Silent Ransom Group Employs Fast Flux Botnet to Conceal Law Firm Data Leak Sites

Silent Ransom Group Targets Law Firms with Evasive Tactics

Resecurity, a threat intelligence firm, has published findings on the Silent Ransom Group (SRG), a cyber extortion crew active since 2022. The group stands out for the lengths it goes to in keeping its data leak sites online and out of reach of law enforcement.

The investigation shows that SRG relies on a technique known as "fast flux." Rather than pointing a leak-site domain at a fixed server, the group keeps changing the DNS records so that the domain resolves to a constantly rotating pool of residential IP addresses spread across 18 countries, including Mexico, Brazil, Argentina, and South Korea. Because each resolved address is short-lived and the pool is made up of compromised consumer devices rather than a hosting provider's servers, takedown requests and IP-based blocking by ISPs and defenders lag behind the infrastructure, which is what preserves the group's anonymity.
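The rotation pattern described above leaves a recognizable fingerprint in passive DNS data: short TTLs, an unusually large set of resolved addresses, those addresses scattered across many autonomous systems, and heavy turnover between successive lookups. The following Python script, added here as an illustration and not part of Resecurity's research or tooling, scores constructed resolver snapshots against those four indicators. The domains (`leak-site.example`, `cdn.example`), the RFC 5737 documentation IP addresses, the private-range AS numbers and the thresholds in `THRESHOLDS` are all assumptions for the example; a real deployment would tune the thresholds against its own baseline.

```python
"""Fast-flux indicator scoring over constructed passive-DNS snapshots.

Added example, not Resecurity's code. All domains, IPs (RFC 5737 ranges),
AS numbers (private range) and thresholds below are constructed/assumed.
Log line format (assumed): "<iso-ts> <domain> ttl=<n> <ip>/AS<n>[,<ip>/AS<n>...]"
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Snapshot:
    ts: datetime
    domain: str
    ttl: int
    answers: frozenset  # of (ip, asn) pairs returned by one lookup


LINE_RE = re.compile(r"^(\S+) (\S+) ttl=(\d+) (\S+)$")

# Heuristic thresholds (assumed, not from the article or the joint advisory).
THRESHOLDS = {"max_ttl": 300, "min_ips": 5, "min_asns": 3, "min_churn": 0.5}


def parse_line(line: str) -> Snapshot:
    """Parse one resolver snapshot line into a Snapshot."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, domain, ttl, answers = m.groups()
    pairs = []
    for item in answers.split(","):
        ip, asn = item.split("/AS")
        pairs.append((ip, int(asn)))
    return Snapshot(datetime.fromisoformat(ts), domain, int(ttl), frozenset(pairs))


def fast_flux_indicators(lines, thresholds=THRESHOLDS):
    """Group snapshots per domain and compute fast-flux indicators.

    Returns {domain: {distinct_ips, distinct_asns, min_ttl, churn,
    indicators, fast_flux_suspect}}. 'churn' is the mean fraction of
    addresses in a lookup that were absent from the previous lookup.
    """
    by_domain = defaultdict(list)
    for line in lines:
        if line.strip():
            s = parse_line(line)
            by_domain[s.domain].append(s)

    report = {}
    for domain, snaps in by_domain.items():
        snaps.sort(key=lambda s: s.ts)
        ips = {ip for s in snaps for ip, _ in s.answers}
        asns = {asn for s in snaps for _, asn in s.answers}
        min_ttl = min(s.ttl for s in snaps)

        churn_vals = []
        for prev, cur in zip(snaps, snaps[1:]):
            prev_ips = {ip for ip, _ in prev.answers}
            cur_ips = {ip for ip, _ in cur.answers}
            churn_vals.append(len(cur_ips - prev_ips) / len(cur_ips))
        churn = sum(churn_vals) / len(churn_vals) if churn_vals else 0.0

        hits = [name for name, ok in (
            ("short_ttl", min_ttl <= thresholds["max_ttl"]),
            ("many_ips", len(ips) >= thresholds["min_ips"]),
            ("many_asns", len(asns) >= thresholds["min_asns"]),
            ("high_churn", churn >= thresholds["min_churn"]),
        ) if ok]

        report[domain] = {
            "distinct_ips": len(ips),
            "distinct_asns": len(asns),
            "min_ttl": min_ttl,
            "churn": round(churn, 2),
            "indicators": hits,
            # A short TTL alone is normal for CDNs; require it plus two more signals.
            "fast_flux_suspect": "short_ttl" in hits and len(hits) >= 3,
        }
    return report


# Constructed sample: one rotating "leak site" and one legitimate-looking CDN name.
SAMPLE_LOG = """\
2026-05-01T00:00:00+00:00 leak-site.example ttl=60 192.0.2.10/AS64512,198.51.100.7/AS64513,203.0.113.44/AS64514
2026-05-01T00:05:00+00:00 leak-site.example ttl=60 198.51.100.7/AS64513,203.0.113.90/AS64515,192.0.2.200/AS64516
2026-05-01T00:10:00+00:00 leak-site.example ttl=60 203.0.113.90/AS64515,192.0.2.33/AS64517,198.51.100.120/AS64518
2026-05-01T00:15:00+00:00 leak-site.example ttl=60 192.0.2.33/AS64517,203.0.113.12/AS64519,198.51.100.9/AS64520
2026-05-01T00:00:00+00:00 cdn.example ttl=60 192.0.2.1/AS64600,192.0.2.2/AS64600,192.0.2.3/AS64600,192.0.2.4/AS64600
2026-05-01T00:05:00+00:00 cdn.example ttl=60 192.0.2.1/AS64600,192.0.2.2/AS64600,192.0.2.3/AS64600,192.0.2.4/AS64600
2026-05-01T00:10:00+00:00 cdn.example ttl=60 192.0.2.2/AS64600,192.0.2.3/AS64600,192.0.2.4/AS64600,192.0.2.1/AS64600
"""

if __name__ == "__main__":
    for domain, row in fast_flux_indicators(SAMPLE_LOG.splitlines()).items():
        print(domain, row)
```

The point of the `cdn.example` entries is the false-positive case: a content delivery network also answers with short TTLs and several addresses, but they sit in one autonomous system and barely change between lookups, so only the `short_ttl` indicator fires. The leak-site name trips all four, which is the combination the joint advisory describes. In practice the ASN column would come from a BGP or whois enrichment step rather than from the resolver log itself.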

Fast flux has drawn attention from government agencies. A joint advisory from the NSA, CISA, the FBI and partner agencies previously described the technique as a national security threat, noting that both cybercriminals and state-sponsored actors use it to hide the true location of malicious servers and to outlast IP-based blocking.

Researchers note that SRG concentrates on high-profile law firms. These firms are attractive targets because they hold sensitive client data tied to ongoing litigation and intellectual property matters, and the extortionists count on the pressure to protect reputations and legal positions to make firms pay quickly. In the first quarter of 2026, law firms accounted for nearly 25 percent of documented hacking incidents.

Unlike traditional ransomware operations that encrypt files, SRG focuses solely on data theft and extortion. It threatens to publish stolen material on a site at the domain business-data-leaks.com if its demands are not met. Until December 2024 the group operated under the name LeakedData, and that branding is still visible in its current activity.

For initial access, SRG uses a range of deceptive techniques. Common methods include vishing, in which operators impersonate IT support over the phone to talk employees into granting system access, and sending people to law offices in person under the guise of technical assistance. Recent findings indicate that at least 38 law firms have suffered data breaches attributable to these tactics.

Earlier reporting documented SRG's shift from casino vendors to law firms and its use of callback phishing to persuade victims to install remote access software. Resecurity's research adds that the group's leak-site infrastructure sits on consumer-grade internet connections rather than in dedicated data centers, which points to a deliberately built residential botnet rather than rented hosting. The analysis identified 24 distinct IP addresses across a range of ISPs, consistent with a botnet of compromised residential devices.

An ongoing initiative associated with SRG, dubbed Spy Corporate, reportedly launched in May 2026, utilizes the same compromised residential routers to operate additional leak sites.

SRG's sustained activity shows the level of risk it poses to legal organizations. Its operations combine data theft with an infrastructure that is deliberately hard to dismantle, and its social engineering targets employees directly, exploiting gaps in help-desk and remote-access procedures to reach confidential client records.

To mitigate these threats, law firms are urged to adopt stricter verification procedures for support requests, tighten controls on remote access software, train employees to recognize phishing and callback scams, and establish clear reporting channels for suspicious communications. Blocking individual websites or IP addresses is insufficient against fast-flux infrastructure, since the addresses behind a domain change faster than blocklists are updated; a comprehensive security program is needed to protect sensitive data.

Mapped to the MITRE ATT&CK framework, the activity spans Initial Access through phishing and voice phishing (T1566), Command and Control through Dynamic Resolution: Fast Flux DNS (T1568.001), here applied to the leak-site infrastructure, and Exfiltration, which illustrates the multifaceted nature of these attacks and reinforces the need for proactive defenses across the legal sector.
