A cybercriminal outfit known as the Silent Ransom Group is aggressively going after American law firms and professional services companies, using social engineering tricks that can result in stolen data within just a few hours of first contact, according to a fresh analysis from cybersecurity company Mandiant.
This new analysis builds on an FBI FLASH alert issued last week, which cautioned that the Silent Ransom Group had been going after U.S. law firms through social engineering schemes and even in-person data theft attempts. Mandiant’s report now sheds more light on the technical mechanics behind these breaches.
According to Mandiant, the hacking collective—identified by the names UNC3753, Luna Moth, and Chatty Spider—went after numerous organizations spanning the legal, financial, and professional services industries from January through May 2026.

Mandiant cautioned that law firms continue to be particularly appealing targets because they hold vast amounts of confidential client data and may feel compelled to settle extortion demands quickly to sidestep reputational harm and regulatory penalties.
“Law firms are prime targets for extortion groups. They keep tightly packed collections of highly confidential client deal documents, merger and acquisition strategies, proprietary client information, and corporate compliance filings,” Mandiant noted.
“Cybercriminals understand that legal organizations face significant reputational and regulatory risks and could be strongly inclined to settle extortion cases discreetly to safeguard their professional reputation.”
The analysts explain that the attacks kick off with phishing emails disguised as invoices, sent from everyday consumer email accounts. These messages don’t include harmful links or file attachments; instead, they set the stage for follow-up phone calls from the attackers posing as company IT personnel.
Using voice calls as an attack method has been a long-standing strategy for these hackers, who previously employed this approach in BazarCall social engineering operations connected to Ryuk and Conti ransomware incidents. Callback phishing involves attackers sending seemingly harmless phishing emails with urgent or IT-related hooks that encourage the recipient to phone them back at a provided number.
In the ongoing campaign, the Silent Ransom Group poses as IT support desks and persuades staff members to participate in remote assistance sessions through platforms like Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services.
Throughout these sessions, the hackers deceive the victim into setting up remote monitoring and management software such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, which gives them a foothold into the company’s network.

Mandiant also uncovered phishing websites connected to the campaign that mimic internal IT portals, using domain suffixes such as -itdesk[.]com, -it[.]com, and -helpdesk[.]com.

The analysts note that the hackers also leverage privnote[.]com, a self-destructing messaging platform, to pass along installation links and instructions to victims during remote support sessions. Mandiant says this approach helps minimize digital traces left behind in web browsing histories or company chat records.
After gaining access to a network, the group hunts for confidential legal and financial records, such as agreements, tax documents, Social Security numbers, and merger or acquisition materials. The attackers frequently go after document management systems and cloud storage services before siphoning off the data using utilities like WinSCP or Rclone.
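The chain described above, a remote monitoring tool installed during a "support" session followed within hours by WinSCP or Rclone, is something a detection engineer can hunt for in process-creation telemetry. The script below is an added example written for this article, not code from Mandiant or the FBI. It runs over constructed Sysmon Event ID 1 style records; the tool-name regexes, the user-writable path heuristic, and the six-hour window are assumptions chosen to match the speed the report describes, not vendor-supplied indicators.

```python
"""Hunt for the RMM-install-then-exfiltration chain in process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime

# Tool families keyed by intrusion stage, matched against the lowercased image path.
# Binary names vary by vendor and version, so these are starting points (assumption).
STAGES = {
    "rmm_install": re.compile(r"anydesk|zoho|bomgar|superops"),
    "exfil_tool": re.compile(r"winscp|rclone"),
}

# Binaries launched from user-writable folders are what a victim clicking an installer
# link handed over in a remote session typically produces (heuristic, assumed).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\")

# Sysmon Event ID 1 style records, constructed for this example.
SAMPLE_EVENTS = [
    {"ts": "2026-03-04T14:02:11", "host": "WS-LEGAL-17", "user": r"CORP\jsmith",
     "image": r"C:\Users\jsmith\Downloads\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install"},
    {"ts": "2026-03-04T14:40:53", "host": "WS-LEGAL-17", "user": r"CORP\jsmith",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy \\fs01\clients\deals remote:dump --transfers 16"},
    {"ts": "2026-03-04T15:10:00", "host": "WS-FIN-02", "user": r"CORP\akim",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "cmdline": "WinSCP.exe /console"},
    {"ts": "2026-03-05T09:00:00", "host": "WS-IT-01", "user": r"CORP\itadmin",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def classify(event):
    """Return the intrusion stage an event belongs to, or None if it matches nothing."""
    image = event["image"].lower()
    for stage, pattern in STAGES.items():
        if pattern.search(image):
            return stage
    return None


def hunt(events, window_hours=6):
    """Group stage hits per host and flag hosts where an RMM install is followed by an
    exfiltration tool within window_hours. Returns {host: finding}."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))

    findings = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        rmm_times = [t for t, s, _ in hits if s == "rmm_install"]
        chained = any(
            s == "exfil_tool"
            and any(0 <= (t - r).total_seconds() <= window_hours * 3600 for r in rmm_times)
            for t, s, _ in hits
        )
        user_path = any(USER_WRITABLE.search(ev["image"].lower()) for _, _, ev in hits)
        findings[host] = {
            "stages": [s for _, s, _ in hits],
            "chained": chained,
            "user_writable_path": user_path,
            "severity": "high" if chained else "medium",
        }
    return findings


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(host, finding)
```

A lone WinSCP launch from Program Files is only medium severity here because finance staff legitimately use it; what turns WS-LEGAL-17 into a high-severity case is the ordering, an RMM agent dropped in Downloads and Rclone run from Temp 38 minutes later. In production, join the same logic against your RMM allow-list so sanctioned tools installed by the help desk do not fire.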
Mandiant reports that the extortion scheme is remarkably fast-paced, with ransom notes frequently showing up within 30 minutes of the hackers departing the victim’s systems.
“These highly aggressive extortion notices give companies a three-day window to reply and begin ransom discussions. If the targeted organization doesn’t respond, the hackers announce they will reach out to the company’s employees and outside clients directly to inform them of the data breach,” Mandiant stated.
“The extortion messages specifically stress that the data leak will erode client confidence, trigger major regulatory penalties, and hint that outside clients might take legal action against the victim organization for mishandling their data.”
The analysis also points to the FBI’s recent alert, in which authorities cautioned that the Silent Ransom Group had been going after U.S. law firms with in-person data theft attempts.
Per the FBI, the hackers pose as internal IT personnel over phone calls and emails, then try to obtain remote access or show up at offices in person to “image” computers or make backups while covertly pilfering files.
While Mandiant noted there was scarce forensic proof, the analysts suspect these in-person attacks are probably connected to UNC3753, given the parallels in victim selection, timing, and operational tactics.
The Silent Ransom Group has been operating since at least 2022, when it was affiliated with the Ryuk and Conti cybercrime network.
As BleepingComputer previously covered, the hackers were earlier tied to BazarCall callback phishing operations that served as the entry point for Conti and Ryuk ransomware incidents.
Following the Conti network’s dissolution in 2022, the group transitioned to independent data theft and extortion activities under the Silent Ransom Group name.
Analysts say the group has moved away from conventional ransomware encryption and now concentrates solely on data-theft extortion, where they pilfer confidential information and coerce victims into paying to keep the data from being exposed.
A separate analysis published this week by Resecurity revealed that the gang is also running fast-flux infrastructure to conceal and shield its data-leak websites.
DNS fast flux is a technique where operators rapidly rotate the IP addresses a domain resolves to, usually with very short DNS TTLs, across a large pool of compromised or proxied hosts, so that blocking or seizing any single address does little and the real back-end stays hidden.
Per the company, the infrastructure relies on residential IP addresses spanning numerous countries and internet service providers to make shutdowns harder to execute.
Resecurity stated that the group’s “business-data-leaks[.]com” leak portal and associated infrastructure depend on residential proxy networks distributed across Latin America, Eastern Europe, Central Asia, the Middle East, and Asia. The analysts also connected the infrastructure to other cybercrime-linked services and domains.
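The telltale signs Resecurity describes, many resolved IPs scattered across unrelated networks and countries, can be measured from passive DNS or repeated lookups. The script below is an added example, not Resecurity's code or methodology; it scores constructed observations (documentation IP ranges and reserved ASNs) for a hypothetical suspect.example against a normally hosted stable.example. The ASN column is assumed to come from an enrichment step such as a routing-table lookup, and the thresholds are heuristics, not published values.

```python
"""Score passive-DNS observations for fast-flux behaviour."""
from collections import defaultdict
from ipaddress import ip_network

# (domain, observation order, resolved IP, TTL in seconds, origin ASN).
# Constructed data: RFC 5737 address blocks and ASNs from the documentation range.
OBSERVATIONS = [
    ("suspect.example", 0, "192.0.2.10", 60, 64496),
    ("suspect.example", 1, "198.51.100.23", 60, 64497),
    ("suspect.example", 2, "203.0.113.77", 60, 64498),
    ("suspect.example", 3, "192.0.2.10", 60, 64496),
    ("suspect.example", 4, "198.51.100.99", 60, 64497),
    ("suspect.example", 5, "203.0.113.5", 60, 64498),
    ("suspect.example", 6, "192.0.2.200", 60, 64499),
    ("suspect.example", 7, "198.51.100.23", 60, 64497),
] + [("stable.example", i, "203.0.113.250", 3600, 64500) for i in range(8)]

# Heuristic thresholds (assumption): a fluxing site answers with different IPs in
# different networks on nearly every lookup and advertises a tiny TTL. A CDN also
# returns many IPs, but they cluster in one or two ASNs, which is why ASN diversity
# is scored separately from raw IP count.
MIN_UNIQUE_IPS = 5
MIN_UNIQUE_ASNS = 3
MAX_TTL = 300


def summarize(observations):
    """Return {domain: metrics} with IP, /24 and ASN diversity, minimum TTL,
    the fraction of lookups that produced a never-before-seen IP (churn),
    and a fast_flux verdict from the thresholds above."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "asns": set(),
                               "ttls": [], "new": 0, "n": 0})
    # Sort by observation order so churn reflects the sequence in which IPs appeared.
    for domain, _, ip, ttl, asn in sorted(observations, key=lambda o: (o[0], o[1])):
        d = per[domain]
        d["n"] += 1
        if ip not in d["ips"]:
            d["new"] += 1
        d["ips"].add(ip)
        d["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
        d["asns"].add(asn)
        d["ttls"].append(ttl)

    report = {}
    for domain, d in per.items():
        metrics = {
            "unique_ips": len(d["ips"]),
            "unique_24s": len(d["nets"]),
            "unique_asns": len(d["asns"]),
            "min_ttl": min(d["ttls"]),
            "churn": round(d["new"] / d["n"], 3),
        }
        metrics["fast_flux"] = (
            metrics["unique_ips"] >= MIN_UNIQUE_IPS
            and metrics["unique_asns"] >= MIN_UNIQUE_ASNS
            and metrics["min_ttl"] <= MAX_TTL
        )
        report[domain] = metrics
    return report


if __name__ == "__main__":
    for domain, metrics in summarize(OBSERVATIONS).items():
        print(domain, metrics)
```

Against live data, feed the function with the answer section from repeated `dig` runs or a passive-DNS export and raise the observation count before trusting the verdict; eight lookups is enough to illustrate the metric, not to convict a domain. Residential proxy pools, the hosting Resecurity describes, show up as the high ASN and /24 diversity this scores, which ordinary anycast or CDN hosting does not.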
To protect against these attacks, both Mandiant and the FBI advise putting in place rigorous verification processes for IT support interactions, restricting remote access software, mandating multi-factor authentication, limiting USB storage devices, and educating staff to spot voice phishing schemes.
