Silent Ransom Group: FBI Reports Concentrated Attacks Against Law Firms
The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, has emerged as a serious cyber threat to U.S.-based law firms. According to the FBI, SRG uses sophisticated social engineering tactics, including callback phishing emails and IT-themed phone calls, to gain remote access to devices, steal sensitive client data, and extort victims. While SRG has targeted multiple sectors, the legal industry is a prime focus due to the confidential nature of its work and the potential value of its data.
Silent Ransom Group’s Methods of Attacking Law Firms
SRG began operations in 2022, initially focusing on phishing emails designed to look like small subscription charge notifications. These emails encourage recipients to call a fake “customer service” line, where attackers then send links to remote access software. Once installed, this software gives the group direct entry into the victim’s systems.
Since March 2025, SRG has expanded to direct phone calls, posing as in-house IT staff. These calls often direct employees to initiate a remote access session through email or a provided website. Once connected, attackers work overnight to quietly extract data using tools like WinSCP or disguised versions of Rclone. SRG tends to use legitimate IT management tools such as Zoho Assist, AnyDesk, or Atera, making detection more challenging.
How Silent Ransom Group Uses Stolen Data Against Law Firms
Once the Silent Ransom Group gains unauthorized access to a law firm’s network, its primary objective is to identify and collect sensitive data quietly. This can include confidential client files, case strategies, financial records, and personal information belonging to clients or employees. After exfiltrating this information, SRG typically initiates an extortion phase by sending ransom emails to firm leadership. These emails threaten to sell the data on illicit marketplaces or release it publicly unless a payment is made, often in cryptocurrency.
The threats do not stop at email. SRG actors frequently escalate pressure through direct phone calls, during which they may reveal sample files to prove their claims. The group’s intimidation tactics are designed to create urgency and fear, pushing firms toward rapid payment without time to assess their options fully. SRG has also established a public leak site to name and shame victims. Although they do not always post stolen data there, the threat of reputational harm can be enough to compel some organizations to comply.
For law firms, the stakes are high. Data exposure could breach attorney-client privilege, violate ethical obligations, and lead to costly litigation or disciplinary action. Understanding SRG’s playbook is the first step toward preparing an effective defense.
Warning Signs of SRG Activity
One of the most challenging aspects of defending against the Silent Ransom Group is its ability to operate with minimal traces on victim systems. The group often gains entry through phishing attacks or compromised credentials, then deploys legitimate remote access tools to avoid triggering security alerts. According to the FBI, law firms should remain alert to several red flags that may indicate SRG activity.
These include sudden, unauthorized downloads of remote access software. Unexpected network traffic to unfamiliar external IP addresses, particularly through file transfer tools like WinSCP or Rclone, can also signal data exfiltration in progress. Firms may receive vague emails or calls from unnamed groups claiming data theft, or “subscription” messages that provide a phone number to call for canceling a charge.
Another common tactic is the unsolicited “IT department” call, where an impersonator pressures employees to grant remote access or share login credentials. These social engineering methods rely on catching staff off guard, making awareness and rapid internal reporting critical.
Prevention Strategies for Illinois Law Firms
Proactive defense is critical for reducing the risk of Silent Ransom Group incidents. While SRG’s tactics are designed to leave minimal traces, a layered prevention strategy can limit opportunities for compromise and make it harder for attackers to succeed. The following measures should be part of every Illinois law firm’s cybersecurity plan:
Training employees to recognize phishing emails and suspicious IT calls: Many SRG breaches begin with social engineering, where a convincing email or phone call tricks an employee into giving access. Regular training helps staff spot red flags and know the correct steps to report them.
Implementing strict protocols for authenticating internal IT communications: Cybercriminals often pose as the firm’s own IT staff. Require verification through a known channel before acting on any unexpected requests.
Enforcing multi-factor authentication for all accounts: Even if a password is compromised, MFA adds an extra layer of protection that can stop unauthorized access.
Maintaining regular offline backups of critical data: Backups disconnected from the network ensure that files can be restored without paying a ransom, even if active systems are compromised.
Monitoring for unauthorized remote access tool installations: SRG frequently uses programs like Zoho Assist, AnyDesk, and Splashtop to gain persistence. Detecting these quickly can prevent further damage.
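As an added illustration of the monitoring measure and the warning signs above (not code from the FBI or from this article), the following Python sketch triages process-creation events for the tools the article names, including a renamed copy of Rclone and activity outside office hours. It assumes events exported with Sysmon Event ID 1 field names; the allowlist, host names, business hours, and `LocalTime` field are hypothetical, and the sample events are constructed.

```python
import ntpath
from datetime import datetime

# Tools named in the article, matched as substrings of process metadata.
REMOTE_ACCESS = ("zoho assist", "anydesk", "atera", "splashtop")
FILE_TRANSFER = ("winscp", "rclone")
# Assumptions: an allowlist of approved (host, tool) pairs and fixed office hours.
APPROVED = {("IT-ADMIN-01", "anydesk")}
BUSINESS_HOURS = range(7, 19)

def classify(event):
    """Return findings for one process-creation event (Sysmon Event ID 1 style)."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    meta = " ".join([image_name, original, str(event.get("Product", "")),
                     str(event.get("Description", ""))]).lower()
    findings = []
    for tool in REMOTE_ACCESS + FILE_TRANSFER:
        if tool in meta and (event.get("Computer"), tool) not in APPROVED:
            kind = "remote-access" if tool in REMOTE_ACCESS else "file-transfer"
            findings.append(f"unapproved {kind} tool: {tool}")
    if not findings:
        return findings
    # A tool run under another file name still carries its PE version metadata.
    if original and original != image_name:
        findings.append(f"renamed binary: {original} running as {image_name}")
    # The article notes that data is extracted overnight.
    if datetime.fromisoformat(event["LocalTime"]).hour not in BUSINESS_HOURS:
        findings.append("outside business hours")
    return findings

def triage(events):
    """Return (host, findings) for every event that produced findings."""
    return [(e["Computer"], f) for e in events if (f := classify(e))]

# Constructed sample events; LocalTime is assumed to be converted from UtcTime.
SAMPLE_EVENTS = [
    {"Computer": "IT-ADMIN-01", "LocalTime": "2025-06-03T10:15:00", "Product": "AnyDesk",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "PARALEGAL-07", "LocalTime": "2025-06-03T14:02:00", "Product": "AnyDesk",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "PARTNER-02", "LocalTime": "2025-06-04T02:37:00", "Product": "Rclone",
     "Image": r"C:\ProgramData\sync_helper.exe", "OriginalFileName": "rclone.exe"},
    {"Computer": "PARALEGAL-07", "LocalTime": "2025-06-04T09:00:00", "Product": "Microsoft Office",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "OriginalFileName": "WinWord.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Substring matching on short names such as "atera" can hit unrelated products, so findings are leads for review rather than verdicts.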
For more comprehensive guidance on building a strong security foundation, see our article on Illinois Cybersecurity Best Practices for Law Firms in 2025. Combining those best practices with these SRG-specific defenses can help your firm protect client data, preserve operational continuity, and reduce liability.
Reporting and Response to Silent Ransom Group Attacks
If your firm suspects Silent Ransom Group activity, the FBI recommends immediate reporting to your local FBI field office. Include all available evidence, such as ransom notes, threat actor phone numbers, suspicious emails, remote access logs, and any unusual system activity. Providing this information quickly can help law enforcement connect your case to broader investigations and identify patterns that may disrupt SRG’s operations.
In addition to law enforcement, your first calls should be to your cyber insurance provider and legal counsel. For Illinois law firms insured by ISBA Mutual, this means notifying the claims department as soon as possible. Early involvement allows ISBA Mutual to connect you with specialized breach counsel, forensic investigators, and IT remediation resources that can help contain the threat, minimize damage, and preserve crucial evidence.
ISBA Mutual’s risk management team can also assist with client communications, regulatory reporting obligations, and post-incident reviews to strengthen your cybersecurity posture going forward. A coordinated response not only limits immediate losses but also positions your firm to better defend against future threats.
By acting quickly and leveraging both law enforcement and your insurance partner, your firm can significantly reduce the operational, reputational, and financial impact of a Silent Ransom Group attack. For further insights into our professional liability services for Illinois law firms, contact ISBA Mutual Insurance Company today.