Scott Davis

"You can't protect what you don't know"

The FBI has issued a public cybersecurity bulletin warning that a sophisticated cybercrime group known as the Silent Ransom Group (SRG)—also referred to as Luna Moth, Chatty Spider, and UNC3753—is actively targeting law firms across the United States. This threat actor, operating since at least 2022, has expanded its focus in recent months to specifically victimize legal organizations due to the sensitive nature of the data they manage.

SRG’s method of attack diverges from traditional ransomware models. Instead of encrypting files, the group uses social engineering tactics to gain remote access to systems and exfiltrate data, which it then uses as leverage in extortion campaigns. The FBI notes that the group has become known for its use of phishing emails disguised as subscription service notifications. These emails typically claim that a small subscription charge is pending and instruct the recipient to call a phone number to cancel. During that call, the victim is directed to install legitimate remote access tools—such as Zoho Assist, AnyDesk, or Splashtop—which, unbeknownst to the victim, give the attackers access to the device.

In a concerning shift in tactics observed as of March 2025, SRG has begun impersonating internal IT staff via unsolicited phone calls. The attackers tell employees that IT work needs to be done and direct them to grant remote access to their devices. Once inside, SRG quickly moves to exfiltrate data using tools like WinSCP or Rclone—often without escalating privileges, allowing the attack to proceed unnoticed by antivirus or endpoint detection systems. After extracting sensitive files, SRG contacts the victim organization with ransom demands, threatening to leak or sell the data unless payment is made.

While law firms are currently the primary target, the FBI reports that organizations in the healthcare and insurance sectors have also been affected. Despite claiming to have a public site for posting stolen data, SRG has been inconsistent in actually following through, possibly as a pressure tactic during negotiations.

The FBI emphasizes that SRG’s attacks often leave minimal traces, making them difficult to detect using traditional security tools. Network defenders are advised to monitor for signs such as unauthorized downloads of remote access tools, unexpected outbound data transfers using WinSCP or Rclone, and any suspicious IT-related communications with employees.
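As an added illustration of the monitoring advice above (not code from the bulletin or from this article), the script below scans constructed process-start records for launches of the remote-access and data-transfer tools named here and raises the severity when both appear on the same host within a short window. The log field names, the process-name substrings and the 24-hour window are assumptions; tune them to your own telemetry.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the FBI bulletin): one JSON process-start
# record per line, in the shape many EDR/Sysmon exports use. Field names are assumed.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-10T09:02:11", "host": "LAW-WS01", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmd": "AnyDesk.exe"}
{"ts": "2025-03-10T09:40:55", "host": "LAW-WS01", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe", "cmd": "rclone.exe copy C:\\Cases remote:cases"}
{"ts": "2025-03-10T10:15:00", "host": "LAW-WS02", "user": "asmith", "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe"}
{"ts": "2025-03-09T14:00:00", "host": "LAW-WS03", "user": "itadmin", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "cmd": "WinSCP.exe"}
"""

# Substrings of the executable names for the tools the bulletin names (assumed spellings).
REMOTE_ACCESS_MARKERS = ("anydesk", "zoho", "splashtop")
EXFIL_MARKERS = ("rclone", "winscp")

def parse_events(text):
    """Parse JSON-lines telemetry and return records sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def _match(event, markers):
    """Return the first marker found in the executable's file name, else None."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    return next((m for m in markers if m in name), None)

def detect(events, window=timedelta(hours=24)):
    """Alert on every exfil-tool launch; severity is 'high' when a remote-access tool
    ran on the same host within `window` beforehand, otherwise 'medium' for review."""
    last_remote = {}  # host -> (marker, event) of the latest remote-access tool launch
    alerts = []
    for e in events:
        remote = _match(e, REMOTE_ACCESS_MARKERS)
        if remote:
            last_remote[e["host"]] = (remote, e)
            continue
        exfil = _match(e, EXFIL_MARKERS)
        if not exfil:
            continue
        prior = last_remote.get(e["host"])
        linked = prior if prior and e["ts"] - prior[1]["ts"] <= window else None
        alerts.append({"host": e["host"], "user": e["user"], "ts": e["ts"].isoformat(),
                       "exfil_tool": exfil, "remote_tool": linked[0] if linked else None,
                       "severity": "high" if linked else "medium"})
    return alerts

def run_sample():
    return detect(parse_events(SAMPLE_EVENTS))

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The unpaired WinSCP launch on LAW-WS03 is only flagged for review, since administrators legitimately use it; the AnyDesk-then-rclone sequence on LAW-WS01 is the pattern the bulletin describes.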

To mitigate the risk, the FBI recommends a series of basic but critical steps: implement robust phishing awareness training, enforce multifactor authentication across all systems, maintain clear internal protocols for IT support communications, and ensure regular, secure data backups. Organizations are also encouraged to share any legally permissible information about incidents involving SRG with their local FBI Cyber Squad, including ransom notes, phishing emails, attacker phone numbers, and cryptocurrency wallet details.

This alert serves as a critical reminder for Pennsylvania’s legal and business communities to remain vigilant. The Cybersecurity Association of Pennsylvania continues to monitor developments and urges all members to ensure their systems and staff are prepared to respond to evolving threats like SRG. More information, along with FBI field office contacts, can be found at www.fbi.gov/contact-us/field-offices.