Silent Ransom Group Hits US Law Firms in Escalating Extortion Attacks
Dark ReadingArchived Jun 09, 2026✓ Full text saved
The financially motivated group is combining vishing, IT impersonation, and in-person office intrusions to steal data and extort victims.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
CYBER RISK
THREAT INTELLIGENCE
NEWS
Silent Ransom Group Hits US Law Firms in Escalating Extortion Attacks
The financially motivated group is combining vishing, IT impersonation, and in-person office intrusions to steal data and extort victims.
Jai Vijayan,Contributing Writer
June 8, 2026
4 Min Read
SOURCE: KOLDUNOV VIA SHUTTERSTOCK
A financially motivated threat group is targeting US legal, professional and financial services firms in a data theft extortion campaign using a combination of phishing, voice impersonation tactics, and legitimate remote access tools.
Google's Mandiant division attributed the activity to UNC3753, a threat cluster associated with the Silent Ransom group, which is known for stealing high-value data from victims and then extorting ransoms from them under the threat of public disclosure.
UNC3753 Hits Dozens in Targeted Attacks
Between January and May 2026, the group targeted dozens of organizations with social engineering attacks to gain initial access to victim environments.
"UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments," Google said in a recent blog post. "Using pretexts such as data migration or invoice related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities."
Related:Iran Signed a Ceasefire — Its Hackers Didn't
In some of the incidents, the attackers used "escalating tactics" that included posing as IT staff to gain physical access to corporate offices to attempt direct data theft from endpoint devices, Google said. Last month, the FBI warned about members of the group, also tracked as Luna Moth and Chatty Spider, personally showing up at a victim's office location on the pretext of needing to reimage their system and inserting a USB device into it for stealing data.
Mandiant observed the threat actors operating very quickly once they gained initial access to victim environments. In several cases it investigated, UNC3753 progressed from initial contact to data theft and extortion in under a day. In more recent intrusions, the group compressed that timeline even further, with some incidents moving from compromise to data exfiltration and ransom demands in less than an hour, according to the blog post.
A Multistage Extortion Attack Chain
The typical attack chain begins with the targeted individual receiving a suspicious looking, but benign, invoice-themed email from the attacker with no malicious attachments or links. The attacker then uses the benign phishing email as a pretext for initiating a follow-up voice call with the recipient, pretending to be a member of the victim organization's internal IT help desk or security support team.
"The callers use a variety of verbal instructions to guide target behavior," Google said. "Under the guise of addressing a security issue or aiding with a corporate data migration project, they build trust and direct the target to join a screen-sharing session," via Zoom, Microsoft Teams and other platforms.
Related:Exposed Fuel Tank Gauges Under Attack in the US
When possible, UNC3753 actors try to establish more persistent access on a compromised device by tricking the victim into downloading AnyDesk, Zoho Assist or other remote monitoring and management tool.
Mandiant observed the threat actor also abusing bring-your-own-device (BYOD) remote work setups to gain access to corporate environments. In multiple cases, the attackers initiated Zoom sessions on personal devices belonging to targeted individuals and then used those endpoints to access enterprise virtual desktop infrastructure (VDI) through tools such as Windows 365 and Citrix clients.
Once on a system, the attackers rapidly enumerate infected devices, map local and network drives, and identify sensitive document repositories, according to Google. They also leverage built-in search capabilities in enterprise platforms such as iManage to locate and stage high-value files, including tax records, client agreements, and personally identifiable information.
UNC3753 transmits stolen data using multiple methods, including portable file transfer tools such as WinSCP and Rclone, as well as direct uploads to attacker-controlled cloud storage accounts via a victim’s browser. Mandiant also observed instances where the threat actors manipulated victims into dragging and dropping staged files into cloud folders during screen-sharing sessions or used tools like FTP to move stolen data to its servers.
Related:Rust-Written IronWorm Hits NPM Supply Chain
Often, in as little as 30 minutes after successful data exfiltration, UNC3753 actors contact the victim with an aggressive extortion demand and give them three days to comply or risk having their sensitive data publicly disclosed. A sample extortion email that Mandiant posted showed the attackers threatening to notify "employees, partners and customers" about the data theft before also publicly publishing it.
"You will receive claims from individuals, and legal entities for information leakage and breach of contracts, your current deals will be terminated," the extortion email warned. "Journalists and others will dig into your documents, finding inconsistencies or violations in them. Your organization will lose its reputation, shares will fall in price, and your organization will be forced to close."
Mandiant recommended that organizations educate users about the vishing threat, particularly those tied to UNC3753's tactics, techniques and procedures. Other measures organizations can take, Google said, include implementing conditional access policies for remote access and enforcing strict controls on the use of remote monitoring and management (RMM) tools and screen sharing.
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
Advanced Persistent Threats: A Practical Guide to Detection and Response
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
Advanced Persistent Threats: A Practical Guide to Detection and Response
TUESDAY, JUNE 30, 2026 @ 1:00 PM EASTERN DAYLIGHT TIME
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
More Webinars
AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS
The premier cybersecurity event returns.
GET YOUR PASS
ANATOMY OF A DATA BREACH
This comprehensive virtual event examines the main vulnerabilities and exploits that lead to enterprise data breaches, plus the latest tools and best practices for conducting incident response.
BEAT HACKERS TO IT