A threat actor known as the Silent Ransom Group is conducting targeted attacks against US law firms using sophisticated social engineering techniques that bypass traditional ransomware detection methods. The group, which has been active since at least 2022 and operates under multiple aliases including Luna Moth, Chatty Spider, and UNC3753, focuses on data theft and extortion rather than system encryption. According to an FBI report, the attackers have recently escalated their tactics by impersonating internal IT department staff to gain unauthorized access to victim networks.
The group's operational approach differs significantly from conventional ransomware campaigns. Instead of deploying malicious software that encrypts files and demands payment for decryption keys, Silent Ransom Group actors steal sensitive data and threaten to publish it on their leak site, business-data-leaks[.]com, unless victims comply with ransom demands. This method proves particularly effective against law firms that handle confidential client information. The attackers also contact employees and clients directly by phone to increase pressure on victims to pay.
Silent Ransom Group employs multiple attack vectors to establish initial access. Attackers either call employees directly or send phishing emails that appear to come from legitimate IT support, convincing targets to grant remote desktop access. The group uses legitimate remote access tools such as Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera to blend in with normal IT operations. In cases where remote access attempts fail, the group has escalated to physical intrusion by sending individuals posing as IT technicians to victim locations. These fake technicians claim they need to image devices or create backups due to phishing threats, then use USB drives or external hard drives to directly exfiltrate data.
Once inside victim networks, attackers move quickly to extract valuable information. They utilize tools like WinSCP and hidden (renamed) copies of Rclone to transfer stolen data to cloud storage platforms including Microsoft OneDrive and Google Drive, or physically remove it on external drives. The group uses TCP port 22 (SSH) for encrypted remote access and file transfers. Because these are legitimate administrative tools moving data over an encrypted channel, the activity blends into normal operations and lets the group extract large volumes of sensitive data before being noticed.
The FBI recommends several defensive measures to protect against these attacks. Organizations should verify the identity of anyone claiming to be IT support before granting system access, including checking physical identification. Establishing clear internal policies for IT staff communications helps employees recognize suspicious requests. Technical controls include blocking port 22 where feasible, disabling remote access on systems handling sensitive data, and requiring phishing-resistant multi-factor authentication across all services. Regular employee training on social engineering recognition combined with routine data backups provides additional protection against this threat.
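The tradecraft described above (unapproved remote-support tools, renamed Rclone or WinSCP binaries, outbound SSH on port 22, and non-browser processes pushing data to OneDrive or Google Drive) is detectable in endpoint telemetry. The script below is an added example written for this page, not code from the FBI report or the article. It assumes Sysmon-style events (Event ID 1 process creation with `Image` and `OriginalFileName`; Event ID 3 network connection with `DestinationPort` and `DestinationHostname`), an organisation whose only approved remote-support tool is Zoho Assist, and a small allowlist of browsers permitted to talk to cloud storage. All log lines in `SAMPLE_EVENTS` are constructed sample data.

```python
"""Triage of Sysmon-style telemetry for the Silent Ransom Group tradecraft
described in the article. Added example; field names mirror Sysmon Event
ID 1 (process creation) and 3 (network connection). Sample events are
constructed, not real logs."""

# Assumption: the organisation's approved remote-support tool (lower-cased
# executable stem). Any other tool from RMM_TOOLS is flagged.
APPROVED_RMM = {"zohoassist"}

# Remote-access tools the report names as used for initial access.
RMM_TOOLS = {"zohoassist", "quickassist", "anydesk", "rustdesk",
             "syncro", "splashtop", "atera"}

# Exfiltration utilities the report names. Matching on OriginalFileName
# (PE version metadata) still catches a copy that was renamed on disk.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Assumption: processes allowed to reach cloud-storage hosts directly.
BROWSER_STEMS = {"chrome", "msedge", "firefox", "onedrive"}
CLOUD_STORAGE_HINTS = ("onedrive", "1drv", "sharepoint", "drive.google",
                       "googleusercontent")


def stem(path):
    """Lower-cased file name without directory or .exe suffix."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower().removesuffix(".exe")


def triage(events):
    """Return (finding, host, detail) tuples for suspicious events."""
    findings = []
    for e in events:
        host, image = e["Computer"], e["Image"]
        s = stem(image)
        if e["EventID"] == 1:
            orig = e.get("OriginalFileName", "").lower()
            if any(t in s for t in RMM_TOOLS) and not any(t in s for t in APPROVED_RMM):
                findings.append(("unapproved_rmm", host, image))
            if orig in EXFIL_TOOLS:
                state = "present" if s + ".exe" == orig else "renamed"
                findings.append((f"exfil_tool_{state}", host, f"{image} (is {orig})"))
        elif e["EventID"] == 3:
            if e.get("DestinationPort") == 22 and e.get("Initiated", True):
                findings.append(("outbound_ssh", host,
                                 f"{image} -> {e.get('DestinationIp')}:22"))
            dest = e.get("DestinationHostname", "").lower()
            if any(h in dest for h in CLOUD_STORAGE_HINTS) and s not in BROWSER_STEMS:
                findings.append(("cloud_storage_nonbrowser", host, f"{image} -> {dest}"))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-12", "Image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"EventID": 1, "Computer": "WS-07", "Image": r"C:\Program Files\Zoho\ZohoAssist\ZohoAssist.exe",
     "OriginalFileName": "ZohoAssist.exe"},
    {"EventID": 1, "Computer": "WS-12", "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "rclone.exe"},
    {"EventID": 1, "Computer": "FS-01", "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe"},
    {"EventID": 3, "Computer": "WS-12", "Image": r"C:\ProgramData\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 22, "Initiated": True},
    {"EventID": 3, "Computer": "WS-12", "Image": r"C:\ProgramData\svchost.exe",
     "DestinationHostname": "api.onedrive.com", "DestinationPort": 443, "Initiated": True},
    {"EventID": 3, "Computer": "WS-07", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443, "Initiated": True},
]

if __name__ == "__main__":
    for kind, host, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:26} {host:6} {detail}")
```

Running the script flags the unapproved AnyDesk install, the renamed Rclone copy and its SSH and OneDrive connections, and the WinSCP execution, while the approved Zoho Assist session and the browser's visit to Google Drive pass silently. The `OriginalFileName` check is the important design choice: blocking or alerting on the file name alone misses the "hidden" Rclone copies the report describes.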
Source: https://cybersecuritynews.com/silent-ransom-group-targets-law-firms/