The Silent Ransom Group is targeting U.S. law firms and professional services firms in social engineering attacks that can lead to data theft within hours of first contact, according to a technical analysis by Mandiant. The group targeted dozens of organizations in the legal, financial and professional services sectors between January and May 2026.
KEY FACTS
- Targeting: Law firms are a high-value focus because they hold sensitive client and regulatory data.
- Initial lure: Attackers send invoice-themed phishing emails from consumer accounts.
- Access method: The group poses as IT staff and pushes victims into remote support sessions.
- Data theft: Once inside, the attackers search for contracts, tax records, Social Security numbers and merger files.
The emails do not carry malicious links or attachments. Instead, they are used to set up follow-up phone calls in which attackers try to convince employees to install remote support software such as AnyDesk, Zoho Assist, Bomgar or SuperOps.
During those sessions, the threat actors also use the self-destructing messaging service privnote.com to share installation links and commands. Mandiant said the tactic can reduce browser history and chat log artifacts.
The report said ransom demands often arrive within 30 minutes of the attackers leaving the victim environment. The letters give organizations three days to respond and threaten to contact employees and clients directly if they do not negotiate.
The FBI recently warned that the same group was also using in-person data theft tactics against U.S. law firms. In those cases, attackers impersonate internal IT staff by phone and email and may try to image computers or remove files from offices.
WHY IT MATTERS
The campaign shows how quickly social engineering can lead to major data theft without malware encryption. It also underscores the need for strict verification of IT support requests, limits on remote access tools, and employee training on voice phishing.
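One way to monitor for the pattern described above, as an added example that is not from Mandiant's report or this article: flag every launch of the named remote support tools, and raise severity when the same host looked up privnote.com shortly beforehand. The event tuple layout, the substring matching on product names, the 30-minute correlation window, and all host names and paths are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Product names come from the article; matching them as substrings of a
# process path is an assumption, since real binary names vary by version.
RMM_KEYWORDS = ("anydesk", "zohoassist", "zoho assist", "bomgar", "superops")
NOTE_DOMAIN = "privnote.com"
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample telemetry: (ISO timestamp, host, event kind, value)
SAMPLE_EVENTS = [
    ("2026-03-02T14:01:10", "LAW-WS-014", "dns", "privnote.com"),
    ("2026-03-02T14:04:42", "LAW-WS-014", "proc", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ("2026-03-02T09:15:00", "LAW-WS-022", "proc", r"C:\Program Files\Bomgar\bomgar-scc.exe"),
    ("2026-03-02T11:00:00", "LAW-WS-030", "dns", "notprivnote.com"),
    ("2026-03-02T11:02:00", "LAW-WS-030", "proc", r"C:\Tools\SuperOps\agent.exe"),
    ("2026-03-02T08:00:00", "LAW-WS-041", "dns", "www.privnote.com"),
    ("2026-03-02T13:00:00", "LAW-WS-041", "proc", r"C:\Temp\ZohoAssist.exe"),
]

def is_note_domain(name):
    """True for privnote.com and its subdomains, not for look-alike suffixes."""
    name = name.lower().rstrip(".")
    return name == NOTE_DOMAIN or name.endswith("." + NOTE_DOMAIN)

def rmm_tool(path):
    """Return the matched remote-support keyword for a process path, or None."""
    lowered = path.lower()
    return next((k for k in RMM_KEYWORDS if k in lowered), None)

def correlate(events, window=WINDOW):
    """Return (host, tool, severity) for each remote-support tool launch.

    Severity is "high" when the same host resolved the note-sharing domain
    within `window` before the launch, otherwise "review".
    """
    last_note, alerts = {}, []
    for ts, host, kind, value in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        if kind == "dns" and is_note_domain(value):
            last_note[host] = when
        elif kind == "proc" and (tool := rmm_tool(value)):
            seen = last_note.get(host)
            recent = seen is not None and when - seen <= window
            alerts.append((host, tool, "high" if recent else "review"))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The "review" tier covers launches with no nearby note-service lookup, which still matter where remote access tools are supposed to be restricted to an approved list.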

