CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 09, 2026

Silent Ransom Group Hits US Law Firms in Escalating Extortion Attacks

Dark Reading Archived Jun 09, 2026 ✓ Full text saved

The financially motivated group is combining vishing, IT impersonation, and in-person office intrusions to steal data and extort victims.

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBERATTACKS & DATA BREACHES CYBER RISK THREAT INTELLIGENCE NEWS Silent Ransom Group Hits US Law Firms in Escalating Extortion Attacks The financially motivated group is combining vishing, IT impersonation, and in-person office intrusions to steal data and extort victims. Jai Vijayan,Contributing Writer June 8, 2026 4 Min Read SOURCE: KOLDUNOV VIA SHUTTERSTOCK A financially motivated threat group is targeting US legal, professional and financial services firms in a data theft extortion campaign using a combination of phishing, voice impersonation tactics, and legitimate remote access tools. Google's Mandiant division attributed the activity to UNC3753, a threat cluster associated with the Silent Ransom group, which is known for stealing high-value data from victims and then extorting ransoms from them under the threat of public disclosure.  UNC3753 Hits Dozens in Targeted Attacks Between January and May 2026, the group targeted dozens of organizations with social engineering attacks to gain initial access to victim environments.  "UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments," Google said in a recent blog post. "Using pretexts such as data migration or invoice related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities." Related:Iran Signed a Ceasefire — Its Hackers Didn't In some of the incidents, the attackers used "escalating tactics" that included posing as IT staff to gain physical access to corporate offices to attempt direct data theft from endpoint devices, Google said. Last month, the FBI warned about members of the group, also tracked as Luna Moth and Chatty Spider, personally showing up at a victim's office location on the pretext of needing to reimage their system and inserting a USB device into it for stealing data. Mandiant observed the threat actors operating very quickly once they gained initial access to victim environments. In several cases it investigated, UNC3753 progressed from initial contact to data theft and extortion in under a day. In more recent intrusions, the group compressed that timeline even further, with some incidents moving from compromise to data exfiltration and ransom demands in less than an hour, according to the blog post. A Multistage Extortion Attack Chain The typical attack chain begins with the targeted individual receiving a suspicious looking, but benign, invoice-themed email from the attacker with no malicious attachments or links. The attacker then uses the benign phishing email as a pretext for initiating a follow-up voice call with the recipient, pretending to be a member of the victim organization's internal IT help desk or security support team.   "The callers use a variety of verbal instructions to guide target behavior," Google said. "Under the guise of addressing a security issue or aiding with a corporate data migration project, they build trust and direct the target to join a screen-sharing session," via Zoom, Microsoft Teams and other platforms. Related:Exposed Fuel Tank Gauges Under Attack in the US When possible, UNC3753 actors try to establish more persistent access on a compromised device by tricking the victim into downloading AnyDesk, Zoho Assist or other remote monitoring and management tool. Mandiant observed the threat actor also abusing bring-your-own-device (BYOD) remote work setups to gain access to corporate environments. In multiple cases, the attackers initiated Zoom sessions on personal devices belonging to targeted individuals and then used those endpoints to access enterprise virtual desktop infrastructure (VDI) through tools such as Windows 365 and Citrix clients.  Once on a system, the attackers rapidly enumerate infected devices, map local and network drives, and identify sensitive document repositories, according to Google. They also leverage built-in search capabilities in enterprise platforms such as iManage to locate and stage high-value files, including tax records, client agreements, and personally identifiable information. UNC3753 transmits stolen data using multiple methods, including portable file transfer tools such as WinSCP and Rclone, as well as direct uploads to attacker-controlled cloud storage accounts via a victim’s browser. Mandiant also observed instances where the threat actors manipulated victims into dragging and dropping staged files into cloud folders during screen-sharing sessions or used tools like FTP to move stolen data to its servers. Related:Rust-Written IronWorm Hits NPM Supply Chain Often, in as little as 30 minutes after successful data exfiltration, UNC3753 actors contact the victim with an aggressive extortion demand and give them three days to comply or risk having their sensitive data publicly disclosed. A sample extortion email that Mandiant posted showed the attackers threatening to notify "employees, partners and customers" about the data theft before also publicly publishing it.  "You will receive claims from individuals, and legal entities for information leakage and breach of contracts, your current deals will be terminated," the extortion email warned. "Journalists and others will dig into your documents, finding inconsistencies or violations in them. Your organization will lose its reputation, shares will fall in price, and your organization will be forced to close." Mandiant recommended that organizations educate users about the vishing threat, particularly those tied to UNC3753's tactics, techniques and procedures. Other measures organizations can take, Google said, include implementing conditional access policies for remote access and enforcing strict controls on the use of remote monitoring and management (RMM) tools and screen sharing. About the Author Jai Vijayan Contributing Writer Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.  Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.  Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.   Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response TUESDAY, JUNE 30, 2026 @ 1:00 PM EASTERN DAYLIGHT TIME The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST More Webinars AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS ANATOMY OF A DATA BREACH This comprehensive virtual event examines the main vulnerabilities and exploits that lead to enterprise data breaches, plus the latest tools and best practices for conducting incident response. BEAT HACKERS TO IT
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 09, 2026
    Archived
    Jun 09, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗