The FBI has issued a critical warning about a rising cyber threat posed by the Silent Ransom Group (SRG), a sophisticated criminal organization targeting law firms and other businesses through fake IT support calls.
Also known as Luna Moth, Chatty Spider, and UNC3753, the group has been active since 2022 and is known for its use of advanced social engineering to compromise systems and steal sensitive data.
From Email Scams to Direct Phone Attacks
SRG first gained attention for its phishing campaigns, which posed as subscription service notifications. Victims were tricked into calling a fake customer support number, where they were told to install remote access software.
According to the FBI’s Internet Crime Complaint Center (IC3), the group shifted tactics in March 2025. Instead of waiting for victims to call them, SRG began proactively calling employees, pretending to be IT staff from the victim’s own company.
Once they establish trust, attackers instruct victims to install legitimate remote access tools under the guise of routine maintenance, creating a covert entry point for system compromise.
Law Firms and Sensitive Industries Targeted
Law firms have become a primary target due to the high value of legal data, including client records, case materials, and privileged communications. The FBI notes that SRG also targets medical and insurance companies—industries with rich stores of confidential data.
By exploiting the trusted relationship between employees and IT departments, SRG bypasses many traditional security controls, making their attacks especially dangerous.
Technical Strategy: Remote Access and Data Theft
Once attackers gain access, they use remote access tools such as Zoho Assist, Syncro, AnyDesk, Splashtop, and Atera to maintain control. Victims are often told maintenance will occur overnight, giving attackers a time window to operate undetected.
SRG focuses on quick data theft rather than extended system manipulation. They use tools like WinSCP and Rclone—often in hidden configurations—to copy data either to external servers or cloud storage platforms.
Security analysts say the group is skilled at leaving few forensic traces, making post-attack investigation and attribution extremely difficult for defenders.
FBI Recommendations
The FBI urges organizations to train employees to verify the identity of anyone claiming to be IT support. Staff should be cautious about downloading remote tools at the request of unknown individuals, even if the caller appears to be internal.
Organizations are also advised to monitor for unusual remote access activity, especially during non-business hours, and to enforce strong endpoint protection and logging practices.
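As an added example (not taken from the FBI advisory or this article), the monitoring recommendation can be sketched as a triage pass over process-creation events. It flags launches of the remote access and transfer tools named above, marks off-hours activity, and links a transfer tool to a remote access tool started on the same host within the previous 24 hours. The log format, business hours, look-back window and substring matching are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Product names come from the article. Matching them as substrings of the
# process image path is an assumption; real binary names vary by vendor.
REMOTE_ACCESS = ("zoho", "syncro", "anydesk", "splashtop", "atera")
TRANSFER = ("winscp", "rclone")
BUSINESS_HOURS = range(8, 18)             # assumed 08:00-17:59 local, Mon-Fri
CORRELATION_WINDOW = timedelta(hours=24)  # assumed look-back window

# Constructed sample events: ISO timestamp, host, user, process image path.
# Events are assumed to be in chronological order.
SAMPLE_EVENTS = r"""
2025-05-20T10:15:00,WS-014,jdoe,C:\Program Files\Microsoft Office\EXCEL.EXE
2025-05-20T16:40:00,WS-014,jdoe,C:\Users\jdoe\Downloads\AnyDesk.exe
2025-05-21T01:12:00,WS-014,jdoe,C:\Users\jdoe\AppData\Local\Temp\rclone.exe
2025-05-21T11:05:00,WS-022,asmith,C:\Program Files (x86)\WinSCP\WinSCP.exe
"""

def is_off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def triage(log_text):
    """Return (host, rule, off_hours) findings in event order."""
    findings = []
    last_remote = {}  # host -> time a remote access tool was last launched
    for line in log_text.strip().splitlines():
        stamp, host, _user, image = line.split(",", 3)
        ts = datetime.fromisoformat(stamp)
        image = image.lower()
        if any(name in image for name in REMOTE_ACCESS):
            last_remote[host] = ts
            findings.append((host, "remote_access", is_off_hours(ts)))
        elif any(name in image for name in TRANSFER):
            seen = last_remote.get(host)
            chained = seen is not None and ts - seen <= CORRELATION_WINDOW
            rule = "transfer_after_remote_access" if chained else "transfer"
            findings.append((host, rule, is_off_hours(ts)))
    return findings

if __name__ == "__main__":
    for host, rule, off in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}{' (off-hours)' if off else ''}")
```

A finding for an approved tool is expected noise; comparing the results against the organization's own list of sanctioned remote access software narrows the output to launches that need a call back to the user.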