
FBI warns criminals impersonating IT support to breach law firms

Silviu STAHIE

May 28, 2026


The FBI has issued a new FLASH alert warning that the Silent Ransom Group (SRG) is impersonating internal IT personnel to infiltrate organizations, steal private data and extort victims without using the traditional ransomware encryption.

The threat actors, also tracked as Luna Moth, Chatty Spider and UNC3753, have targeted US-based law firms heavily since 2023. However, the FBI says the group has also targeted organizations in healthcare, finance and insurance with the help of complex social engineering operations.

Unlike other known ransomware gangs that lock files and demand payment for decryption keys, SRG actors are more interested in rapid access, data theft and extortion threats tied to public leaks or sales of stolen information.

Key takeaways

The Silent Ransom Group impersonates internal IT support staff.

Attackers use phishing emails and phone calls to trick employees into granting remote access.

Some attacks involve individuals physically visiting company offices.

SRG actors steal data instead of encrypting systems.

The FBI says law firms remain a primary target.

Legitimate remote administration tools help attackers evade antivirus detection.

The group threatens victims with public exposure of stolen information.

Who is the Silent Ransom Group?

The Silent Ransom Group, operating since at least 2022, differs from many ransomware operations by often skipping encryption entirely. Instead, attackers focus on stealing sensitive information and pressuring victims into paying extortion demands.

The FBI says the group has consistently targeted law firms since Spring 2023 because legal organizations store highly sensitive client data, contracts, litigation materials and confidential communications.

How the attacks work

The latest SRG campaign relies heavily on social engineering rather than malware or software exploits.

According to the FBI, attackers either call employees directly or send phishing emails that instruct victims to contact fake IT support representatives. Once communication begins, the threat actors persuade employees to install remote access software or grant remote desktop permissions.

In some cases, attackers escalate the operation by physically visiting company offices.

The FBI says individuals linked to SRG may appear in person and claim they need to image a device or create a backup because of a supposed phishing-related issue. The attackers then connect USB drives or external storage devices to exfiltrate sensitive data directly from victim systems.

“Once the threat actor obtains access to the victim’s device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption. SRG actors use WinSCP (Windows Secure Copy) or a hidden or renamed version of “Rclone” to exfiltrate data. SRG actors also exfiltrate data to internal filesharing platforms such as Google Drive or Microsoft OneDrive,” the FBI FLASH advisory explains.

Why law firms are being targeted

Law firms hold large amounts of confidential information tied to litigation, mergers, contracts, intellectual property and client communications.

Instead of disrupting operations with encryption, SRG actors threaten to publish or sell stolen information online. The FBI says the group operates a leak site named business-data-leaks[.]com where stolen victim information may appear.

Attackers also reportedly pressure victims by contacting employees or even clients directly to intensify negotiations.

Moreover, this latest advisory comes almost one year to the day after the previous one regarding the same attacker. Evidently, this is a problem that’s not going away.

Indicators of compromise

The FBI identified several warning signs organizations should monitor closely.

| Indicator | Why it matters |
| --- | --- |
| Unexpected remote access software installations | Unauthorized downloads or installations of remote administration tools may indicate an attempted intrusion. |
| Suspicious USB or external drive activity | Unexpected external storage device connections on sensitive systems could signal data exfiltration. |
| Unusual cloud storage transfers | Exfiltration to OneDrive, Google Drive, or external servers may indicate movement of stolen data. |
| Calls from fake IT support staff | Employees should treat unsolicited calls from individuals claiming to work in IT as suspicious until verified. |
| Extortion emails or phone calls | Victims may receive messages claiming data was stolen or threatening public disclosure. |
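As an added example (not code from the FBI advisory or this article), the Python routine below applies the first and third indicators above, together with the renamed-Rclone and WinSCP detail from the FBI quote, to constructed Sysmon-style process-creation records: it compares each process image name against the PE OriginalFileName, which a renamed binary usually keeps, and flags rclone-style copy commands aimed at a cloud remote. The event fields, sample paths and user names are assumptions.

```python
import ntpath
import re

# Exfiltration tools named in the FBI advisory, keyed by the PE OriginalFileName,
# which survives when the binary on disk is renamed (e.g. rclone.exe -> svchost.exe).
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# rclone-style verb followed later by a "remote:" target such as onedrive: or gdrive:.
# Two or more characters before the colon avoid matching plain drive letters (D:\...).
CLOUD_COPY = re.compile(r"\b(copy|sync|move|copyto)\b.*\s[A-Za-z][\w-]+:\S*", re.IGNORECASE)

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe copy D:\Matters onedrive:backup --transfers 8", "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "WinSCP.exe",
     "CommandLine": "WinSCP.exe /console", "User": r"CORP\jdoe"},
    {"Image": r"C:\Tools\sync.exe", "OriginalFileName": "sync.exe",
     "CommandLine": r"sync.exe sync C:\Cases gdrive:dump -q", "User": r"CORP\jdoe"},
]


def classify(event):
    """Return the reasons (possibly none) why one process-creation event deserves triage."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    reasons = []
    if original in EXFIL_TOOLS:
        if image != original:
            reasons.append(f"renamed exfil tool: {image} is really {original}")
        else:
            reasons.append(f"exfil-capable tool executed: {original}")
    if CLOUD_COPY.search(event.get("CommandLine", "")):
        reasons.append("rclone-style copy to a cloud remote in command line")
    return reasons


def triage(events):
    """Map event index -> reasons for every event that matched at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["User"], "|", "; ".join(reasons))
```

Legitimate WinSCP use will also surface, so the second rule is a triage prompt rather than a verdict; pairing it with the user and the destination host narrows it.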

FBI recommendations for organizations

The FBI urges organizations to strengthen social engineering defenses and identity verification procedures. Its recommendations include:

  • Verifying the identity of all individuals accessing company premises
  • Training employees to recognize phishing and impersonation attacks
  • Limiting access to sensitive data from insecure networks
  • Requiring phishing-resistant multi-factor authentication
  • Maintaining regular backups
  • Restricting remote access permissions
  • Blocking port 22 when operationally feasible
  • Limiting external drive installation permissions on sensitive systems

FAQ

What is the Silent Ransom Group?

Answer: The Silent Ransom Group is a cybercrime operation that steals sensitive data and extorts victims instead of relying primarily on ransomware encryption.


Why are law firms being targeted?

Answer: Law firms store highly sensitive legal and client information that attackers can use for extortion and public leak threats.


Does SRG use malware?

Answer: The group often relies on legitimate remote administration tools and social engineering instead of traditional malware.


How do attackers impersonate IT staff?

Answer: Attackers send phishing emails or make phone calls pretending to be internal IT personnel and convince employees to grant remote access.


What should employees do if someone claiming to be IT contacts them unexpectedly?

Answer: Employees should independently verify the person’s identity through official internal channels before granting access or installing software.
