
FBI Issues Warning on Silent Ransom Group Threat


US law firms are under increasing threat from the Silent Ransom Group (SRG), a stealthy cyber extortion gang that’s ramping up its attacks on the legal sector. In a recent alert, the FBI urged law firms to be on high alert, noting that SRG—also known as Chatty Spider, Luna Moth, and UNC3753—has shifted tactics in ways that make detection even harder.

Since emerging in 2022, SRG has relied on callback phishing schemes to lure unsuspecting employees. Typically, the group sends emails impersonating legitimate companies and claims that the recipient has been charged a small subscription fee. The emails then instruct the target to call a support number to cancel the charge—where the real attack begins.

Once the victim makes the call, SRG sends a link to install remote access software. That’s the moment the attackers gain entry to corporate systems. They quietly extract sensitive files and then demand ransom, threatening to expose the data if payment isn’t made.

But now, the game has changed. As of March 2025, the FBI says SRG has dropped email as the first point of contact. Instead, the group now starts with a phone call—posing as internal IT staff. They direct employees to either click an emailed link or visit a specific website to initiate a remote session.

Once inside, the attackers don’t act immediately. They typically tell the employee that maintenance will happen overnight. During that quiet window, they escalate their access privileges and begin siphoning off valuable data using tools like WinSCP and Rclone.

Then comes the ransom email. SRG threatens to leak the stolen data and sometimes follows up with direct phone calls to pressure law firm staff. While they host a leak site to publish stolen files, the updates are sporadic.

Although law firms are the primary targets, SRG has also hit healthcare and insurance organizations. What makes these attacks especially dangerous is their invisibility—SRG often uses legitimate remote access tools that don’t raise red flags in antivirus software. This means few traces are left behind.

The FBI advises defenders to stay vigilant for certain signs: unusual downloads of remote tools, unexpected WinSCP or Rclone activity, emails about subscription charges, unsolicited phone calls pretending to be IT, or any ransom-related communications.
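One way to turn the WinSCP and Rclone indicators above into a check, as an added example that is not from the FBI alert or this article: it scans process-creation events for the two transfer tools and flags runs that happen overnight or within a day of a remote-access tool starting on the same host. The log layout, host and user names, the remote-access tool name and both time windows are assumptions, and the sample events are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Transfer tools the alert names as exfiltration tooling.
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
# Assumption: placeholder name; list the remote-access tools your firm does not sanction.
REMOTE_TOOLS = {"remote-support-tool.exe"}
# Assumptions: "overnight" is 20:00-06:00 local; correlate within 24 hours.
OFF_HOURS_START, OFF_HOURS_END = 20, 6
WINDOW = timedelta(hours=24)

# Constructed sample: timestamp,host,user,process image path
SAMPLE_LOG = """\
2025-03-11T15:42:10,WS-LEGAL-07,jdoe,C:\\Users\\jdoe\\Downloads\\remote-support-tool.exe
2025-03-12T01:17:33,WS-LEGAL-07,jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe
2025-03-12T10:05:00,WS-IT-02,admin1,C:\\Program Files (x86)\\WinSCP\\WinSCP.exe
2025-03-12T02:30:00,WS-LEGAL-11,asmith,C:\\Users\\asmith\\Downloads\\WinSCP.exe
"""

def image_name(path):
    """Lower-cased file name of a Windows or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_alerts(log_text):
    """Return (host, user, tool, time, reasons) for suspicious transfer-tool runs."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if r]
    events = sorted((datetime.fromisoformat(t), h, u, p) for t, h, u, p in rows)
    last_remote = {}  # host -> last time a remote-access tool started there
    alerts = []
    for ts, host, user, path in events:
        name = image_name(path)
        if name in REMOTE_TOOLS:
            last_remote[host] = ts
        elif name in TRANSFER_TOOLS:
            reasons = []
            if ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END:
                reasons.append("off-hours")
            seen = last_remote.get(host)
            if seen is not None and ts - seen <= WINDOW:
                reasons.append("follows-remote-session")
            if reasons:
                alerts.append((host, user, name, ts.isoformat(), reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Matching on file name alone misses a renamed binary, so treat this as a first-pass filter alongside an inventory of which hosts are expected to run these tools at all.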

To strengthen defenses, firms should:

  • Train employees to spot phishing and social engineering
  • Establish strict verification protocols for IT support
  • Regularly back up all data
  • Enforce multi-factor authentication across the board

Victims are also encouraged to report any incidents. The FBI is collecting evidence, including ransom messages, phone numbers, voicemails, cryptocurrency wallets, and phishing email metadata.

With SRG becoming more aggressive and elusive, law firms must act fast to protect their data, staff, and clients.
