The FBI has warned that the Silent Ransom Group, also known as SRG, is now targeting law firms in the United States using a mix of phone-based social engineering, phishing emails, and even in-person data theft attempts.
According to an FBI flash alert issued on Tuesday, the group has been using a new tactic since spring 2026. Attackers pretend to be employees from a victim company’s IT department and either call staff directly or send phishing emails asking them to contact fake IT support.
Once the employee is on the phone, the attacker tries to convince them to allow access to a remote desktop session. If that fails, the group may send someone physically to the victim’s office to access the computer and connect a USB drive or external hard drive to steal data.
The FBI said companies should watch for warning signs such as unknown people claiming to be IT support, unauthorized attempts to access computers, or the unexpected use of external storage devices on company machines.
The stolen data is then used for extortion. SRG sends ransom emails threatening to sell or publish the stolen information on its leak site. The group may also call employees or clients of the victim organization to increase pressure and push the company into ransom negotiations.
Silent Ransom Group is also tracked under other names, including Luna Moth, Chatty Spider, and UNC3753. The group has been active since at least 2022 and has mainly targeted legal and financial organizations in the United States since early 2023.
The same threat actors were previously linked to BazarCall campaigns, which were used to gain initial access to corporate networks for Conti and Ryuk ransomware attacks. After the Conti operation shut down in March 2022, the group separated from the larger cybercrime network and began operating as Silent Ransom Group, focusing on data theft and extortion through targeted phishing attacks.
This latest warning follows a previous FBI notice from May 2025, which said the group had been targeting U.S. law firms for more than two years using callback phishing and social engineering tactics.
A separate May 2025 report from EclecticIQ also found that the attackers were registering fake domains to impersonate IT helpdesk and support portals for major U.S. law firms and financial services companies. These domains often used typosquatted names to look similar to real company websites and make the scams appear more convincing.
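A defender can screen newly registered domains, proxy logs, or links in inbound email for the look-alike helpdesk pattern described above. The sketch below is an added example, not code from the FBI alert or the EclecticIQ report; the protected domain `examplelaw.com`, the keyword list, and every sample domain are constructed assumptions.

```python
from typing import Optional

# Assumed keyword list for helpdesk-themed lures; tune to your environment.
SUPPORT_WORDS = {"helpdesk", "help", "support", "servicedesk", "desk", "it"}

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain: str, legit: str) -> Optional[str]:
    """Return 'typosquat', 'brand+support', 'brand-elsewhere' or None."""
    domain, legit = domain.lower().rstrip("."), legit.lower().rstrip(".")
    if domain == legit or domain.endswith("." + legit):
        return None  # the real domain or one of its own subdomains
    brand = legit.split(".")[0]  # assumes legit is a registrable domain (brand.tld)
    tokens = []
    for label in domain.split(".")[:-1]:  # ignore the TLD
        for t in label.split("-"):
            if brand in t and t != brand:  # brand glued to other text
                tokens += [brand, t.replace(brand, "", 1)]
            elif t:
                tokens.append(t)
    if any(t != brand and edit_distance(t, brand) <= 1 for t in tokens):
        return "typosquat"
    if brand in tokens:
        return "brand+support" if SUPPORT_WORDS & set(tokens) else "brand-elsewhere"
    return None

# Constructed sample input (not indicators from the FBI alert or EclecticIQ report).
SAMPLES = ["examplelaw.com", "portal.examplelaw.com", "exampelaw.com",
           "examplelaw-helpdesk.com", "it-support-examplelwa.net",
           "examplelawhelpdesk.org", "unrelated-firm.org"]

def triage(domains, legit="examplelaw.com"):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d, legit))}

if __name__ == "__main__":
    for d, r in triage(SAMPLES).items():
        print(f"{r:16} {d}")
```

An edit-distance threshold of 1 suits brand labels of roughly six characters or more; shorter brands will produce false positives and need an allowlist.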





