FBI Warns Law Firms to Be Alert as Ransom Group Attacks Rise


The FBI has issued a warning to U.S. law firms about an alarming increase in attacks by the Silent Ransom Group (SRG), an extortion gang also known by aliases such as Chatty Spider, Luna Moth, and UNC3753. Active since 2022, SRG is now evolving its tactics — and becoming more aggressive.

Historically, SRG relied on callback phishing emails, impersonating legitimate businesses and tricking victims into calling a fake support number. These emails often referenced bogus subscription fees, prompting victims to dial in and cancel the charges. Once on the phone, attackers would direct targets to download remote access software, gaining full access to their systems.

But as of March 2025, the group has pivoted. According to a new FBI flash alert, SRG now initiates contact with phone calls, posing as internal IT staff. They convince employees to join a “support session” through emailed links or fake login pages — granting attackers remote access to sensitive devices.

From Phishing to Privilege Escalation

Once inside, the group pretends maintenance work is underway overnight. In reality, they use legitimate tools like WinSCP and Rclone to exfiltrate sensitive data, escalating privileges as needed. The stolen data is then used to pressure victims into paying a ransom.

SRG’s attacks don’t stop at email. Victim organizations often receive follow-up calls, voicemails, and emails threatening to publish stolen data unless a ransom is paid. The group even runs a leak site, although it inconsistently publishes the stolen files.

While law firms are SRG’s primary focus, the group has also targeted medical providers and insurance companies, industries where data sensitivity is high and reputational damage is severe.

What makes Silent Ransom Group attacks particularly dangerous is their stealth. By leveraging legitimate software for access and exfiltration, SRG often leaves minimal forensic evidence. This makes detection difficult for traditional antivirus or endpoint protection tools.

How to Detect and Defend Against SRG

The FBI advises organizations to stay alert for signs of SRG activity:

  • Unauthorized downloads of remote access tools
  • WinSCP or Rclone network activity
  • Subscription scam emails or unexpected payment notices
  • Unsolicited phone calls from supposed IT personnel
  • Any ransom communications including emails, voicemails, or follow-up calls

To reduce risk, companies should:

  • Train employees to recognize phishing and social engineering tactics
  • Require multi-factor authentication (MFA) for all internal systems
  • Enforce clear policies for how IT staff interact with employees
  • Maintain offline backups of critical data
  • Monitor remote access tools and file transfer utilities closely
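As an added illustration of the monitoring points above (not code from the FBI alert or this article), the sketch below triages process-creation events for WinSCP and Rclone use. The field names follow Sysmon Event ID 1; the host names, the allowlist, the path heuristics and the sample events are constructed assumptions.

```python
import ntpath

# Tools named in the article. The OriginalFileName values are assumed to match
# the PE version-info strings that Sysmon records for each tool.
WATCHED = {"winscp.exe": "WinSCP", "winscp.com": "WinSCP", "rclone.exe": "Rclone"}
# Hypothetical allowlist: hosts where IT has approved these tools.
APPROVED_HOSTS = {"IT-ADMIN-01"}
# Locations a standard user can write to, so a tool here was likely self-downloaded.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def classify(event):
    """Return (tool, reasons) for a watched tool, or None for anything else."""
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()
    orig = event.get("OriginalFileName", "").lower()
    # Match on the embedded original name too, so a renamed copy is still caught.
    tool = WATCHED.get(base) or WATCHED.get(orig)
    if tool is None:
        return None
    reasons = []
    if base not in WATCHED:
        reasons.append("renamed binary")
    if any(p in image.lower() for p in USER_WRITABLE):
        reasons.append("runs from user-writable path")
    if event.get("Computer") not in APPROVED_HOSTS:
        reasons.append("host not approved")
    return tool, reasons

def triage(events):
    """Return (host, tool, reasons) for every watched tool with at least one reason."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit and hit[1]:
            alerts.append((ev.get("Computer"), hit[0], hit[1]))
    return alerts

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Computer": "WS-LEGAL-07", "Image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "OriginalFileName": "rclone.exe"},
    {"Computer": "IT-ADMIN-01", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "winscp.exe"},
    {"Computer": "WS-LEGAL-12", "Image": r"C:\ProgramData\svchelper.exe",
     "OriginalFileName": "rclone.exe"},
    {"Computer": "WS-LEGAL-07", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for host, tool, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: {tool} ({'; '.join(reasons)})")
```

Because these are legitimate tools, the allowlist is what separates sanctioned use from the activity the alert describes; the same reasons can be attached to network telemetry for the tools' outbound transfers.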

The FBI is also asking any SRG victims to come forward with helpful details such as ransom notes, cryptocurrency wallets, phone numbers, voicemail recordings, and email headers that could aid in ongoing investigations.

As cyber extortion campaigns grow more sophisticated, especially those using social engineering and remote access, organizations must adapt their defense strategies and boost employee awareness to stay protected.