The cyber threat actor Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is aggressively targeting U.S. law firms with IT-themed social engineering and callback phishing emails to gain remote access to systems, exfiltrate sensitive data, and demand ransom payments. The threat’s escalation in early 2025 has alarmed security professionals because of its stealth, its human-centric techniques, and the high value of legal data.
SRG has been active since at least 2022, according to multiple FBI reports and private-sector threat intelligence sources. Initially, SRG leveraged callback phishing emails that mimicked subscription cancellation requests from legitimate-looking vendors. Victims were prompted to call a fake support line, ultimately leading to the installation of remote access tools (RATs) such as Zoho Assist, AnyDesk, or Atera.
Since March 2025, SRG has adopted a more aggressive social engineering strategy: direct phone calls to employees, impersonating internal IT support staff. Victims were instructed to join remote sessions under the guise of maintenance, granting attackers near-invisible access to their devices.
Once inside, SRG wastes no time on privilege escalation. Instead, they focus on data exfiltration using tools like WinSCP and Rclone, often camouflaged under different names or used in portable form to bypass administrative barriers.
“This is a chilling reminder that cyberattacks don’t need malware to be effective—just a convincing voice and a clever script,” said Rachel Amani, Director of Threat Intelligence at Middle East-based firm CyberSecure Gulf.
Why Law Firms? Why Now?
SRG appears to be targeting law firms intentionally, likely because of the high sensitivity of legal data, ranging from intellectual property to financial disclosures and case strategy documents. These targets are often more susceptible to urgent-sounding social engineering and less protected than other critical infrastructure sectors.
According to the FBI bulletin issued in May 2025, law firms are now the primary victim group, although medical and insurance companies are also on SRG’s radar. The group’s practice of naming victims on its extortion site (which intermittently leaks victim data) underscores its intent to amplify reputational pressure and force negotiations.
MEA and Global Implications
While most observed attacks have focused on the United States, experts warn that law firms and legal consultancies in the Middle East and Africa (MEA) should not assume immunity.
Countries in the Gulf Cooperation Council (GCC) and North Africa, increasingly digitizing legal systems and court filings, could become attractive targets. Under laws like Saudi Arabia’s Essential Cybersecurity Controls (ECC) or South Africa’s POPIA, breaches of client data could trigger steep penalties or litigation risks.
“Given the sensitivity of legal data in litigation-heavy environments like Dubai or Riyadh, this group poses a serious compliance threat,” said Dr. Ahmed El Gohary, Professor of Cybersecurity Policy at the University of Cairo.
In Europe, the attacks echo similar past campaigns tied to BazarCall and Conti spin-offs, showing how ransomware actors have shifted to malware-free, human-driven compromise paths.
MITRE ATT&CK Techniques and Indicators
MITRE ATT&CK Mapping:
- Initial Access: T1566.001 (Phishing: Spearphishing via Email)
- Execution: T1059 (Command and Scripting Interpreter)
- Persistence: T1133 (External Remote Services)
- Exfiltration: T1048.002 (Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol)
Indicators of Compromise (IOCs):
- Use of remote access tools: Zoho Assist, AnyDesk, Atera, Splashtop, Syncro
- Legitimate file transfer tools: WinSCP, Rclone (including portable versions)
- Callback phishing emails citing subscription charges
- Phone calls or voicemails claiming stolen data
- Extortion threats using anonymous group aliases
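The indicators above are legitimate tools, so name-based blocking is weak: the article notes that WinSCP and Rclone are run under different names or as portable copies. The following triage helper is an added example, not code from the article or from any vendor named in it. It scores constructed Sysmon-style process-creation records (Image path, PE OriginalFileName, command line, user) by matching the file-transfer tools on OriginalFileName, which survives renaming the binary on disk, flagging rclone transfers whose target is a `remote:` rather than a local drive, and noting execution from user-writable paths. The remote-support product list is matched as lower-case substrings of the path and OriginalFileName; that heuristic, the field names, and all sample events are assumptions to tune against real telemetry.

```python
"""Triage of process-creation telemetry for renamed or portable file-transfer
and remote-support tools (added example; assumes Sysmon-style fields)."""
import ntpath
import re
import shlex
from dataclasses import dataclass

# File-transfer tools named in the article, matched on PE OriginalFileName,
# which a rename of the file on disk does not change.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Remote-support products named in the article; substring heuristic (assumption).
REMOTE_ACCESS_MARKERS = ("anydesk", "zoho", "atera", "splashtop", "syncro")

# Directories a non-admin user can write to: where a portable copy would land.
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|downloads|programdata)\\", re.I)

# rclone sub-commands that move data, and the "remote:path" argument shape.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG = re.compile(r"^[A-Za-z][\w.-]*:")
DRIVE_LETTER = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass
class ProcessEvent:
    image: str               # full path of the executable as launched
    original_file_name: str  # PE version-info OriginalFileName
    command_line: str
    user: str


def _rclone_remote_targets(command_line: str) -> list[str]:
    """Return 'remote:' arguments of an rclone transfer command, if any."""
    tokens = shlex.split(command_line, posix=False)  # keep Windows backslashes
    if not any(t.lower() in RCLONE_TRANSFER_VERBS for t in tokens[1:]):
        return []
    return [t for t in tokens[1:] if REMOTE_ARG.match(t) and not DRIVE_LETTER.match(t)]


def classify(ev: ProcessEvent) -> list[str]:
    """Return sorted finding tags for one event; empty means nothing notable."""
    findings = set()
    on_disk = ntpath.basename(ev.image).lower()
    original = ev.original_file_name.lower()

    if original in EXFIL_TOOLS:
        findings.add("file-transfer-tool")
        if on_disk != original:
            findings.add("renamed-binary")
        if original == "rclone.exe" and _rclone_remote_targets(ev.command_line):
            findings.add("rclone-transfer-to-remote")

    haystack = f"{ev.image} {ev.original_file_name}".lower()
    if any(marker in haystack for marker in REMOTE_ACCESS_MARKERS):
        findings.add("remote-access-tool")

    # Location only matters once the binary itself is of interest.
    if findings and USER_WRITABLE.search(ev.image):
        findings.add("run-from-user-writable-path")

    return sorted(findings)


def severity(findings: list[str]) -> str:
    """Map finding tags to a triage level for an analyst queue."""
    if "renamed-binary" in findings or "rclone-transfer-to-remote" in findings:
        return "high"
    if "run-from-user-writable-path" in findings:
        return "medium"
    return "low" if findings else "none"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe", "rclone.exe",
                 r'svchost_update.exe copy "C:\Cases\Client A" mega-backup:cases --transfers 8',
                 "CORP\\jdoe"),
    ProcessEvent(r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "WinSCP.exe",
                 r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"', "CORP\\itadmin"),
    ProcessEvent(r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk.exe",
                 "AnyDesk.exe", "CORP\\jdoe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 "notepad.exe", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        tags = classify(ev)
        print(f"{severity(tags):6} {ev.user:14} {ev.image}  {tags}")
```

An approved WinSCP install under Program Files scores low, while the same tool renamed and running from a Temp directory with a cloud remote as its destination scores high; pairing this with outbound-volume monitoring covers the case where the binary is not one of the two named here.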
10 Key Takeaways
- Human-Centric Attack: Silent Ransom Group (SRG) relies on social engineering—especially impersonating IT personnel—rather than malware, making detection harder.
- Callback Phishing Evolution: What started as fake cancellation emails evolved into voice-based impersonation of support teams for remote access.
- Legal Sector in Crosshairs: Law firms are ideal targets due to the volume and sensitivity of their data, making them highly vulnerable and more likely to pay ransoms.
- No Malware Needed: SRG’s attacks are often malware-free, focusing on user manipulation and portable tools, evading many traditional detection systems.
- Rapid Data Exfiltration: Once inside, SRG skips privilege escalation and immediately transfers sensitive files using tools like WinSCP and Rclone.
- Reputational Leverage: Victim data leaks are used as pressure tactics on extortion sites, putting law firms at risk of public shaming and loss of client trust.
- Global Relevance: While U.S.-based firms are most affected, legal entities in the MEA region should prepare for possible targeting.
- Compliance Exposure: Breaches in regulated jurisdictions (e.g., GCC, South Africa) could lead to fines, lawsuits, and compliance failures.
- Ties to Past Campaigns: SRG’s playbook resembles earlier tactics from BazarCall and Conti offshoots, indicating shared methods or personnel.
- Proactive Defense Needed: Firms must train staff on voice phishing, use conditional access controls, and closely monitor third-party support tools.
Conclusion
The Silent Ransom Group’s shift toward socially engineered, malware-free extortion campaigns highlights the growing sophistication of cyber threats facing law firms and legal service providers. As attackers exploit trust and urgency rather than technical exploits, the line between cybersecurity and employee awareness continues to blur.
Law firms, especially those operating in sensitive legal, financial, or geopolitical domains, must adapt quickly. This includes strengthening verification protocols for IT requests, monitoring outbound data flows, and educating employees on the hallmarks of social engineering attacks.
The legal sector must recognize that cybersecurity is no longer just an IT issue; it’s a matter of client trust, regulatory compliance, and business continuity. As SRG and similar groups evolve, only a proactive, people-aware defense strategy will suffice.