicate with employees, so workers can recognize when something feels off. On the technical side, blocking port 22 where possible and disabling remote access permissions on machines that handle sensitive data can limit the pathways attackers use. Requiring phishing-resistant multi-factor authentication across services adds another layer of defense. Regular staff training on recognizing social engineering attempts, combined with routine data backups, rounds out a solid and practical defense posture. Indicators of Compromise (IoCs):- Type Indicator Description Domain business-data-leaks[.]com SRG public-facing leak site used to post stolen victim data  Tool WinSCP (Windows Secure Copy) Used by SRG actors to exfiltrate data to external IP addresses  Tool Rclone (hidden or renamed version) Used by SRG for covert data exfiltration to cloud or remote servers  Remote Access Tool Zoho Assist Unauthorized download may indicate SRG presence on a host  Remote Access Tool Quick Assist Unauthorized download may indicate SRG presence on a host  Remote Access Tool AnyDesk Unauthorized download may indicate SRG presence on a host  Remote Access Tool RustDesk Unauthorized download may indicate SRG presence on a host  Remote Access Tool Syncro Unauthorized download may indicate SRG presence on a host  Remote Access Tool Splashtop Unauthorized download may indicate SRG presence on a host  Remote Access Tool Atera Unauthorized download may indicate SRG presence on a host  Cloud Platform Microsoft OneDrive Used as an exfiltration destination for stolen victim data  Cloud Platform Google Drive Used as an exfiltration destination for stolen victim data  Network Port Port 22 Exploited to enable encrypted remote access and file transfers  Physical Media USB drive / External hard drive Inserted in-person by SRG actor for physical data exfiltration  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant Latest News Cyber Security News SBI Warns of Scammers are Sending Fake Messages Claiming Your YONO App Will be Deactivated Cyber Attack News FortiClient EMS Code Execution Vulnerability Exploited to Deploy EKZ Malware Cyber Security Anthropic Updates Claude Code With Security Plugin and Faster Performance Cyber Security News GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains Cyber Security News Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗