“The shift in attack strategy says a lot about where extortion is heading,” Nick Tausek, Lead Security Automation Architect at Swimlane, warned — a succinct diagnosis of a technique the FBI now says is being used to target law firms and other professional sectors.
Silent Ransom Group (SRG): aliases and timeline
The FBI has warned that a group known as Silent Ransom Group (SRG) has been active since at least 2022, engaging in data theft and extortion without relying on traditional ransomware encryption. The group may also be known by the names Luna Moth, Chatty Spider, and UNC3753. Unlike many ransomware operators that encrypt systems and demand payment, SRG emphasizes rapid access and immediate exfiltration of data.
Techniques: impersonation, remote access, and in-person compromise
The FBI bulletin describes social engineering as central to SRG’s operations. The malicious actors impersonate IT support and use phishing emails and phone calls to establish contact. When successful, the actors leverage legitimate remote access tools to walk an employee through granting access; in some cases, the attackers have reportedly sent an individual to a company location to obtain physical access to a computer. The combination of impersonation and legitimate administrative tooling is a deliberate tactic to blend illicit activity into routine IT workflows.
Targets: law firms, healthcare, insurance, and finance
SRG has targeted entities across multiple sectors, including healthcare, insurance, and finance, but U.S. law firms have been consistently singled out since 2023. The FBI’s advisory highlights law firms as a repeated focus for the group’s social-engineering campaigns and rapid exfiltration operations.
Detection challenges and security tradecraft
Security practitioners cited in the advisory emphasize why SRG’s approach is difficult to spot. Tausek notes that the attackers “lean[] into trust by posing as IT support, walking employees through remote access, then moving quickly to steal data before anyone realizes something is wrong.” He adds that “legitimate tools do not always trigger alarms,” and that defenders need “faster ways to connect unusual behavior across users, devices, cloud storage, and remote access sessions.” The bulletin thus frames the problem as one of speed and signal: when attackers use authorized channels and act quickly, conventional alerts can arrive too late.
What this means for security teams, law firms, and clients
- Security teams: The FBI and Tausek’s commentary both point to the need for detection that correlates activity across endpoints, cloud storage, and remote sessions — and for processes that can validate remote access requests that may appear legitimate on their face.
- Law firms and affected enterprises: The advisory underscores the sensitivity of data held in legal environments — client records, privileged communications, financial details, and case information — and the particular damage that data theft can cause when exfiltrated rather than encrypted.
- Clients and employees: The bulletin flags downstream harms if data is stolen: clients can be pressured, legal strategies exposed, and employees can become targets for follow-up scams.
The FBI’s warning and the observations from Swimlane converge on a single operational fact: SRG’s calculus relies on trust and speed, not on locking systems with ransomware. That shift reframes detection priorities — from identifying malicious binaries to spotting anomalous use of trusted access — and leaves a practical question for defenders: can monitoring and verification practices be adapted quickly enough to catch intrusions that hide in plain sight?




