
Silent Ransom Group Exploits Law Firms with Fake IT Support Scams


"Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports," Mandiant warned in its June report on the Silent Ransom Group.

How the group gains access: invoice emails, callback phishing, and fake IT help

Mandiant traces the campaign to a social engineering pattern that begins with invoice‑themed phishing emails sent from consumer email accounts. The messages themselves do not carry malicious links or attachments; instead they serve as a prompt for victims to call a phone number included in the message. This "callback phishing" or BazarCall‑style approach was previously used in Ryuk and Conti campaigns and is central to the Silent Ransom Group's current operations.

According to Mandiant and the FBI, attackers impersonate corporate IT help desks during follow-up voice calls and persuade employees to join remote support sessions via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services. During those sessions the attackers instruct targets to install remote monitoring and management tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, thereby gaining initial access to corporate networks.

Inside networks: what the attackers look for and how quickly extortion begins

Once inside, Mandiant reports the group searches for high‑value legal and financial documents — contracts, tax records, Social Security numbers, and merger or acquisition files — commonly focusing on document management platforms and cloud storage repositories. Data exfiltration is performed with tools such as WinSCP or Rclone.

The extortion operation is unusually aggressive on timing. Mandiant says ransom letters often arrive within 30 minutes of the attackers leaving the victim environment. These letters give organizations a three‑day deadline to respond and initiate negotiations; if the victim is unresponsive, the letters warn the group will call and email employees and external clients directly to announce the breach. The extortion text explicitly highlights potential regulatory fines, client trust damage, and possible lawsuits by external clients.

Infrastructure: fast‑flux hiding, the business-data-leaks[.]com site, and global proxies

A separate analysis by Resecurity tied the group’s leak platform to fast‑flux DNS infrastructure designed to frustrate takedowns. Resecurity reported the group's "business-data-leaks[.]com" leak site and related services use residential proxy networks distributed across Latin America, Eastern Europe, Central Asia, the Middle East, and Asia. The company said the infrastructure rotates IP addresses from a large pool of compromised devices and linked the setup to other cybercrime services and domains.

Operational history and in-person activity reported by the FBI

Mandiant links the Silent Ransom Group to the aliases UNC3753, Luna Moth, and Chatty Spider, and traces its activity back to at least 2022 when the actors were part of the Ryuk and Conti syndicate. Following Conti's shutdown in 2022, the group shifted from providing initial access for ransomware operations to running standalone data‑theft extortion campaigns under the Silent Ransom Group name. Mandiant says the group now focuses on stealing sensitive data rather than deploying traditional encryption ransomware.

The FBI's FLASH advisory expands the risk profile by warning of in‑person data theft. In those incidents, attackers impersonate IT staff over calls and emails, then attempt to gain remote access or physically visit offices to "image" computers or create backups while copying files. Mandiant found limited forensic evidence of such in‑person visits but believes they are likely linked to the same actors based on similarities in targeting, timelines, and behavior.

What this means for law firms, security teams, and policymakers

  • Law firms and professional services organizations: The attacks exploit normal IT support workflows and the high concentration of sensitive client materials in legal firms, increasing reputational and regulatory exposure. Firms are likely to face intense pressure to respond quickly to extortion demands and to decide whether to notify affected clients or regulators within short windows.
  • Security teams and IT staff: Mandiant and the FBI recommend strict verification procedures for any IT support interaction, limiting and monitoring remote‑access tools, enforcing multi‑factor authentication, restricting USB storage, and training staff to recognize voice phishing. The tactical emphasis should be on blocking callback vectors and detecting rapid exfiltration tools like WinSCP and Rclone.
  • Policymakers and regulators: The group’s rapid timelines and explicit threats to notify clients raise compliance and disclosure questions for regulated entities under deadlines for breach notification and client protection. The FBI advisory and Mandiant's technical detail together create a clearer enforcement and incident‑response picture for agencies overseeing legal and financial services.
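One way to act on the detection advice above is to correlate the two stages the report describes, a remote-support tool launching on a workstation and WinSCP or Rclone starting on the same host shortly afterwards, rather than alerting on either tool alone. The script below is an added example, not code from the report, Mandiant, or the FBI; the event format, the hostnames and timestamps, and the process binary names for the tools are all constructed assumptions.

```python
"""Correlate RMM tool launches with follow-on exfiltration tooling per host.

Added example: detection logic over constructed process-creation events.
Binary names for the tools named in the report are assumptions.
"""
from datetime import datetime

# Assumed process names for the remote-support tools named in the report.
RMM_TOOLS = {"anydesk.exe", "zohoassist.exe", "bomgar-scc.exe",
             "superops.exe", "quickassist.exe"}
# Exfiltration tools named in the report (assumed binary names).
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}

# Constructed sample telemetry: "timestamp,host,user,process" (not real data).
SAMPLE_EVENTS = """\
2025-06-10T09:02:11,WS-LEGAL-07,jdoe,outlook.exe
2025-06-10T09:15:40,WS-LEGAL-07,jdoe,anydesk.exe
2025-06-10T09:31:05,WS-LEGAL-07,jdoe,rclone.exe
2025-06-10T10:05:12,WS-LEGAL-12,asmith,winscp.exe
2025-06-10T11:20:00,WS-LEGAL-03,bnguyen,anydesk.exe
2025-06-10T15:45:00,WS-LEGAL-03,bnguyen,winscp.exe
"""


def parse_events(text):
    """Parse CSV-style event lines into (timestamp, host, user, process) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, proc = line.split(",")
        events.append((datetime.fromisoformat(ts), host, user, proc.lower()))
    return sorted(events)


def correlate(events, window_minutes=60):
    """Return (host, rmm_process, exfil_process, minutes_between) for every host
    where an RMM launch is followed by an exfil tool within window_minutes."""
    last_rmm = {}  # host -> (timestamp, process) of the most recent RMM launch
    hits = []
    for ts, host, _user, proc in events:
        if proc in RMM_TOOLS:
            last_rmm[host] = (ts, proc)
        elif proc in EXFIL_TOOLS and host in last_rmm:
            rmm_ts, rmm_proc = last_rmm[host]
            gap_minutes = int((ts - rmm_ts).total_seconds() // 60)
            if gap_minutes <= window_minutes:
                hits.append((host, rmm_proc, proc, gap_minutes))
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_events(SAMPLE_EVENTS)):
        print("ALERT %s: %s followed by %s after %d min" % hit)
```

On the constructed sample only WS-LEGAL-07 fires, since its WinSCP-only and hours-apart counterparts fall outside the pairing rule; widening `window_minutes` trades fewer misses for more noise.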

The Silent Ransom Group campaign reported by Mandiant and the FBI is notable for its simplicity of social engineering, the speed with which stolen material is weaponized, and the technical measures used to conceal infrastructure. For organizations that store concentrated, sensitive client data, the calculus now includes not just technical hardening but tighter human‑process controls around any unsolicited IT support contact — and the need to be prepared for extortion demands that can arrive within an hour of compromise.

Source: BleepingComputer — Silent Ransom Group targets law firms with fake IT support calls