The Federal Bureau of Investigation (FBI) has issued a fresh warning regarding the Silent Ransom Group (SRG)—an extortion-focused cybercrime gang that has been actively targeting U.S. law firms and financial institutions over the past two years. The group, also known as Luna Moth, Chatty Spider, and UNC3753, originated from the now-defunct Conti ransomware syndicate and has evolved into a standalone threat actor specializing in data theft and extortion.
According to the FBI, SRG has refined its tactics to avoid detection and maximize psychological manipulation. Their primary method involves callback phishing and social engineering, where attackers pose as IT support personnel through emails, fake websites, and phone calls, convincing employees to grant remote access to their systems.
Once access is secured, attackers do not encrypt the victim’s systems—a strategy that distinguishes them from traditional ransomware groups. Instead, they exfiltrate sensitive data using tools like Rclone and WinSCP, then demand ransom payments ranging from $1 million to $8 million in exchange for not leaking the stolen data.
Phishing Calls and Remote Access: Inside SRG’s Playbook
The FBI’s private industry notification released on Friday reveals how SRG operators impersonate internal IT support staff to gain victims’ trust. After an initial phishing email, victims are directed to call a fake IT number, where cybercriminals posing as technicians instruct them to install remote monitoring and management (RMM) tools. These tools are delivered via typosquatted domains, cleverly designed to mimic the real IT portals of well-known law firms and financial firms.
Once installed, SRG actors gain hands-on keyboard access and begin searching for valuable legal documents, financial records, and client data. The stolen information is then transferred out of the network using secure transfer tools like Rclone or WinSCP—usually disguised or renamed to evade detection.
After data exfiltration, SRG initiates extortion attempts via email, threatening to publish or sell the stolen data unless the ransom is paid. In some cases, SRG members follow up with phone calls to employees of compromised organizations, adding pressure and psychological intimidation to force negotiations.
Despite maintaining a dedicated data leak website, the FBI notes that the group does not always follow through on its threats, which adds another layer of unpredictability to their extortion campaigns.
U.S. Legal and Financial Sectors in Crosshairs; FBI Issues Preventive Measures
According to a detailed report by threat intelligence firm EclecticIQ, SRG has ramped up its attacks over the past year, primarily targeting law firms and financial service providers. The attackers reportedly register spoofed domains to resemble official helpdesk portals, exploiting small spelling changes in URLs to trick employees into initiating contact.
Victims receive emails falsely claiming urgent IT issues—such as compromised accounts or expired software—along with callback phone numbers. Once engaged, the threat actors exploit these conversations to deploy RMM software, opening a pathway for further exploitation.
To defend against these advanced threats, the FBI has recommended several key steps:
- Use strong, unique passwords
- Enable multi-factor authentication (MFA)
- Educate staff through phishing simulations and awareness training
- Conduct regular data backups and system audits
The agency also urged organizations to monitor for unauthorized remote access tools, regularly scan for unusual outbound data flows, and report any suspected phishing or social engineering attacks to authorities.
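As an added illustration of the monitoring the FBI recommends (this is example code, not from the FBI notification or the EclecticIQ report), the Python below flags processes whose PE OriginalFileName is Rclone or WinSCP even when the executable has been renamed, and correlates that with a host's outbound data volume. The telemetry, host names and 1 GB threshold are constructed assumptions.

```python
# Constructed sample telemetry (not real victim data), loosely modelled on Sysmon
# process-creation fields: the running image path and the PE OriginalFileName,
# which survives a simple rename of the executable on disk.
PROCESS_EVENTS = [
    {"host": "WS-101", "image": r"C:\Windows\System32\notepad.exe", "original_name": "NOTEPAD.EXE"},
    {"host": "WS-102", "image": r"C:\Users\jdoe\Downloads\support-tool.exe", "original_name": "rclone.exe"},
    {"host": "WS-103", "image": r"C:\Users\asmith\AppData\Local\Temp\WinSCP.exe", "original_name": "winscp.exe"},
]
# Constructed per-host outbound byte totals for one monitoring window.
OUTBOUND_BYTES = {"WS-101": 20_000_000, "WS-102": 6_500_000_000, "WS-103": 400_000_000}

# Exfiltration tools named in the FBI notice; the volume threshold is a placeholder
# that a real deployment would derive from each host's own baseline.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
OUTBOUND_THRESHOLD = 1_000_000_000  # 1 GB per host per window (assumed)

def flag_exfil_tools(events):
    """Map host -> note for any process whose OriginalFileName is a known exfil tool,
    recording when the on-disk name differs (the renaming the notice describes)."""
    hits = {}
    for ev in events:
        orig = ev["original_name"].lower()
        if orig not in EXFIL_TOOLS:
            continue
        on_disk = ev["image"].rsplit("\\", 1)[-1].lower()
        hits[ev["host"]] = orig if on_disk == orig else f"{orig} renamed to {on_disk}"
    return hits

def flag_outbound(byte_totals, threshold=OUTBOUND_THRESHOLD):
    """Hosts whose outbound volume in the window exceeds the threshold."""
    return {h for h, b in byte_totals.items() if b > threshold}

def triage(events, byte_totals):
    """Combine both signals: a host with a known exfil tool AND abnormal outbound
    volume is rated 'high'; either signal alone is 'medium'."""
    tools = flag_exfil_tools(events)
    heavy = flag_outbound(byte_totals)
    report = {}
    for host in set(tools) | heavy:
        severity = "high" if host in tools and host in heavy else "medium"
        reasons = []
        if host in tools:
            reasons.append(f"exfil tool: {tools[host]}")
        if host in heavy:
            reasons.append(f"outbound {byte_totals[host] / 1e9:.1f} GB > threshold")
        report[host] = (severity, reasons)
    return report

if __name__ == "__main__":
    for host, (sev, reasons) in sorted(triage(PROCESS_EVENTS, OUTBOUND_BYTES).items()):
        print(host, sev, "; ".join(reasons))
```

Matching on OriginalFileName rather than the on-disk name is what catches the renamed Rclone binary on WS-102; the volume check is what lifts that host above the one that merely launched WinSCP.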
As cybercriminals continue to shift away from traditional encryption-based ransomware to low-profile data theft and extortion operations, experts warn that legal, financial, and healthcare sectors remain prime targets due to the high value of their confidential data.
