Law Firms Warned of Silent Ransom Group Attacks

The FBI warns US law firms that the Silent Ransom Group (SRG) has been constantly targeting the legal industry.

The FBI is cautioning US law firms that they have become frequent targets of the Silent Ransom Group (SRG) extortion gang.

Also known as Chatty Spider, Luna Moth, and UNC3753, SRG has been active since 2022, historically relying on callback phishing emails as its initial attack vector.

Impersonating well-known businesses, SRG’s phishing emails claim to charge small amounts of “subscription fees” and instruct victims to call the attackers to purportedly cancel the fake subscription.

After the victim makes contact by phone, SRG cybercriminals email a link that leads to remote access software, providing the threat actor with access to a device or system. The group then exfiltrates valuable information from the victim and holds it for ransom, threatening to release it publicly.

According to a fresh FBI alert (PDF), the extortion group changed its tactics two months ago, switching to phone calls as the initial attack vector.

“As of March 2025, SRG was observed changing their tactics to calling individuals and posing as an employee from their company’s IT department. SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page,” the FBI notes.

After gaining access to the target devices, the group tells the victims that work needs to be done overnight, and then proceeds to escalate privileges and exfiltrate data of interest (usually via WinSCP or Rclone), which is then used for extortion.

SRG then sends a ransom email to the victim company, threatening to leak the stolen information online, and may also call the firms’ employees to pressure them. The group maintains a leak site where it inconsistently posts victim data.

While most of SRG’s victims are law firms, the extortion group has also targeted organizations in the medical and insurance sectors.

The FBI warns that SRG attacks result in few artifacts being present on compromised devices, mainly because the threat actor typically uses legitimate remote access and system management tools, which are not flagged by traditional antivirus products.

To hunt for compromise, defenders should look for unauthorized downloads of remote access utilities, WinSCP or Rclone connections, emails regarding subscription services, unsolicited phone calls to employees, and ransom emails, voicemails, or phone calls.
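One way to run the WinSCP/Rclone part of that hunt over process-creation logs, as an added example that is not from the FBI alert or this article. The record fields, host names, approved-host list, business-hours window and sample records are all assumptions constructed for illustration.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

APPROVED_HOSTS = {"IT-ADMIN-01"}   # assumption: hosts cleared to run these tools
BUSINESS_HOURS = range(8, 19)      # assumption: 08:00-18:59 local time
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "winscp.com"}
# An rclone transfer verb followed by a "remote:path" argument. The {2,}
# keeps Windows drive letters such as C: from matching as a remote name.
RCLONE_ARGS = re.compile(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:\S*", re.I)

def score_event(ev):
    """Return (severity, reasons) for one process-creation record."""
    exe = PureWindowsPath(ev["image"]).name.lower()
    reasons = []
    if exe in TRANSFER_TOOLS:
        reasons.append(f"transfer tool {exe}")
    elif RCLONE_ARGS.search(ev["command_line"]):
        reasons.append("rclone-style arguments under another binary name")
    if not reasons or ev["host"] in APPROVED_HOSTS:
        return None, []
    # The alert notes that victims are told work will be done overnight.
    if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
        return "high", reasons + ["outside business hours"]
    return "medium", reasons

def hunt(events):
    """Return (host, severity, reasons) for every flagged record."""
    scored = ((ev["host"], *score_event(ev)) for ev in events)
    return [hit for hit in scored if hit[1]]

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "LAW-WS-114", "time": "2025-04-02T23:41:00",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe", "command_line": r"rclone.exe copy C:\Clients remote1:archive --transfers 8"},
    {"host": "LAW-WS-114", "time": "2025-04-03T01:05:00",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "command_line": r"svc.exe sync D:\Matters remote1:m --transfers 8"},
    {"host": "IT-ADMIN-01", "time": "2025-04-02T10:15:00",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "command_line": "WinSCP.exe"},
    {"host": "LAW-WS-201", "time": "2025-04-02T14:20:00",
     "image": r"C:\Tools\WinSCP.com", "command_line": r"WinSCP.com /script=C:\Temp\up.txt"},
    {"host": "LAW-WS-330", "time": "2025-04-02T09:00:00",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": r"notepad.exe C:\Docs\copy of notes.txt"},
]

if __name__ == "__main__":
    for host, severity, reasons in hunt(SAMPLE_EVENTS):
        print(f"{severity:6} {host:12} {'; '.join(reasons)}")
```

Because these tools are legitimate, the approved-host list and the off-hours check do most of the work; the argument pattern is a heuristic and will need tuning against local baseline activity.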

Organizations are advised to train their employees on phishing, implement policies around IT staff authenticating with employees, maintain regular backups of data, and implement multi-factor authentication for all employees.

The FBI asks SRG victims to share information on the attacks, such as ransom notes, phone numbers, voicemails, cryptocurrency wallet information, and the origin of phishing emails or phone calls.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.