The FBI said on Tuesday that the Silent Ransom Group is targeting U.S.-based law firms in in-person data theft attacks, using phone calls, phishing emails and, in some cases, physical access to computers to steal data and extort victims.
KEY FACTS
- Attack method: Actors pose as IT staff and push employees to start remote desktop sessions or call back for support.
- Physical access: If remote access fails, a threat actor may go to the victim site and connect a USB drive or external hard drive.
- Warning signs: The FBI cited unknown people claiming to be IT support and unauthorized external storage devices on company computers.
- Group history: The gang has been active since at least 2022 and has targeted legal and financial organizations since early 2023.
In an FBI flash alert, the bureau said the group, also known as Luna Moth, Chatty Spider and UNC3753, uses social engineering to pose as an employee from the victim’s IT department. The report said the actors either call directly or send phishing emails to persuade employees to contact the fake support desk.
Once on the phone, the actors direct employees to grant access to a remote desktop session. If that fails, the group may send someone to the victim’s location to gain physical access and insert a storage device into the computer. The report said the data is then stolen through legitimate remote access tools or by direct connection to a USB drive or external hard drive.
Stolen information is used in ransom demands that threaten to sell or post the material on a leak site. The group also pressures employees or clients with follow-up calls while trying to force negotiations. The disclosure said the gang has targeted U.S. law firms in callback phishing and social engineering attacks for more than two years.
The same threat actors were previously linked to BazarCall campaigns that helped provide access to corporate networks in Conti and Ryuk ransomware attacks. After the Conti shutdown in March 2022, the group split off and formed Silent Ransom Group, which has focused on data theft and extortion rather than file encryption.
WHY IT MATTERS
The warning shows that extortion gangs can combine online social engineering with on-site intrusion to reach data even when remote access is blocked. It also gives companies specific signs to watch for, including unsolicited IT support claims and unauthorized storage devices.

