Skip to content

Silent Ransom Group Targets Law Firms with Sophisticated Social Engineering Attacks

The Silent Ransom Group, a highly aggressive extortion gang, has been actively targeting U.S. law firms and professional services organizations in social engineering attacks that often lead to data theft within hours of initial contact.

According to a new report by cybersecurity firm Mandiant, the threat group, tracked as UNC3753, Luna Moth, and Chatty Spider, targeted dozens of organizations across the legal, financial, and professional services sectors between January and May 2026.

Mandiant warns that law firms remain especially attractive targets because they store large volumes of highly sensitive client information and may feel pressured to resolve extortion incidents to avoid reputational and regulatory damage. “Legal services firms represent high-value targets for extortion actors,” explains Mandiant. “They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports.”

The attacks begin with invoice-themed phishing emails from consumer email accounts that do not contain malicious links or attachments but serve as a precursor for follow-up phone calls from attackers impersonating corporate IT staff. These callback phishing attacks prompt the recipient to call them back at an enclosed phone number.

During these sessions, the threat actors trick the target into installing remote monitoring and management tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, thereby granting them initial access to the corporate network. Mandiant also discovered phishing domains tied to the campaign that impersonate internal IT portals using naming patterns such as “[companyname]-it-support[.]com”.

Once inside a network, the group searches for sensitive legal and financial documents, including contracts, tax records, Social Security numbers, and merger or acquisition files. The attackers commonly target document management platforms and cloud storage repositories before exfiltrating the data using tools such as WinSCP or Rclone.

Mandiant notes that the extortion operation is highly aggressive, with ransom demands often arriving within 30 minutes of the attackers leaving the victim environment. If the victim organization is unresponsive, the threat actors declare they will call and email target employees and external clients directly to alert them of the data breach.

The FBI has also warned about the Silent Ransom Group’s in-person data theft attacks, where attackers impersonate internal IT staff over phone calls and emails, then attempt to gain remote access or physically visit offices to “image” computers or create backups while secretly stealing files. While Mandiant said there was limited forensic evidence, the researchers believe these in-person attacks are likely linked to UNC3753 based on similarities in targeting, timelines, and operational behavior.

To defend against the attacks, both Mandiant and the FBI recommend implementing strict security measures, including monitoring for suspicious emails, verifying phone calls from IT staff, and regularly updating software and systems. Additionally, organizations should educate employees about the risks of callback phishing and remote support scams.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *