Ransomware Threat: How the Silent Ransom Group is Infiltrating Law Firms

TL;DR

  • The Silent Ransom Group is targeting U.S. law firms with highly convincing IT impersonation scams to gain remote access and steal sensitive client data.
  • The FBI says the group has changed tactics since spring 2025, moving from callback phishing to vishing and even occasional in-person access attempts when remote access fails.
  • The campaign is especially dangerous because it relies on legitimate admin tools like WinSCP and Rclone, which can help the attackers exfiltrate data without triggering traditional security alerts.

A stealthy extortion campaign now focused on law firms

A cybercriminal group known as the Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, is drawing renewed attention after FBI warnings about its targeted campaign against U.S. law firms. The group is not using classic ransomware encryption in most of these incidents; instead, it is stealing sensitive data and threatening to leak it unless victims pay.

Security researchers and law enforcement say the appeal of law firms is clear: legal organizations hold confidential client records, deal-related documents, litigation files, and privileged communications that are highly valuable for extortion. The FBI says the group has consistently targeted U.S.-based law firms since spring 2023, with activity continuing into 2025.

How the attacks work

The group’s earlier playbook centered on callback phishing. Victims received emails that looked like billing notices or subscription-related messages, prompting them to call a number to resolve a fake issue. Once on the phone, an attacker would pose as IT support and persuade the employee to install remote access software.

According to the FBI, the group has since shifted to vishing — voice phishing — where attackers directly call employees and impersonate internal IT staff. The goal is the same: convince the target to allow a remote support session so the attacker can access the workstation under the guise of fixing a made-up technical problem.

If that fails, the group has also used more aggressive tactics. The FBI says Silent Ransom Group has, in some cases, sent an associate in person to a victim’s location to attach a storage device to the workstation and steal data locally. That escalation shows how adaptable the operation has become.

Why the campaign is hard to detect

A major reason these intrusions are so effective is that the attackers rely on legitimate tools rather than obvious malware. The FBI says the group has used utilities such as WinSCP and renamed or hidden versions of Rclone to move stolen data out of the network.

That approach matters because it blends into normal administrative activity. The FBI notes that these are “living-off-the-land” style techniques, meaning the attackers abuse trusted software and standard workflows instead of deploying noisy ransomware payloads. As a result, many security tools may not immediately flag the activity as malicious.

What the FBI and Google are warning about

The FBI’s law-firm alert lists several warning signs, including unsolicited calls from people claiming to be IT staff, suspicious downloads of remote monitoring tools, and WinSCP or Rclone connections to external IP addresses. It also highlights emails or voicemails from unknown parties claiming data was stolen and demanding a callback.
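One way to turn two of these warning signs into a check, as an added example that is not taken from the FBI alert or from this article: a Python triage over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records that identifies a renamed Rclone by its embedded OriginalFileName and flags Rclone or WinSCP connections leaving the firm's address space. The sample events, file paths, internal ranges and OriginalFileName values are constructed assumptions for illustration.

```python
import ipaddress
import ntpath

# Assumption: OriginalFileName values from each tool's PE version resource; verify locally.
WATCHED = {"rclone.exe": "Rclone", "winscp.exe": "WinSCP"}
# Assumption: the firm's internal address space; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def triage(events):
    """Return (finding, tool, image, detail) tuples, in event order."""
    tool_by_guid = {}  # ProcessGuid -> tool identified at process creation
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            orig = ev.get("OriginalFileName", "").lower()
            tool = WATCHED.get(orig)
            if tool is None:
                continue
            tool_by_guid[ev["ProcessGuid"]] = tool
            # Renaming the file on disk does not change the embedded OriginalFileName.
            if ntpath.basename(ev["Image"]).lower() != orig:
                findings.append(("renamed_tool", tool, ev["Image"], orig))
        elif ev["EventID"] == 3:  # network connection
            tool = tool_by_guid.get(ev["ProcessGuid"])
            if tool and is_external(ev["DestinationIp"]):
                dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
                findings.append(("external_transfer", tool, ev["Image"], dest))
    return findings

# Constructed sample events (hypothetical hosts, paths and addresses).
TEMP_EXE = r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"
WINSCP_EXE = r"C:\Program Files (x86)\WinSCP\WinSCP.exe"
SAMPLE = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": TEMP_EXE, "OriginalFileName": "rclone.exe"},
    {"EventID": 3, "ProcessGuid": "{G1}", "Image": TEMP_EXE, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": WINSCP_EXE, "OriginalFileName": "winscp.exe"},
    {"EventID": 3, "ProcessGuid": "{G2}", "Image": WINSCP_EXE, "DestinationIp": "10.20.0.5", "DestinationPort": 22},
    {"EventID": 3, "ProcessGuid": "{G2}", "Image": WINSCP_EXE, "DestinationIp": "198.51.100.7", "DestinationPort": 22},
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A process that started before logging began has no Event ID 1 record here, so its connections go unflagged; in practice the same join is run over a retained window of process-creation events.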

The publicly available sources reviewed for this roundup contain strong FBI guidance, but they do not include a direct Google-issued advisory on this specific campaign. For readers looking for broader Google threat intelligence coverage, the most authoritative material available here is still the FBI’s cyber alert and related security reporting.

Why law firms are especially exposed

Law firms are attractive targets because they store data that is both sensitive and time-sensitive. Client records, settlement information, merger details, discovery material, and internal communications can all create leverage for extortion if exposed.

The FBI says the group’s focus on legal organizations has been persistent enough to warrant a dedicated warning. That suggests attackers see law firms not just as another sector, but as a category where even a relatively small breach can create high pressure to pay.

Defensive steps firms are being told to take

The FBI recommends basic but high-impact defenses: multifactor authentication, strong passwords, antivirus tools, staff training, regular backups, and strict procedures for verifying anyone claiming to be IT support. It also urges firms to watch for unauthorized remote-access tools and unexplained visits by individuals asking to use a workstation.

Operationally, law firms should make it difficult for an attacker to succeed with a single phone call. Clear help-desk verification rules, limits on ad hoc remote support, and alerting on unusual use of remote management tools can reduce the chance that a convincing impersonation campaign turns into a data theft incident.

The bigger security lesson

The Silent Ransom Group campaign is a reminder that some of the most damaging cyberattacks do not begin with malware at all. They begin with a believable story, a phone call, and a moment of trust.

For legal organizations, that means cybersecurity is no longer just about blocking code execution or ransomware encryption. It is also about preventing attackers from talking their way inside.


AndroGuider Team
Articles written by the AndroGuider team. We try to make them thorough and informational while being easy to read.
Reviewed by Randeotten on 6/05/2026 11:49:00 PM