FBI Flash Report TLP Clear: Silent Ransom Group Impersonating IT Personnel through Social Engineering

Summary 

The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is targeting law firms using social engineering techniques. Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in-person to the victim company’s location to gain physical access to computers. While SRG has victimized companies in many sectors including those in the insurance, finance, and healthcare industries, the group has consistently targeted US-based law firms since Spring 2023.

Threat

SRG actors—active since at least 2022—conduct data theft and extortion operations without relying on traditional ransomware encryption. Unlike conventional ransomware actors, SRG actors typically seek rapid access to victim systems, immediate data exfiltration, and extortion through threats of public disclosure or sale of stolen data.
Historically, SRG actors sent phishing emails purportedly to charge small “subscription fees” to gain access to victim networks. To cancel the fake subscription, the victim was instructed to call the threat actor, who then emailed the victim a link to download remote access software.

As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim’s IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support. While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer. In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email.

Once the threat actor obtains access to the victim’s device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption. SRG actors use WinSCP (Windows Secure Copy) or a hidden or renamed version of “Rclone” to exfiltrate data. SRG actors also exfiltrate data to internal filesharing platforms such as Google Drive or Microsoft OneDrive. By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer. SRG actors use the exfiltrated victim data to extort the victim by sending a ransom email threatening to sell or post the data online. SRG actors also call employees or clients of a victim company to pressure the victim to begin ransom negotiations. SRG actors have a public-facing website, business-data-leaks[.]com, where they post victim data.

View the detailed report below.