Silent Ransom Group targets law firms with fake IT support calls

The Silent Ransom Group extortion gang is actively targeting U.S. law firms and professional services organizations in social engineering attacks that often lead to data theft within hours of initial contact, according to a new report by cybersecurity firm Mandiant.
The report follows an FBI FLASH advisory published last week warning that the Silent Ransom Group was targeting U.S. law firms in social engineering and even in-person data theft attacks, with Mandiant now providing additional technical details about how the intrusions are conducted.
Mandiant says the threat group, tracked as UNC3753, Luna Moth, and Chatty Spider, targeted dozens of organizations across the legal, financial, and professional services sectors between January and May 2026.
Mandiant warned that legal firms remain especially attractive targets because they store large volumes of highly sensitive client information and may feel pressured to resolve extortion incidents to avoid reputational and regulatory damage.
"Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports," explains Mandiant.
"Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing."
The researchers say the attacks begin with invoice-themed phishing emails from consumer email accounts. These emails do not contain malicious links or attachments and instead serve as a precursor for follow-up phone calls from attackers impersonating corporate IT staff.
Voice-call social engineering has been a long-running tactic of these threat actors, who previously used it in the BazarCall campaigns tied to Ryuk and Conti ransomware attacks. In a callback phishing attack, the threat actors send benign-looking phishing emails containing alarming or IT-related lures that prompt the recipient to call them back at an enclosed phone number.
In the current campaign, the Silent Ransom Group impersonates IT help desks and convinces employees to join remote support sessions via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services.
During these sessions, the threat actors trick the target into installing remote monitoring and management tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, thereby granting them initial access to the corporate network.
Silent Ransom Group attack flow
Mandiant also discovered phishing domains tied to the campaign that impersonate internal IT portals using naming patterns such as:
<organization>-itdesk[.]com
<organization>-it[.]com
<organization>-helpdesk[.]com
The researchers say the threat actors also use privnote[.]com, a self-destructing messaging service, to share installation links and commands with targets during remote support sessions. According to Mandiant, this tactic helps reduce forensic artifacts left in browser histories or corporate chat logs.
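As an added defender-side example, not code from Mandiant's report, the following Python sweep runs over constructed DNS-query log lines and flags domains matching the <organization>-itdesk / -it / -helpdesk lookalike pattern described above, plus queries to the privnote[.]com note service. The log format and the firm name "examplelaw" are assumptions made for the example.

```python
import re

# Suffixes Mandiant reported in the campaign's IT-portal lookalike domains.
LOOKALIKE_SUFFIXES = ("itdesk", "it", "helpdesk")
# Self-destructing note service the actors used to hand out links and commands.
WATCHLIST_DOMAINS = {"privnote.com"}


def lookalike_pattern(org_tokens):
    """Regex for <org>-itdesk.com, <org>-it.com and <org>-helpdesk.com, with
    optional subdomains, for each of the organization's own name tokens."""
    orgs = "|".join(re.escape(t) for t in org_tokens)
    suffixes = "|".join(LOOKALIKE_SUFFIXES)
    return re.compile(rf"^(?:[\w-]+\.)*(?:{orgs})-(?:{suffixes})\.com$", re.I)


def flag_domains(log_lines, org_tokens, allowlist=()):
    """Return (domain, reason) pairs for queried domains worth triage.
    Log format is constructed for this example: '<timestamp> <client> <domain>'.
    Put domains the organization legitimately owns in `allowlist`."""
    pattern = lookalike_pattern(org_tokens)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the sweep
        domain = parts[2].lower().rstrip(".")
        if domain in allowlist:
            continue
        if pattern.match(domain):
            hits.append((domain, "it-portal-lookalike"))
        elif domain in WATCHLIST_DOMAINS or any(
            domain.endswith("." + w) for w in WATCHLIST_DOMAINS
        ):
            hits.append((domain, "self-destructing-note-service"))
    return hits


# Constructed sample DNS log; "examplelaw" stands in for the firm's name.
SAMPLE_LOG = [
    "2026-04-02T09:14:05Z 10.20.1.44 login.microsoftonline.com",
    "2026-04-02T09:15:31Z 10.20.1.44 examplelaw-itdesk.com",
    "2026-04-02T09:16:02Z 10.20.1.44 privnote.com",
    "2026-04-02T09:17:48Z 10.20.1.51 examplelaw.com",
    "2026-04-02T09:18:10Z 10.20.1.51 support.examplelaw-helpdesk.com",
    "2026-04-02T09:19:22Z 10.20.1.52 exampleit.com",
]

if __name__ == "__main__":
    for domain, reason in flag_domains(SAMPLE_LOG, ["examplelaw"]):
        print(f"{reason}: {domain}")
```

The same sweep can be pointed at proxy or firewall logs once the domain column is adjusted, and pairing a hit with a subsequent RMM tool install (AnyDesk, Zoho Assist, Bomgar, SuperOps) on the same host is the higher-confidence signal.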
Once inside a network, the group searches for sensitive legal and financial documents, including contracts, tax records, Social Security numbers, and merger or acquisition files. The attackers commonly target document management platforms and cloud storage repositories before exfiltrating the data using tools such as WinSCP or Rclone.
Mandiant says the extortion operation is highly aggressive, with ransom demands often arriving within 30 minutes of the attackers leaving the victim environment.
"These highly aggressive extortion letters give organizations a three-day deadline to respond and initiate ransom negotiations. If the victim organization is unresponsive, the threat actors declare they will call and email target employees and external clients directly to alert them of the data breach," reports Mandiant.
"The extortion letters explicitly emphasize that the leak will compromise client trust, invite substantial regulatory fines, and suggest that external clients sue the victim organization for data mishandling."
The report also references the FBI's recent advisory in which law enforcement warned that the Silent Ransom Group was targeting U.S. law firms with in-person data theft attacks.
According to the FBI, attackers impersonate internal IT staff over phone calls and emails, then attempt to gain remote access or physically visit offices to "image" computers or create backups while secretly stealing files.
While Mandiant said there was limited forensic evidence, the researchers believe these in-person attacks are likely linked to UNC3753 based on similarities in targeting, timelines, and operational behavior.
The Silent Ransom Group has been active since at least 2022, when it was part of the Ryuk and Conti cybercrime syndicate.
As previously reported by BleepingComputer, the threat actors were previously linked to BazarCall callback phishing campaigns that provided initial access in Conti and Ryuk ransomware attacks.
After the Conti syndicate shut down in 2022, the group shifted to standalone data theft and extortion operations under the Silent Ransom Group branding.
Researchers say the group no longer relies on traditional ransomware encryption and instead focuses entirely on data-theft extortion, in which they steal sensitive data and pressure victims into paying to prevent leaks.
A separate report released this week by Resecurity found that the gang is also operating fast-flux infrastructure to hide and protect its data-leak platforms.
DNS fast flux is a method where attackers constantly rotate a domain's IP addresses through a large pool of compromised devices to hide their infrastructure and make takedowns or blocking far more difficult.
According to the company, the infrastructure uses residential IP addresses across multiple countries and ISPs to make takedowns more difficult.
Resecurity said the group's "business-data-leaks[.]com" leak site and related infrastructure rely on residential proxy networks spread across Latin America, Eastern Europe, Central Asia, the Middle East, and Asia. The researchers also linked the infrastructure to other cybercrime-related services and domains.
To defend against the attacks, both Mandiant and the FBI recommend implementing strict verification procedures for IT support interactions, limiting remote access tools, enforcing MFA, restricting USB storage devices, and training employees to recognize voice phishing attempts.